Analysis Overview
SHA256
9c1a052b4f6fbbe3c6437b3af2a3f93f2218b3c175073e7daeb6361f999a94c5
Threat Level: Known bad
The file 9c1a052b4f6fbbe3c6437b3af2a3f93f2218b3c175073e7daeb6361f999a94c5.exe was found to be: Known bad.
Malicious Activity Summary
Detects executables containing possible sandbox analysis VM usernames
Epsilon Stealer
Detects executables referencing combination of virtualization drivers
Looks for VirtualBox Guest Additions in registry
Detects executables containing possible sandbox analysis VM usernames
Enumerates VirtualBox registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Looks for VMWare Tools registry key
Identifies Wine through registry keys
Loads dropped DLL
Checks BIOS information in registry
Reads user/profile data of web browsers
Executes dropped EXE
Checks computer location settings
Looks up external IP address via web service
Adds Run key to start application
Checks for VirtualBox DLLs, possible anti-VM trick
Unsigned PE
Program crash
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Enumerates processes with tasklist
Suspicious use of SetWindowsHookEx
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Detects videocard installed
Enumerates system info in registry
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of FindShellTrayWindow
Kills process with taskkill
Suspicious use of SendNotifyMessage
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-12 01:27
Signatures
Detects executables containing possible sandbox analysis VM usernames
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral6
Detonation Overview
Submitted
2024-04-12 01:26
Reported
2024-04-12 01:31
Platform
win10v2004-20240226-en
Max time kernel
136s
Max time network
162s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2120 wrote to memory of 4972 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2120 wrote to memory of 4972 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2120 wrote to memory of 4972 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4972 wrote to memory of 3524 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 4972 wrote to memory of 3524 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 4972 wrote to memory of 3524 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4972 -ip 4972
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 612
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 612
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4276 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| GB | 142.250.187.234:443 | tcp | |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 130.118.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.178.89.13.in-addr.arpa | udp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-04-12 01:26
Reported
2024-04-12 01:31
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
203s
Command Line
Signatures
Epsilon Stealer
Detects executables referencing combination of virtualization drivers
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates VirtualBox registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest | C:\Users\Admin\AppData\Local\Temp\Ghostbane.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse | C:\Users\Admin\AppData\Local\Temp\Ghostbane.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService | C:\Users\Admin\AppData\Local\Temp\Ghostbane.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF | C:\Users\Admin\AppData\Local\Temp\Ghostbane.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo | C:\Users\Admin\AppData\Local\Temp\Ghostbane.exe | N/A |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Ghostbane.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Ghostbane.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Ghostbane.exe | N/A |
Looks for VirtualBox Guest Additions in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | C:\Users\Admin\AppData\Local\Temp\Ghostbane.exe | N/A |
Looks for VMWare Tools registry key
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools | C:\Users\Admin\AppData\Local\Temp\Ghostbane.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Ghostbane.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Ghostbane.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\Ghostbane.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Ghostbane.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Ghostbane.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Wine | C:\Users\Admin\AppData\Local\Temp\Ghostbane.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ghostbane.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ghostbane.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ghostbane.exe | N/A |
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\Ghostbane.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ghostbane.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ghostbane.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ghostbane.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ghostbane.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ghostbane.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ghostbane.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ghostbane.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Ghostbane.exe
"C:\Users\Admin\AppData\Local\Temp\Ghostbane.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1340 --field-trial-handle=2264,i,13734085038406049477,12426093271221802693,262144 --variations-seed-version /prefetch:8
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic CsProduct Get UUID"
C:\Windows\System32\Wbem\WMIC.exe
wmic CsProduct Get UUID
C:\Users\Admin\AppData\Local\Temp\Ghostbane.exe
"C:\Users\Admin\AppData\Local\Temp\Ghostbane.exe" --type=gpu-process --field-trial-handle=1660,9257863704054832544,5511965963363031335,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --user-data-dir="C:\Users\Admin\AppData\Roaming\Ghostbane" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAANAAAAEAAAAAAAAAABAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1676 /prefetch:2
C:\Users\Admin\AppData\Local\Temp\Ghostbane.exe
"C:\Users\Admin\AppData\Local\Temp\Ghostbane.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1660,9257863704054832544,5511965963363031335,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Ghostbane" --mojo-platform-channel-handle=1956 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Users\Admin\AppData\Local\Temp\Ghostbane.exe
"C:\Users\Admin\AppData\Local\Temp\Ghostbane.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Ghostbane" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --field-trial-handle=1660,9257863704054832544,5511965963363031335,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2488 /prefetch:1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM chrome.exe /F"
C:\Windows\system32\taskkill.exe
taskkill /IM chrome.exe /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM msedge.exe /F"
C:\Windows\system32\taskkill.exe
taskkill /IM msedge.exe /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"
C:\Windows\System32\Wbem\WMIC.exe
wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "cmd /c chcp 65001>nul && netsh wlan show profiles"
C:\Windows\system32\cmd.exe
cmd /c chcp 65001
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Users\Admin\AppData\Local\Temp\Ghostbane.exe
"C:\Users\Admin\AppData\Local\Temp\Ghostbane.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1660,9257863704054832544,5511965963363031335,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=audio --user-data-dir="C:\Users\Admin\AppData\Roaming\Ghostbane" --mojo-platform-channel-handle=3120 /prefetch:8
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x320 0x4a0
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsUpdater /t REG_SZ /d C:\Users\Admin\AppData\Local\Microsoft\Windows\0\WindowsUpdater.exe /f"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsUpdater /t REG_SZ /d C:\Users\Admin\AppData\Local\Microsoft\Windows\0\WindowsUpdater.exe /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-8k06tr.l31eb.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1n2g2z1.vjj5.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-129yjk8.jb8a.jpg" "
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-hbourr.rheb.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-wd7q87.a8uo.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-x054rl.99z9.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-ex5m1v.ie7dk.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1g4hkhe.t9cn.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1drgr5n.j3lni.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-kwmgeg.qf66d.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1dou26v.5oyy.jpg" "
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-cglgoa.a95kf.jpg" "
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7683.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSCF8170C7569BF48FE98D4759ED736988.TMP"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-a36w6w.962va.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1l74aku.502p.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-14w5ql4.dixq.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-suh3wa.64wsi.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-3itzg2.dqr0s.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1ruvhzr.hg6t.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-k63fl5.30q8j.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-wd7q87.a8uo.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-rjzoo3.lp22i.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-ydfnns.5k32.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-n6ppcn.hana.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-i4h0wj.99ags.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-133wenx.dj3x.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-12nerny.umz3g.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-ijksy3.ucnqs.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-x054rl.99z9.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1ab6knu.m6kh.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1l0xi5.mq0db.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1uslgvc.sy6ml.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-y5y3vh.cmf7g.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-ojnico.v12ag.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-14jtcv7.vl9a.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1drgr5n.j3lni.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-eeyvip.0r78k.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-xxx8pt.1uy2.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-kwmgeg.qf66d.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1ye9164.k4t4.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-rs7few.i984.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-p5ypon.avz5r.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-oddwib.jtyn.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1dou26v.5oyy.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-4b5vye.udtav.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-zzrzxw.t5t2j.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-16j46r3.y4y3.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-a36w6w.962va.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-7bt4au.6xk.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-z5p62k.6p16.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-7y8icx.xwcvu.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-13jsmm9.vgt5h.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1eynr8s.hfca.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-cglgoa.a95kf.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1v79msz.fyrf.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1svvvq1.jj03m.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-qnasd1.vwo29.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1rmxe66.dr39.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-115ycf.go0jgj.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-u78q39.g9hn.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1tq1fk8.httck.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1kbv9g7.10hsk.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-10a05sb.s8qcl.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-k48poj.gjrb.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1hn4pp3.twwg.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1xcusbl.9ql1.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1l74aku.502p.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1mgcawi.ouer.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1l6vdgu.hf3f.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-rjzoo3.lp22i.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1baud55.okz.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-14w5ql4.dixq.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-suh3wa.64wsi.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-j4l5uv.1y63d.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-iampav.8oop.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1bdryow.jeyx.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-c0eqgx.r5t7p.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-e3fcdj.j0ite.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1ruvhzr.hg6t.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1l08b27.qefz.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-hdcvqk.qtu8l.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1as1a6r.qf8eg.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-12kehpj.y9sd.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-znhlt.zlkxbo.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-3itzg2.dqr0s.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-2k95cz.4hq6.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-ktvq8i.mx70m.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-y0sun9.dxto.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1n4v8kv.40y4.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-12g8kyy.axu3.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-d62aqq.ig7wi.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-k63fl5.30q8j.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-pbeol1.ei21i.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1mz36jn.untd.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1i0y0dv.mbqn.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-chf88m.jacf.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1jjyukt.vn1d.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-sac4qr.eqo3.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1xextbk.t2pr.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-lf5pk6.ui5sf.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-ryqpwo.ohh4h.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-ydfnns.5k32.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-n6ppcn.hana.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1o8zcgy.qpfu.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-i4h0wj.99ags.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-a158hg.kyxl4.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1ujmwbq.ocme.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-q04m5p.jnhe.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-18br23g.9zdj.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1ax34jq.x794.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-qzo5lw.z4ao.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-11t5wu9.7kmj.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-12nerny.umz3g.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-17kyzmx.4nd5g.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-h1m7v5.fvjan.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-133wenx.dj3x.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-h8itrx.rnye8.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1j9gie6.eawh.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-ijksy3.ucnqs.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1bp06s2.6699.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1ykk1js.ch8f.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-4ussqy.lipt8.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1vl7igq.dlbig.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1ab6knu.m6kh.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-l5lba6.p2eya.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1svvvq1.jj03m.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1trupqq.wkp9.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-11jni42.xm1r.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1l0xi5.mq0db.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1jfdzx6.chbl.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-nil9nt.nkotd.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-16zv7ro.wwj7h.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-lofx5.84s0rg.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1votdqv.bka2.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1abif8v.ddgj.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1uslgvc.sy6ml.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-iw96ar.8kdi.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-ojnico.v12ag.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-lf5pk6.ui5sf.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-81wh38.9vla6.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-y5y3vh.cmf7g.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-p5ypon.avz5r.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-7761r8.tshda.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-14d4l43.ot5q.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-oewfr3.wxwk.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1eynr8s.hfca.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-4b5vye.udtav.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1xm261b.h6dti.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-7bt4au.6xk.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-7y8icx.xwcvu.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1rmxe66.dr39.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-6qdpwq.tekt.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1xcusbl.9ql1.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-k48poj.gjrb.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-9nm991.i47n.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1hg86g5.5xfc.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-14q0rcd.vuycj.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-188apa6.wwc6.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-k13mbh.q5xg.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-y2h57h.x1g49.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1hn4pp3.twwg.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1xextbk.t2pr.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1geih2e.j08r.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-sac4qr.eqo3.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-qo6zfx.rlalj.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-14ur540.i2nb.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-xncvf9.ozeyp.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1ou4c4j.gbft.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1fybub7.g6ogj.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-86qz7r.ij99r.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-qzo5lw.z4ao.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-18br23g.9zdj.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-12kehpj.y9sd.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1ax34jq.x794.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-e1r31u.fhijq.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-e3fcdj.j0ite.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1dg0uum.6a9q.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1wf9z50.qmnoi.jpg" "
C:\Users\Admin\AppData\Local\Temp\Ghostbane.exe
"C:\Users\Admin\AppData\Local\Temp\Ghostbane.exe" --type=gpu-process --field-trial-handle=1660,9257863704054832544,5511965963363031335,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\Ghostbane" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAIAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAANAAAAEAAAAAAAAAABAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4928 /prefetch:2
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-nil9nt.nkotd.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-lofx5.84s0rg.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-16zv7ro.wwj7h.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1jfdzx6.chbl.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-4ussqy.lipt8.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1vl7igq.dlbig.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1cda100.w4op.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-f9a95w.vuq47.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1jjyukt.vn1d.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1votdqv.bka2.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1t74l45.nrpof.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-qngmm1.2vy6c.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1vznn74.r087.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-iw96ar.8kdi.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-bk9jjm.h3e3j.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1i0y0dv.mbqn.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-zq2dqt.fm7l.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-d9hid3.sd5jv.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1vz2ip5.f9k3.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1dydd35.dz5d.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1na5ycr.p67x.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-170b0s.uhmsg.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-etso22.6fsu.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-5ardqd.ar45v.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-11tkyn1.b5tx.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-b5sqqv.v5tde.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1b3jml0.khb5.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1by94rf.ofofg.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-h1m7v5.fvjan.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-7761r8.tshda.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-mp1kg7.0y0mj.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1dw2jws.itzd.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-14d4l43.ot5q.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1xbbms0.oegih.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-q04m5p.jnhe.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-oewfr3.wxwk.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-81wh38.9vla6.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1ykk1js.ch8f.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1mw7bfn.csff.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-h8itrx.rnye8.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1gby5f9.82z2.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1h2xguo.q2p6j.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-86vtv2.2h7b7.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1sobz4o.n54b.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-ck34j8.qqt9s.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-km90kd.62bo.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1bbxv2c.vo0v.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-m5qzpu.mjpt.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1o5d0aj.o3lb.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-uq4a2c.ateh.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-1qo73cg.acmy.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2180-5epikw.3glzr.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-18k3ejk.wonn.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-itcow6.1yz0k.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2180-ir4ite.lztxg.jpg" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 130.118.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | 192.186.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | panelweb.equi-hosting.fr | udp |
| US | 172.67.176.119:443 | panelweb.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | panelweb.equi-hosting.fr | tcp |
| US | 8.8.8.8:53 | whoevenareyou.equi-hosting.fr | udp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.4.4:443 | dns.google | tcp |
| US | 8.8.4.4:443 | dns.google | tcp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 8.8.8.8:53 | 119.176.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 54.40.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.4.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.129.159.162.in-addr.arpa | udp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 8.8.4.4:443 | dns.google | udp |
| US | 8.8.4.4:443 | dns.google | udp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 8.8.8.8:53 | 107.211.222.173.in-addr.arpa | udp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 8.8.8.8:53 | 201.64.52.20.in-addr.arpa | udp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\a8177cf1-bba3-4e7d-9879-e555eb9e0c74.tmp.node
| MD5 | e4c111d47eb54b62dab8cb12540b9e39 |
| SHA1 | 09be3e7d9eec1853dc628c8c3b90e7b670921029 |
| SHA256 | a05338fe1e0eb08230717ad2f3587a5c1cb4bd10a673c40a3059f70ae0e7e6b1 |
| SHA512 | f9ec1e62c08425382b48320d2fb1a7fa412dea84825cc49b0297d5c6cfdcb80f32c54de28ac59e7a4c7557ae9900a8d3860fc7d23e486bcc28e603787d9f0f79 |
C:\Users\Admin\AppData\Local\Temp\89010ba3-9ef9-45ac-b6eb-c0a4e7c7d6c6.tmp.node
| MD5 | f1e751eb4dbfa4a1b5f4903315fc535a |
| SHA1 | 85e1166819678f839954c473d7eb363a99e24a96 |
| SHA256 | b8c24de2fa870ceb677f30da0eabdf20745d0a9ebed98f49c52d881383c75096 |
| SHA512 | 2349745a84bc2b2f9c2b96999d48e37242a6c3627d7898cd9a36e682e36ec12553713db7167b3a9cd20ec308ce11d84f09f06beb3e971823d8b4a959f457b182 |
memory/1640-12-0x00007FFB4FF40000-0x00007FFB4FF41000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
C:\Users\Admin\AppData\Local\Temp\adc7e559-ee58-45f3-bdda-c35c203ab9a6.tmp.node
| MD5 | d4e6004197508892d18fc47645b25f62 |
| SHA1 | 1afceda2531e593c00de7ab994f928a150de5b4d |
| SHA256 | dc29d32decbd161ea4ff1e645d3fdf7a1ce3db0ee25e5485bc19fc775922b71c |
| SHA512 | 0be017eaba3764eb9f38e78248528a9e025958e713a8eb4a8f9b03d087267e107ceef8525a4ecfcbb684b077145fb0161e5dbe05f9fd95f8f94a140fe3ceb8a4 |
C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\Credit Cards\All Credit Cards.txt
| MD5 | dec2be4f1ec3592cea668aa279e7cc9b |
| SHA1 | 327cf8ab0c895e10674e00ea7f437784bb11d718 |
| SHA256 | 753b99d2b4e8c58bfd10995d0c2c19255fe9c8f53703bb27d1b6f76f1f4e83cc |
| SHA512 | 81728e3d31b72905b3a09c79d1e307c4e8e79d436fcfe7560a8046b46ca4ae994fdfaeb1bc2328e35f418b8128f2e7239289e84350e142146df9cde86b20bb66 |
C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\AutoFill Data\All Autofill Data.txt
| MD5 | 810ae82f863a5ffae14d3b3944252a4e |
| SHA1 | 5393e27113753191436b14f0cafa8acabcfe6b2a |
| SHA256 | 453478914b72d9056472fb1e44c69606c62331452f47a1f3c02190f26501785c |
| SHA512 | 2421a397dd2ebb17947167addacd3117f666ddab388e3678168075f58dc8eee15bb49a4aac2290140ae5102924852d27b538740a859d0b35245f505b20f29112 |
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat
| MD5 | da0f40d84d72ae3e9324ad9a040a2e58 |
| SHA1 | 4ca7f6f90fb67dce8470b67010aa19aa0fd6253f |
| SHA256 | 818350a4fb4146072a25f0467c5c99571c854d58bec30330e7db343bceca008b |
| SHA512 | 30b7d4921f39c2601d94a3e3bb0e3be79b4b7b505e52523d2562f2e2f32154d555a593df87a71cddb61b98403265f42e0d6705950b37a155dc1d64113c719fd9 |
\??\c:\Users\Admin\AppData\Local\Temp\screenCapture\app.manifest
| MD5 | 8951565428aa6644f1505edb592ab38f |
| SHA1 | 9c4bee78e7338f4f8b2c8b6c0e187f43cfe88bf2 |
| SHA256 | 8814db9e125d0c2b7489f8c7c3e95adf41f992d4397ed718bda8573cb8fb0e83 |
| SHA512 | 7577bad37b67bf13a0d7f9b8b7d6c077ecdfb81a5bee94e06dc99e84cb20db2d568f74d1bb2cef906470b4f6859e00214beacca7d82e2b99126d27820bf3b8f5 |
C:\Users\Admin\AppData\Local\Temp\RES7683.tmp
| MD5 | 58bd1199906d0ca84ae0dd185f523cc5 |
| SHA1 | e2c04400a5f4c43ea7c3a63a92f2065f339a1274 |
| SHA256 | 2be40bcbf45a46af12871e1dceb5f4b7ea1308c33e38396c47a837aa9fd2301a |
| SHA512 | e0dfd4840232d421881b36e29d74008240926a6c27de5f81bafb10a2cec06cb8454d5245011773d36ac32591a57daf7666e0c7ee212a45d043e1b91439b6bd6b |
\??\c:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
| MD5 | a141f796835fcb383b621d4e2bb2528e |
| SHA1 | 4b75a9fc404a7a8517702ae99344087a5d8cc264 |
| SHA256 | 9b71150be3ec901b5c980d1ac7229b4cc67d9006d21456b18b188921e58a48cf |
| SHA512 | 2433e64be72dd8e42750e8aa93c125d69dba4432d452b83b01bfd6fcf9819f24f6f85533bb6524b21d162ee2fa4a2fc9ecbe87e95f3a565242012b3b550ecff2 |
C:\Users\Admin\AppData\Local\Temp\screenCapture\CSC52DFAE9CEA9840E5972086D9DF27BFA.TMP
| MD5 | a6f2d21624678f54a2abed46e9f3ab17 |
| SHA1 | a2a6f07684c79719007d434cbd1cd2164565734a |
| SHA256 | ab96911d094b6070cbfb48e07407371ddb41b86e36628b6a10cdb11478192344 |
| SHA512 | 0b286df41c3887eecff5c38cbd6818078313b555ef001151b41ac11b80466b2f4f39da518ab9c51eeff35295cb39d52824de13e026c35270917d7274f764c676 |
memory/5012-157-0x0000000000AC0000-0x0000000000ACA000-memory.dmp
memory/3164-177-0x00007FFB31FD0000-0x00007FFB32A91000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2024312-2180-hbourr.rheb.jpg
| MD5 | c87e8e11efcf9b8fd2550f467802a3c7 |
| SHA1 | 0d41109d7d3529521884fbbb6455fb82272c1b9b |
| SHA256 | e4963d6ba460643d3a85693c6385ec6b873773e1021a5c170660abdbcebb9d85 |
| SHA512 | 260dc7b038def6c8988dd66c40c17035f3949e46c4d2542186789283c55ffbc31150c583cf976a1c6a6def52fda1f610acfc7f3ad0781f85b43ec5d8d7652d02 |
memory/6268-288-0x00007FFB31FD0000-0x00007FFB32A91000-memory.dmp
memory/5772-297-0x00007FFB31FD0000-0x00007FFB32A91000-memory.dmp
memory/5808-298-0x00007FFB31FD0000-0x00007FFB32A91000-memory.dmp
memory/6308-314-0x00007FFB31FD0000-0x00007FFB32A91000-memory.dmp
memory/6676-316-0x00007FFB31FD0000-0x00007FFB32A91000-memory.dmp
memory/6824-326-0x00007FFB31FD0000-0x00007FFB32A91000-memory.dmp
memory/3808-328-0x00007FFB31FD0000-0x00007FFB32A91000-memory.dmp
memory/1936-327-0x00007FFB31FD0000-0x00007FFB32A91000-memory.dmp
memory/6180-315-0x00007FFB31FD0000-0x00007FFB32A91000-memory.dmp
memory/1368-313-0x00007FFB31FD0000-0x00007FFB32A91000-memory.dmp
memory/1768-305-0x00007FFB31FD0000-0x00007FFB32A91000-memory.dmp
memory/4640-296-0x00007FFB31FD0000-0x00007FFB32A91000-memory.dmp
memory/5336-289-0x00007FFB31FD0000-0x00007FFB32A91000-memory.dmp
memory/5444-281-0x00007FFB31FD0000-0x00007FFB32A91000-memory.dmp
memory/6308-280-0x00007FFB31FD0000-0x00007FFB32A91000-memory.dmp
memory/6300-273-0x00007FFB31FD0000-0x00007FFB32A91000-memory.dmp
memory/6796-270-0x00007FFB31FD0000-0x00007FFB32A91000-memory.dmp
memory/6268-263-0x00007FFB31FD0000-0x00007FFB32A91000-memory.dmp
memory/5336-259-0x00007FFB31FD0000-0x00007FFB32A91000-memory.dmp
memory/6796-251-0x00007FFB31FD0000-0x00007FFB32A91000-memory.dmp
memory/6528-239-0x00007FFB31FD0000-0x00007FFB32A91000-memory.dmp
memory/6600-234-0x00007FFB31FD0000-0x00007FFB32A91000-memory.dmp
memory/6356-223-0x00007FFB31FD0000-0x00007FFB32A91000-memory.dmp
memory/4444-222-0x00007FFB31FD0000-0x00007FFB32A91000-memory.dmp
memory/1816-221-0x00007FFB31FD0000-0x00007FFB32A91000-memory.dmp
memory/4444-212-0x00007FFB31FD0000-0x00007FFB32A91000-memory.dmp
memory/5804-210-0x00007FFB31FD0000-0x00007FFB32A91000-memory.dmp
memory/5468-209-0x00007FFB31FD0000-0x00007FFB32A91000-memory.dmp
memory/2316-202-0x00007FFB31FD0000-0x00007FFB32A91000-memory.dmp
memory/5804-201-0x00007FFB31FD0000-0x00007FFB32A91000-memory.dmp
memory/3164-200-0x00007FFB31FD0000-0x00007FFB32A91000-memory.dmp
memory/5380-199-0x00007FFB31FD0000-0x00007FFB32A91000-memory.dmp
memory/6772-332-0x00007FFB31FD0000-0x00007FFB32A91000-memory.dmp
memory/5920-197-0x00007FFB31FD0000-0x00007FFB32A91000-memory.dmp
memory/5012-191-0x00007FFB31FD0000-0x00007FFB32A91000-memory.dmp
memory/3836-190-0x00007FFB31FD0000-0x00007FFB32A91000-memory.dmp
memory/5812-189-0x00007FFB31FD0000-0x00007FFB32A91000-memory.dmp
memory/5840-188-0x00007FFB31FD0000-0x00007FFB32A91000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\screenCapture_1.3.2.exe.log
| MD5 | f3ac7a0e31b9af1b495241eff29915ad |
| SHA1 | 286fe23eba741cd3fca3f3e9a919021946655392 |
| SHA256 | f134296c53650817d3b2bbd04fd77b8833b76e79a953a1d14f7a3484bab5f12a |
| SHA512 | b21d4e091140025f7ef2e96a3e3228c788ecffe43f4bcc5d1a15826686a392d9e0ad4ead4ed19b88c92fc9fd470014b15a79b9a82878d03005da3681b8dd9210 |
memory/5012-169-0x00007FFB31FD0000-0x00007FFB32A91000-memory.dmp
memory/7212-341-0x00007FFB31FD0000-0x00007FFB32A91000-memory.dmp
memory/7632-346-0x00007FFB31FD0000-0x00007FFB32A91000-memory.dmp
memory/7580-359-0x00007FFB31FD0000-0x00007FFB32A91000-memory.dmp
memory/7580-383-0x00007FFB31FD0000-0x00007FFB32A91000-memory.dmp
memory/6996-401-0x00007FFB31FD0000-0x00007FFB32A91000-memory.dmp
memory/1652-416-0x00007FFB31FD0000-0x00007FFB32A91000-memory.dmp
memory/2040-434-0x00007FFB31FD0000-0x00007FFB32A91000-memory.dmp
memory/6976-628-0x0000028927640000-0x0000028927641000-memory.dmp
memory/6976-625-0x0000028927640000-0x0000028927641000-memory.dmp
memory/6976-624-0x0000028927640000-0x0000028927641000-memory.dmp
memory/6976-619-0x0000028927640000-0x0000028927641000-memory.dmp
memory/6976-616-0x0000028927640000-0x0000028927641000-memory.dmp
memory/6976-610-0x0000028927640000-0x0000028927641000-memory.dmp
memory/6976-602-0x0000028927640000-0x0000028927641000-memory.dmp
memory/6976-595-0x0000028927640000-0x0000028927641000-memory.dmp
memory/6976-592-0x0000028927640000-0x0000028927641000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-04-12 01:26
Reported
2024-04-12 01:32
Platform
win7-20240221-en
Max time kernel
140s
Max time network
223s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{24102BA1-F86C-11EE-8D0F-52C7B7C5B073} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10491dfd788cda01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ffebb09deeb747419e902f1accea58f700000000020000000000106600000001000020000000e0c3ac9f076e355398babf1ac868005bbfb520fc2408a137e0bc9a3b3e2a8a8c000000000e80000000020000200000009b75ce44902181ad46fbf9bc0f9431ead3ca34d34edf3ae31ee137cfed94f4a120000000544553f2a910a764b86502dd1d375a3a567f6157241623b71378eba2318b4ca840000000c0841d42baa22df765ead37da36d3ad41e9b50bc76d72fcc68023344593d0a273591ae64b63bb1a45c8768f5567e1cd7dd3c8b684863442216d8e516e1c2ad04 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ffebb09deeb747419e902f1accea58f70000000002000000000010660000000100002000000041524fc66d0903b6111cdeafd4c6995291a2ec0b70dc21f115a3c55d3fba74a8000000000e80000000020000200000008cd726fdc7c52a6a05139156f6931cfc5a629ca6176589a7a08893ddd2298fd090000000b39b7d700ed2ac84297f89cb833db1d63dc9bb2b94b3bf7936a102d5f0af18c2d89bb28acb02d1e18e8ec21cf2ecdc51931f27e4980f0f2fda7c7398b5c98e88e1212797e02ac877e6f0e83fcbd9945c55457778568dfe6f9d94e7f22493568bc30cdb399834736bef51e7a690f64d7568e453ee0ff3cefda67f4220189933215f2b0f3b51fc68cbf9b3261d578669c540000000b36b7f78b1e8cbbbe0e0babe0f0ae20c571edc6671c25faeaea4deb662662c61a2b99e7101af42ba446811f3f23367f29c3a814e2c2c404168f9e263a026b56d | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "419047256" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1184 wrote to memory of 2688 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1184 wrote to memory of 2688 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1184 wrote to memory of 2688 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1184 wrote to memory of 2688 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1184 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\CabDEED.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\Local\Temp\TarE606.tmp
| MD5 | 435a9ac180383f9fa094131b173a2f7b |
| SHA1 | 76944ea657a9db94f9a4bef38f88c46ed4166983 |
| SHA256 | 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34 |
| SHA512 | 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9c9ed2f230fcde01da6797f3246276f4 |
| SHA1 | 61f1100388bae8371237ebf422207afcd4e06d6e |
| SHA256 | 0912a7412d53306af0696a46c5cfd2eebf785c18c2ac9b260694bb1208c6d45d |
| SHA512 | d88d03293febcd42f1ac8f85d1dbc9c368da0c74c0269add155bb24b25980ef5ec71e05ea43cf489a7ed7c465cd5995a1aae15cd6f6da92aa88b5653aa894a38 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c3e3eac4176e284bdc2dfd4ada675431 |
| SHA1 | dad7f7ebab43f6ac63eeef7e09ae0c5a67d7b8d5 |
| SHA256 | 5b1abfd3fcaf1cbcdfbb3abe555b3a9f775573859689ce077182182914605dca |
| SHA512 | 4e2619883721413ef93d46af9f8804b6676a1318370336221ab3b09818a93f80249f5741a0bfd2b2bf335e61773e97d30437dc0f1b5b638610a3a71c1b6070d7 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1769826e9b2324e4ac772d76646b1420 |
| SHA1 | e79cd92fc76f5da330511396f57ed52d4e8576c7 |
| SHA256 | de5c3862f6a560ccd3adb517aa763c1c8c7bb96873de9864dee3da9efde8f3ca |
| SHA512 | 836f1a13f46b35425f293fef3122817dfd30f369cd73a3e443944c4f9a5b7e87763626d529dad261868dd2b65d2b6a03d90dc99c478c39fcc691a91f662b7d7f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f5512efdb630545241465bae494b913a |
| SHA1 | d6563859267081c1e24a78843a09c5876903ff4a |
| SHA256 | 1b2b3083ffdfc2d8b398c396f253fa98fd8d095d1d8acd62f9144947169ea0c2 |
| SHA512 | e12e06751893338856e652a932b6d3f570d1b19e21d8818d22753227bdf16ba41664fbedb10a411fceb1795e971d08d1a2dd44d471fa97bf98d254a43349c0b5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 355cb9a40e7e5793c53d3149107a8c1f |
| SHA1 | c21ea048906944b5dba54ddff5cf42bfc46d0bbf |
| SHA256 | c69e3f6c4336dd9d0dadece2be8db0ec5c881303a6ba2197fd32c0f283e0400a |
| SHA512 | ffa984921efec1b51b217df7316b97cd55fa830f10cf081f8d806ffac62022e8aec4f1747a198faa441c1d801a9edd5d0f94ec5bfa0b9b4bf737575a71c469c0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d47531e0ee8f7b3f619b067c31defda5 |
| SHA1 | b84df75785b5e16577b873e7cdd42b8cf82bcb1b |
| SHA256 | 1a9f7bd184d882bdaf9fb793d2a41cab616d543383e127242c92608baca3b72f |
| SHA512 | ae860009802d2a2a5f0640c2e1bb1513a9a685b40ada9ec7f6a4ac6adb78d8b4f562e496b328b260dac71b6722167e91c07912c731498b4f1e0b07040cf77274 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f5253e6e34900a6d294ba492843485de |
| SHA1 | 6e5bbf0ccd2adcede189683d999ab2ce7af68f90 |
| SHA256 | d72a42c3688cf6feef39a1e3a7c845a2e75356616f6296e96991289a887d3f85 |
| SHA512 | 9868d25d5d89dc3eb89f8fa1c325d56919ee8bdf63801011f41081fc6996f7c8465bef3daeb272f618971723a2d97f57d2ad64ebf5257f599a28dc2aaf97d959 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | eb601f0328117c2b37cf55bdd3e5a751 |
| SHA1 | 23ab5ad9ab9e384e8597e76cfaad0a1afdf2e8ac |
| SHA256 | 6143f2169cdc5e98eea838d95f58d3b92261e67727e49c22389ea5408cb2d66d |
| SHA512 | c6df401b63f7fda93035e9b5e6158210c4f406e00e774dacf6a69a4e7c1ce043eb47347817aa4d0be634ced8446fe39a6b5300089c4ef4b273833de8c6fd3d72 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c98437b182b82178d44f654653dce28e |
| SHA1 | b6d2c27a1b4a557c3cb1795e83bc20931e2b0c8b |
| SHA256 | 7b73bc1d4a93aabb3b3e3c317ddea60cb221ac86f379cc3dbfd70a4b944c41f9 |
| SHA512 | cce29d8daf36394c34fdad90c7f5f38fb39bc96abc46ad4d674e2af59301562c19437b17a59b4b32bd5e01a79b1784ee8a0a3505957e3d485d84ac0e826bb0b3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 78adc147585c8ef75c1eada5e777ad6d |
| SHA1 | 8049ecf930f395681ce4bdda03ab9bd11e08dc5b |
| SHA256 | 9f236538a26c261be379706a35ef2317da0acea14fd25fd3a2c30bf83dbb8b57 |
| SHA512 | 927c3eb19141a0b1a63d95d2977f401b38196581c060e7b48967b5d79c3daec2ea1b5c650c723e2a42c19739db95ac585d741bd00557b7a4b4861fe8850c511a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4d541f39cbcd6dd4a8087de44496eb0a |
| SHA1 | 605f1fb051931a0611069888e963095e89d20e48 |
| SHA256 | fa40c43c1ccabb41787dfb3cb2f7ed5e7eeed18d3c522b09577affb4ab329856 |
| SHA512 | e13a977cda31580dc6067413c4ea323e1ecf77e9fa857712b20066ec9b5999008d465137a73e3e927abc1bc474062bbdf96801d42551a07a5bda1cc125c1acab |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e44944c830830c46253a14c9a2d175e1 |
| SHA1 | b064af46b63b78b9ec3b084d1dea8f5b09ff753c |
| SHA256 | 9b8c7568433da5bb82e4f2e252be09dbfa9c1ba902d83e43d3c2feb16066f2d7 |
| SHA512 | d26aa6d97d7a185857047ddf8a5d91bc5d63a5b860694712791e2f5c498ab867d2826805490f1252cd62f7d3529a954081975d553d3f04d77aa9d07c32fc6d23 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | fc0afe96f59343b104906902006bc5a1 |
| SHA1 | d7c38f928c90e10eb4fd7695f6feb7b31bddbb6b |
| SHA256 | 1570dc5d08e4bbcc3ad4d6d154e0fbb9d6e14da9b2a1dbee12c683d042e0fdcb |
| SHA512 | b2e8042a54b54aeba72c1ea501dc63ee8b00fb4013815730eae86a91246e8c099bccb7d58da6942c5fe8e4dac4d08a77c1ad8bfd4fe3da704485d7b2e0465001 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f4aada81afd31c82c1674b607c7487f1 |
| SHA1 | 60570596960b749f37f9f43aa82ef18828d036fe |
| SHA256 | eb003b07f4caa57f9b587291ecff12afc32f3593ae2c6377721ec19972530c15 |
| SHA512 | 156c4caf698e0eebb1bb9531222b3d58cc5ef9a41b2285e0e0827cf03af758c1f30ac6905bafcf8e324f13a861b917ca9e93cc22a4f513d85ffb432bdd4f59db |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | da1f0bf706736027d739a44883621da7 |
| SHA1 | 39970a9bb81c13ba4676522492c6d113d8e3dede |
| SHA256 | 375b58bdccfd760736854964ffc38125069c995c96eeefb8ccc31a55c04071f7 |
| SHA512 | e8f700e6e1b92abe1f008ee663e3d95f70953bfd260153f17e68681286491d6b9b80cc17a3b41bb25e54ac86308adcb2ce71d759e99027819739bdff2eefb84c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2d723b3206295c6fdbf653e10f1950c0 |
| SHA1 | 3a937333c40468c8499f1f6042077623d5886654 |
| SHA256 | 1a8ac05ebd7769bba085e4135a7974f12d567e7e087817fc89c3ad3e1a8d8afe |
| SHA512 | e79d333967e841bc1769ff9c042fec4256352d06798c2675b27e7e3dd35805c4ba2730542b18882fc58b139c5b4d9fc4b52745371c7cc416b4719ffdf0ac6c40 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 01818f497ae37bd662b7ffc5b25c2e75 |
| SHA1 | 979afb1d88162d78414ae7d555bd0170b966b2af |
| SHA256 | c7838b35fcfa704f4da008aa6f7cb3d628b2736ad3ce990aefbfab93a56461df |
| SHA512 | 07a7ce18856a1ea16fafe864fe1807916a48eb0815843eff1ad8d9c06ef72b992dc14cd5390461305d23fc95f1d3167b3dcf256e75097be53b36a82c20c6e511 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a42500a4e49f531160b879d50426dbf8 |
| SHA1 | 6a932dec5d6d584390f3ae82e44c6fa6455e2c7a |
| SHA256 | 95c114ae673992685beeb86dc505dd35e0d73dee07a5837e492395343cf0b98b |
| SHA512 | 19fea5a4d089bc0206381c2266dcf4d53daae4ee0addaf95ed45d2c78ca35a563240a80e529704d349e960c7639eb011745998442effae885929a3b76f702fa2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b41b7712fc530d3f8ec5d91b0a11460c |
| SHA1 | 3c606eb10f0f6837876b2cbb5de1c5731b6afd5a |
| SHA256 | d63a7e8281200bdfd288842f923a13b07ca984d324f4d457a01f2b1158b52ce8 |
| SHA512 | 75291c0fe6ca2384f4a16a51589d998afab69a0207cb8a329703baf4ccc70717e2e9556163ed17582b81b273f7fa1b82524399bd70903f3773fe7fa9ecf27ae6 |
Analysis: behavioral10
Detonation Overview
Submitted
2024-04-12 01:26
Reported
2024-04-12 01:31
Platform
win10v2004-20240226-en
Max time kernel
147s
Max time network
174s
Command Line
Signatures
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffba40546f8,0x7ffba4054708,0x7ffba4054718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,235592116185368161,8152664879626248442,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,235592116185368161,8152664879626248442,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,235592116185368161,8152664879626248442,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2644 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,235592116185368161,8152664879626248442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,235592116185368161,8152664879626248442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,235592116185368161,8152664879626248442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,235592116185368161,8152664879626248442,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,235592116185368161,8152664879626248442,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3336 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,235592116185368161,8152664879626248442,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3336 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,235592116185368161,8152664879626248442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,235592116185368161,8152664879626248442,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,235592116185368161,8152664879626248442,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5324 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 20.231.121.79:80 | tcp | |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 121.118.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 201.64.52.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | a774512b00820b61a51258335097b2c9 |
| SHA1 | 38c28d1ea3907a1af6c0443255ab610dd9285095 |
| SHA256 | 01946a2d65e59b66ebc256470ff4861f32edee90a44e31bf67529add95cafef4 |
| SHA512 | ce109be65060a5e7a872707c6c2ccce3aacd577e59c59d6e23e78d03e3d502f2707713fda40a546ed332e41a56ef90297af99590a5ab02f686a58bcbf3a82da1 |
\??\pipe\LOCAL\crashpad_4516_LORULQDKTJLSFVAW
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | fd7944a4ff1be37517983ffaf5700b11 |
| SHA1 | c4287796d78e00969af85b7e16a2d04230961240 |
| SHA256 | b54b41e7ce5600bc653aa7c88abb666976872b2d5e2d657bfc1147a0b49e9d74 |
| SHA512 | 28c58a2ccf39963a8d9f67ea5b93dbccf70b0109b2c8a396a58389cdec9db1205523a95730485bcbc9d533867cbf0e7167ad370fd45740e23656d01d96ee543b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 7e89e42e836643fae33d187d31d5c8fe |
| SHA1 | 7a7f58e2bee821163b46c0bf6613bce4bfa38b7f |
| SHA256 | 5e367dc01e805ac79153c5650118349d375529008e31ad5eef5c387ecabf3ee1 |
| SHA512 | a4b45a408ef80024a4e86e373e9f1b9020bb8707ee912dc405e55396cd7ad358d53f0f53f96556ff41ac7516d532f1b5824a9f3e5f7eaa9517c053a5ca23fbce |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 6194465eaf660de79ca7a688cac6900b |
| SHA1 | 6628ead0f8ce9fe38976e11713fd37f06dc4a616 |
| SHA256 | 733d13e0e551315c21dfa1c99d03ad27cedaa82bca1fafc28825992128814922 |
| SHA512 | 4699a86ebd5ef18b6998ee85b5d29bd80272bd5e6681704b79ca0c92015d4061fdb0599c7043cec1db1ec577b1ef8fdf807a12aa4310c92475f82bc79101c72e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | baafc73aa00bb6558a6106713866d2d4 |
| SHA1 | 2f313718b763003101c946e4b2455d1955004c66 |
| SHA256 | 257eb39cf7193164808da4b6064a4b8652f8a2506ea5dc64bcb295992308db0f |
| SHA512 | a6f317fc460a11248a07f51eff33fbcf3b61584495fe4712c491151637954f06aac3b0fba8f51950b47e7e7e8937b023562bc4f3e5f053e74d999b11ba6d4c1e |
Analysis: behavioral17
Detonation Overview
Submitted
2024-04-12 01:26
Reported
2024-04-12 01:30
Platform
win10v2004-20240226-en
Max time kernel
148s
Max time network
157s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 130.118.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-04-12 01:26
Reported
2024-04-12 01:31
Platform
win7-20240221-en
Max time kernel
121s
Max time network
134s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe
"C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-12 01:26
Reported
2024-04-12 01:31
Platform
win10v2004-20240226-en
Max time kernel
152s
Max time network
166s
Command Line
Signatures
Detects executables containing possible sandbox analysis VM usernames
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables referencing combination of virtualization drivers
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates VirtualBox registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse | C:\Users\Admin\AppData\Local\Temp\2etPjvlaTb83Ft04XhkAGWkFvCm\Ghostbane.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService | C:\Users\Admin\AppData\Local\Temp\2etPjvlaTb83Ft04XhkAGWkFvCm\Ghostbane.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF | C:\Users\Admin\AppData\Local\Temp\2etPjvlaTb83Ft04XhkAGWkFvCm\Ghostbane.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo | C:\Users\Admin\AppData\Local\Temp\2etPjvlaTb83Ft04XhkAGWkFvCm\Ghostbane.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest | C:\Users\Admin\AppData\Local\Temp\2etPjvlaTb83Ft04XhkAGWkFvCm\Ghostbane.exe | N/A |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\2etPjvlaTb83Ft04XhkAGWkFvCm\Ghostbane.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\2etPjvlaTb83Ft04XhkAGWkFvCm\Ghostbane.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\2etPjvlaTb83Ft04XhkAGWkFvCm\Ghostbane.exe | N/A |
Looks for VirtualBox Guest Additions in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | C:\Users\Admin\AppData\Local\Temp\2etPjvlaTb83Ft04XhkAGWkFvCm\Ghostbane.exe | N/A |
Looks for VMWare Tools registry key
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools | C:\Users\Admin\AppData\Local\Temp\2etPjvlaTb83Ft04XhkAGWkFvCm\Ghostbane.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\2etPjvlaTb83Ft04XhkAGWkFvCm\Ghostbane.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\2etPjvlaTb83Ft04XhkAGWkFvCm\Ghostbane.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\2etPjvlaTb83Ft04XhkAGWkFvCm\Ghostbane.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2etPjvlaTb83Ft04XhkAGWkFvCm\Ghostbane.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2etPjvlaTb83Ft04XhkAGWkFvCm\Ghostbane.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2etPjvlaTb83Ft04XhkAGWkFvCm\Ghostbane.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2etPjvlaTb83Ft04XhkAGWkFvCm\Ghostbane.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2etPjvlaTb83Ft04XhkAGWkFvCm\Ghostbane.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2etPjvlaTb83Ft04XhkAGWkFvCm\Ghostbane.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Wine | C:\Users\Admin\AppData\Local\Temp\2etPjvlaTb83Ft04XhkAGWkFvCm\Ghostbane.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\2etPjvlaTb83Ft04XhkAGWkFvCm\Ghostbane.exe | N/A |
Enumerates physical storage devices
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2etPjvlaTb83Ft04XhkAGWkFvCm\Ghostbane.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2etPjvlaTb83Ft04XhkAGWkFvCm\Ghostbane.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2etPjvlaTb83Ft04XhkAGWkFvCm\Ghostbane.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2etPjvlaTb83Ft04XhkAGWkFvCm\Ghostbane.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2etPjvlaTb83Ft04XhkAGWkFvCm\Ghostbane.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2etPjvlaTb83Ft04XhkAGWkFvCm\Ghostbane.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9c1a052b4f6fbbe3c6437b3af2a3f93f2218b3c175073e7daeb6361f999a94c5.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2etPjvlaTb83Ft04XhkAGWkFvCm\Ghostbane.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9c1a052b4f6fbbe3c6437b3af2a3f93f2218b3c175073e7daeb6361f999a94c5.exe
"C:\Users\Admin\AppData\Local\Temp\9c1a052b4f6fbbe3c6437b3af2a3f93f2218b3c175073e7daeb6361f999a94c5.exe"
C:\Users\Admin\AppData\Local\Temp\2etPjvlaTb83Ft04XhkAGWkFvCm\Ghostbane.exe
C:\Users\Admin\AppData\Local\Temp\2etPjvlaTb83Ft04XhkAGWkFvCm\Ghostbane.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic CsProduct Get UUID"
C:\Windows\System32\Wbem\WMIC.exe
wmic CsProduct Get UUID
C:\Users\Admin\AppData\Local\Temp\2etPjvlaTb83Ft04XhkAGWkFvCm\Ghostbane.exe
"C:\Users\Admin\AppData\Local\Temp\2etPjvlaTb83Ft04XhkAGWkFvCm\Ghostbane.exe" --type=gpu-process --field-trial-handle=1584,1818666746981407010,17787204521361545506,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --user-data-dir="C:\Users\Admin\AppData\Roaming\Ghostbane" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAANAAAAEAAAAAAAAAABAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1688 /prefetch:2
C:\Users\Admin\AppData\Local\Temp\2etPjvlaTb83Ft04XhkAGWkFvCm\Ghostbane.exe
"C:\Users\Admin\AppData\Local\Temp\2etPjvlaTb83Ft04XhkAGWkFvCm\Ghostbane.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1584,1818666746981407010,17787204521361545506,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Ghostbane" --mojo-platform-channel-handle=1972 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\2etPjvlaTb83Ft04XhkAGWkFvCm\Ghostbane.exe
"C:\Users\Admin\AppData\Local\Temp\2etPjvlaTb83Ft04XhkAGWkFvCm\Ghostbane.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Ghostbane" --app-path="C:\Users\Admin\AppData\Local\Temp\2etPjvlaTb83Ft04XhkAGWkFvCm\resources\app.asar" --no-sandbox --no-zygote --field-trial-handle=1584,1818666746981407010,17787204521361545506,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2456 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM msedge.exe /F"
C:\Windows\system32\taskkill.exe
taskkill /IM msedge.exe /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"
C:\Windows\System32\Wbem\WMIC.exe
wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "cmd /c chcp 65001>nul && netsh wlan show profiles"
C:\Windows\system32\cmd.exe
cmd /c chcp 65001
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Users\Admin\AppData\Local\Temp\2etPjvlaTb83Ft04XhkAGWkFvCm\Ghostbane.exe
"C:\Users\Admin\AppData\Local\Temp\2etPjvlaTb83Ft04XhkAGWkFvCm\Ghostbane.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1584,1818666746981407010,17787204521361545506,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=audio --user-data-dir="C:\Users\Admin\AppData\Roaming\Ghostbane" --mojo-platform-channel-handle=3520 /prefetch:8
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x494 0x2ec
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsUpdater /t REG_SZ /d C:\Users\Admin\AppData\Local\Microsoft\Windows\0\WindowsUpdater.exe /f"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsUpdater /t REG_SZ /d C:\Users\Admin\AppData\Local\Microsoft\Windows\0\WindowsUpdater.exe /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-4796-14xc6jx.p74b.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-4796-3e8dza.n4r3o.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-4796-kfgj3h.8f9c.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-4796-tj49y8.wcg7q.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-4796-1sn7maf.eqft.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-4796-1xrkgs4.so4m.jpg" "
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-4796-sqf2zt.1699s.jpg" "
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-4796-uiylly.yhpxg.jpg" "
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-4796-1ix19sw.sz94.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-4796-1cyfhpg.5g4l.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-4796-ctibaw.defq.jpg" "
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-4796-9xwrur.uufb5.jpg" "
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5318.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSCCD8412445D094E4090DA69C4ACC4AFF2.TMP"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES55E6.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSC235926CEAF514179997552E9552DAEFB.TMP"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-4796-kyg1c7.5m16j.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-4796-9axub1.6kihq.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-4796-1wnx6cb.armg.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-4796-ls6qml.806bn.jpg" "
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES65F4.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSC9E055BC61A394287BCC89C7F4A3EC8B.TMP"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-4796-dpcdn5.nogqv.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-4796-ocuyar.8766.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-4796-kfgj3h.8f9c.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-4796-1g0a4dj.dsem.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-4796-12t1nmo.bvg2f.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-4796-1b8vc3i.8e8g.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-4796-15ciufj.eh7z.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-4796-zmm86x.iq41.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-4796-13jgi5a.9fulk.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-4796-vxeol8.ys8l.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-4796-q9332f.40fdi.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-4796-5dhsr.1rhiee.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-4796-18cwx8l.xrsx.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-4796-1cyfhpg.5g4l.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-4796-1n7sw75.er3u.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-4796-1kv46hv.obft.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-4796-ctibaw.defq.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-4796-1u1va8c.0lrv.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-4796-1bkikcw.j8vlm.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-4796-1w452xg.jdncl.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-4796-1jteh.dtt59g.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-4796-mqme8.7h2m4.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-4796-1g6u8we.x2d9l.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-4796-14txxcu.gap1.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-4796-1wnx6cb.armg.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-4796-9axub1.6kihq.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-4796-h71cvr.84836.jpg" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | 192.186.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.4.4:443 | dns.google | tcp |
| US | 8.8.4.4:443 | dns.google | tcp |
| US | 8.8.4.4:443 | dns.google | tcp |
| US | 8.8.4.4:443 | dns.google | tcp |
| US | 8.8.8.8:53 | 4.4.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.4.4:443 | dns.google | tcp |
| US | 8.8.4.4:443 | dns.google | tcp |
| US | 8.8.4.4:443 | dns.google | tcp |
| US | 8.8.4.4:443 | dns.google | tcp |
| US | 8.8.4.4:443 | dns.google | tcp |
| US | 8.8.4.4:443 | dns.google | tcp |
| US | 8.8.4.4:443 | dns.google | tcp |
| US | 8.8.4.4:443 | dns.google | tcp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.4.4:443 | dns.google | tcp |
| US | 8.8.4.4:443 | dns.google | tcp |
| US | 8.8.8.8:53 | panelweb.equi-hosting.fr | udp |
| US | 104.21.40.54:443 | panelweb.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | panelweb.equi-hosting.fr | tcp |
| US | 8.8.8.8:53 | whoevenareyou.equi-hosting.fr | udp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 8.8.8.8:53 | 54.40.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.176.67.172.in-addr.arpa | udp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 8.8.8.8:53 | 233.129.159.162.in-addr.arpa | udp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 8.8.8.8:53 | 201.64.52.20.in-addr.arpa | udp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\System.dll
| MD5 | 0d7ad4f45dc6f5aa87f606d0331c6901 |
| SHA1 | 48df0911f0484cbe2a8cdd5362140b63c41ee457 |
| SHA256 | 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca |
| SHA512 | c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9 |
C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\nsis7z.dll
| MD5 | 80e44ce4895304c6a3a831310fbf8cd0 |
| SHA1 | 36bd49ae21c460be5753a904b4501f1abca53508 |
| SHA256 | b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592 |
| SHA512 | c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df |
C:\Users\Admin\AppData\Local\Temp\2etPjvlaTb83Ft04XhkAGWkFvCm\chrome_100_percent.pak
| MD5 | 4f7cf265db503b21845d2df4dc903022 |
| SHA1 | 970b35882db6670c81bd745bdeed11f011c609da |
| SHA256 | c48e6d360aee16159d4be43f9144f77d3275a87b3f77eae548e357601c55fc16 |
| SHA512 | 5645d2c226697c7ac69ce73e9124630696516fc18286a5579823588f93a936da71084a3850f1f9a7b34c624f4c502957107f5957ffba5e6c1e4da6d8da7d3348 |
C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\7z-out\chrome_200_percent.pak
| MD5 | 6a7a9dee6b4d47317b4478dba3b2076c |
| SHA1 | e9167673a3d25ad37e2d83e04af92bfda48f0c86 |
| SHA256 | b820d19a7a8ce9d12a26837f967f983e45b07550b49e7b9a25e57b417c5f6fd9 |
| SHA512 | 67466e21a13ca449b014b511fb49bfc51df841eb5776f93b4bda2e0023da96d368ac5c65de051ed9de1899275b9f33839af2c387be903688cdb48bf08993791e |
C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\7z-out\d3dcompiler_47.dll
| MD5 | 7641e39b7da4077084d2afe7c31032e0 |
| SHA1 | 2256644f69435ff2fee76deb04d918083960d1eb |
| SHA256 | 44422e6936dc72b7ac5ed16bb8bcae164b7554513e52efb66a3e942cec328a47 |
| SHA512 | 8010e1cb17fa18bbf72d8344e1d63ded7cef7be6e7c13434fa6d8e22ce1d58a4d426959bdcb031502d4b145e29cb111af929fcbc66001111fbc6d7a19e8800a5 |
C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\7z-out\ffmpeg.dll
| MD5 | 7977f3720aa86e0ec2ad2de44ad42004 |
| SHA1 | 04a4ef5ccd72aa5d050cc606a7597a3b388c6400 |
| SHA256 | 61c6bd5fee2c150265241a15379c4053b174b1cd7687749629afcdbd1264a02e |
| SHA512 | 8ef3b8f506b5ad7241b96d381a501033266358fb3756a457c46ed499547db1232012f849838e65f916129fab1a0d74711e9851b8e0669831acbbf4c3494e492d |
C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\7z-out\icudtl.dat
| MD5 | 2e7d2f6c3eed51f5eca878a466a1ab4e |
| SHA1 | 759bd98d218d7e392819107fab2a8fd1cfc63ddf |
| SHA256 | b62b7240837172959299dc3be44fffa83dc374353154eca1612e1bde330aa8fa |
| SHA512 | 0f1465e8efe32b0eaba628a30bbb21254a05d80f4407a1434120a55fb928cf575b3879e1b7cf754cd19b23c262ae715fa84a8049073563cb38f1855be7db1124 |
C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\7z-out\Ghostbane.exe
| MD5 | 21dcf914458e92f92928d52bd89470bf |
| SHA1 | cfe743e325859af219cc91b3e375b9afed58a6a9 |
| SHA256 | c68227296b243230fa9cb2fc7a1d3eed54de34db04bf0a8fb6b7c04c77bf44c5 |
| SHA512 | c8ccfd2cbc84b227c89e95988c51ddec76d99dd7cb06460c01c999bbe65018cd51422d9a03efa327d7e31723e0745658e47da54950959ef4e4d8d8cc9e22272c |
C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\7z-out\libEGL.dll
| MD5 | 7b77074945dfe5cf0b1c5a3748058d57 |
| SHA1 | fdea507ac2be491b8ad24ddc1030ea9980c94c0d |
| SHA256 | 994972c1bc515c199552d50e97ad217ae15a3eed16db06181c7df50e743e8a56 |
| SHA512 | d637b2c7d75723601af099317a39820d3edbd3cea1e1cb20b702deb6ca7fdb0b67e1351cc8fee1c7badff957fffb848a8dce18bb25bfd60c81a588da4f68c1fd |
C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\7z-out\LICENSES.chromium.html
| MD5 | 4247afa6679602da138e41886bcf27da |
| SHA1 | 3bb8c83dc9d5592119675e67595b294211ddbf6e |
| SHA256 | bf59a74b4404aa0c893ca8bbe636498629b6a3acdff4acb84de692462fd626e4 |
| SHA512 | ad3103f7fd32f0ec652bc7fcb8c303796367292a366037acad8e1312775cdd92c2f36ed8c34a809251ad044508e1e7579b79847de61025baf8bda5ad578a0330 |
C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\7z-out\LICENSE.electron.txt
| MD5 | 4d42118d35941e0f664dddbd83f633c5 |
| SHA1 | 2b21ec5f20fe961d15f2b58efb1368e66d202e5c |
| SHA256 | 5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d |
| SHA512 | 3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63 |
C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\7z-out\libGLESv2.dll
| MD5 | 8c93e19281992a00993fc0f09e272917 |
| SHA1 | 3a2d12bc85f829775ec8c5c1f8e35a783d37b7a7 |
| SHA256 | 1ebc1da8d7e463a5d3dc127a632989ef35cfbd94cb18bf1f8ee790f172d43703 |
| SHA512 | c4ec65378d83e6645c9128825853de2d3e82c0f430cd28fdc761eaf2d011267c3794b7c1dcef017750323873d7fe976656eebf9ed7c03582741d43738f3e0c7c |
C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\7z-out\v8_context_snapshot.bin
| MD5 | a718c9b6e5e6563e23e450a0d01b932a |
| SHA1 | 95ccb1228f024f037259e759dbac464f3c27b8cf |
| SHA256 | 315f5ed966a1f3a89c94d1b78b9bf70e59a2869601cf6551b2c1fd3e3b008447 |
| SHA512 | b04512e95ab3997bc7d5c65e2f526e124bf1895b139eb2b6c6c7b4a4aa381cd408eb2bba01f44b09b1936d24752baae288f24a32ed84687d3e7e0681b5387d01 |
C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\7z-out\vk_swiftshader.dll
| MD5 | 77f7b4f46cb3e06b53729fd1e562dfef |
| SHA1 | 223c09805220ff2b5c1dcbdd5c0396231ea34f11 |
| SHA256 | a648cd4671b12b469c4d2de20c2ba2429c9388c0f9d4b3d9d2244853d0e5acb5 |
| SHA512 | 6be9afda9320074c5842419cf8493d715ca65a3362d368d3a35e35a47d36f8197b0f19877485b41a06e21148613a77bb6275b0586c4a38da8a25efe6b5a6b571 |
C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\7z-out\snapshot_blob.bin
| MD5 | c497639990ef3d4435fd721e8e855c9a |
| SHA1 | 85e7df364daab70730c756b8e24e81965d5a2255 |
| SHA256 | 5e15a82831965e521bee172e6878806bba51d410d1fdf1b4eb01385d1954502b |
| SHA512 | 63f2514d585dd7d3b988f0aaeed8106a06b67629eb54f2152e8b4a24276d9f56fc4650c8770d0ab44b4c57ca458856a0cce5f26f6226a56a807b38ce5615ead3 |
C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\7z-out\vk_swiftshader_icd.json
| MD5 | 8642dd3a87e2de6e991fae08458e302b |
| SHA1 | 9c06735c31cec00600fd763a92f8112d085bd12a |
| SHA256 | 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9 |
| SHA512 | f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f |
C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\7z-out\vulkan-1.dll
| MD5 | 25afbdf6701013c57b19b92225920915 |
| SHA1 | 009300dd4ab3b81794388ce7d126ae90ff97535f |
| SHA256 | 22bb65dd206ce7ee10c05557933a04a04144e1a8228d2a9d1e9d704b0b1b2f7c |
| SHA512 | 575e38b60948cb704c355ba9cf3457f2693c30f95e85f10f795e759652bf4317e18ba480bee8aafcea9108415e8e58f674b22c7513a9fabee765142486919a0e |
C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\7z-out\resources.pak
| MD5 | 99c5bf0dcd43f961aa3e177f7dc42d42 |
| SHA1 | 5618abd2e7b45c50400bb4aa0c455bb0b28bc472 |
| SHA256 | 75ff04d991c2a203105525a1ccb200a461717ce7b86ada4be092fe903d95cdc8 |
| SHA512 | 2e508c46eb266301f42ee6a7d63494f3856b422df61d0b605096bf4fc4943239d3fba15161adf8cb1cdcfd3bea8608102a0abce636999cc2a9e01bda51cc77ae |
C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\7z-out\locales\am.pak
| MD5 | ebe0e7e0c78fac281a3f0196da22cee9 |
| SHA1 | 689864d898905d43b8a70bdf37c5b339daaf48eb |
| SHA256 | 08d86a45ff0a4b21e74b06509c376ab0f907cae72a3e0cbf5c17fc275d10ac5d |
| SHA512 | 89b6603e5db8ad53ee5623c2c0f7e81194278dbdf5ed49c7480049006b20744fd4642743c2b4a264cafa87e7f787d6d6cbf26f12ff2b851333b3ba7541ebd933 |
C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\7z-out\locales\bg.pak
| MD5 | 5ed6adc6158f554e71bdac7dc9731b16 |
| SHA1 | 394c8396c566d2b92cef881c332624be812115fa |
| SHA256 | 0a3e79a6d270d212037ccb5a8730b7abfc45c6e9175dd7e17d997daed0985726 |
| SHA512 | 796f107698e82dfad9ec8d2ac1fc3f79b1f3a339a06eccd783dcd262ddb7399f8e3c093799f16640cf7a4488f1d2eb04ba6b7cb14ac9e9fcf87488cb8305b35d |
C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\7z-out\locales\ar.pak
| MD5 | 3a8a7a08fedb148ebee6d3300356e37a |
| SHA1 | 2e9ac1ea8b6396b909f823486538d5640ddcaa1a |
| SHA256 | 43636fc76a2da6ab562c4c3bcc1a5d548a169dc0e884484fb7e4341814c44c78 |
| SHA512 | 7951829cc7aa385bb5f8078a7af7d4f0b49fa8c05eecb2808eac3fb0e8700c63f92db888ad64f526d992a14d54948a6807bf06f9fb688aecea40311eaacea181 |
C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\7z-out\locales\bn.pak
| MD5 | ee25e9cf28fdd35846d8a9b3c4220eed |
| SHA1 | 702342cc207ced1bb585195abcf263cbc4ea0069 |
| SHA256 | 9994b9832bce803bee8c48a8176653099df7768074e3c54d09a18593376466b9 |
| SHA512 | 2b703cd07bacc9f70e36844f148c980cb112a806b4ca11f692b9bbe6995fd5636eb9bdc84c5cfaf79790dbbb1ecf7cf2b61a7d6ff89311eb4907c586e20b7dbd |
C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\7z-out\locales\ca.pak
| MD5 | 53e3fb38f84f60b98d23b337e4f03f92 |
| SHA1 | 42e435837dd36872d2a413518a299cd293ff8536 |
| SHA256 | b00bd41c1222b3ea078df5b92cec1946e41430be241d0d57dc9baa4c70c91f3a |
| SHA512 | 98d0328e7370b1fec9e15ad0cff9e1353686fc581e3df9a8896e3c2e62ced044c4c51ea63f35ec8b7eb3e7df5c83ef5157468979b7f20e85480597042c1ac192 |
C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\7z-out\locales\da.pak
| MD5 | 22134b12d90fdc00f23a1e0a6fb04eec |
| SHA1 | 17c9fc2cacb6e5ccc393d1af9bdf3e8e63ecdaaa |
| SHA256 | 62020dd01b47b696e2e11d7f5598628c07782a96ea6bc013dc2ffe8c820b7c94 |
| SHA512 | 9cce6ffb2d84cedcc5ccf200080d6a2cab691468c042e8e48a5fdd809b5c0d067c322326e49d18f66da8e0b1d28adeda4cd03e12d7aa11350b72776737aa3427 |
C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\7z-out\locales\cs.pak
| MD5 | f125738776a9fb8dbf25311fa3dadbcf |
| SHA1 | 3448b58d4810e69f5c1eca4e1484308c3ceff502 |
| SHA256 | 5d5089718677f9a4e677dec72058c376a5829921cd523ecb919d0da7766d3cd4 |
| SHA512 | ca5300e5fb73ed4ee8c108e875c66ce7f105693f3ba78cb00f33218febfdb3ea27fe26f118dff3fb2e4af66f722f8348760cb576aba48887be25fdfae4991776 |
C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\7z-out\locales\de.pak
| MD5 | fceb00caf7e76e688007665feae99e83 |
| SHA1 | 06fece84cf7028b3871f144258b8d084faf8745b |
| SHA256 | 80e63ef1950b8438813271365a7b6a3f3aba0bacc179f5675654249f31c06a3c |
| SHA512 | 08c14eb299a035949e6b64a069cadee66c420b7d66bb00d65d6a1a08fbee08a57ab08f8e77c44387f0fe02b47aeb0bf2709a1979025613cb51af4ab82fc3b6d5 |
C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\7z-out\locales\en-US.pak
| MD5 | 0dcd84e9e50a3e0819d5875ea889ced4 |
| SHA1 | 7c47f6e4e0cafec3a13c07d689d1dd6ff6516b1e |
| SHA256 | 699b6d7f05a484e76d3e1197a656247863e570f03cc02634c9dc42078a5c5007 |
| SHA512 | 153fc15f676d78d5d0f3a6862fc7eaa60c2a659c25ce87485f0253c321d9407a9b799b959104c27a8e7b5487f0de926ae8f375e2c3d313329112e48f2d001a17 |
C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\7z-out\locales\en-GB.pak
| MD5 | 074d3dd44706502de7c33e791794b23a |
| SHA1 | 564a73ffad9232052c692eb94f560d6b17227c47 |
| SHA256 | 9c3954a5ca2cf126370a1152e9281f41a7ca97c69293f556a2c79ea6729324ae |
| SHA512 | 6e1296d04b16534274fa438643ecee6e37d17ed935623f73d5a8f3510a194e0efda9ca60fac8d51d25763c4818050e23c306f9ee18284b8600610d14f7768d98 |
C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\7z-out\locales\el.pak
| MD5 | db449f218a705453eb10b5f418e28d7b |
| SHA1 | 7bc8fcc59c532bb086a7f081cd8d275a89dac835 |
| SHA256 | 73da35d01b91707846775bea7dc0331fc1caebd5c63d101aa8bb8bb58ca7f193 |
| SHA512 | 7dce45bc723d62498b335be0ab72dfc91c44c01f96f25c2314e9245a0eab28a92dcaa730b11f108b604545592445ed1612721416f60ae3bf55b1bd438bd04f78 |
C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\7z-out\locales\es-419.pak
| MD5 | cadd9ec43e823609c4bbdc418da6009a |
| SHA1 | 91bdd44d5972a4763227ee7c127fe122aefe195f |
| SHA256 | 6c8d074047d57a79cf5cadf9caa6e9a64bce0895743a3dd89ed1350cc91c1e4c |
| SHA512 | 2b9eae4072e46024e33f000b1df1a64246f70498a557f4a03234d3dd47aadb04883b98ebf48eec21f0d6ca4c8a62065f675fdb352be680a56644ea3ae1db93a5 |
C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\7z-out\locales\es.pak
| MD5 | 39288ea031009bb9db582cbd93c7d534 |
| SHA1 | 467f76d33e39526a4d8cb6068eaf8e2791b3a9ee |
| SHA256 | 6cd39669df96b4b5b9047f7689338d3beb9ad7f8be2fddc595ef1ecbc47481c2 |
| SHA512 | 4a635e969cf2b09aab5f8723a3380c5e226bf0546019506d18de65c1e4a599d268b9ee2e03a65b245075f899a09697b7b535f1055c19344a411100c8f29d93b2 |
C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\7z-out\locales\et.pak
| MD5 | fcdea2954549e5d8f1e7a5de36ae4f74 |
| SHA1 | 41dcdcefbbab3e0e908d98ec9b6bac7eacecbb99 |
| SHA256 | d875bca2e8800657306727902f4f5fceec7415ea530bfa780ece0f016f792569 |
| SHA512 | 37ea008078083a36b07b1f5d0ca6e16f62b06a19266d8042efc796bf33c53200f37d3a37f5b48d024dbfab9e6689ec9c3f22d6e37e3898fa7deb61ace1fb2df3 |
C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\7z-out\locales\hi.pak
| MD5 | 34bcb12c154075510d9d3066ad4a8d1f |
| SHA1 | 6a3c062221db4f391f8505892f584647b05a410a |
| SHA256 | 83c6c411d75ec5c5de6984b21fdecb07c9b926c66b67c5c99380605f6fdd8928 |
| SHA512 | aba38e4a8039bbdc46b510a8370c82d3b199b4a02da7751c162c941e6d893a9cdfc0ce92db4144ecc2b2644d58b0bc6cc7cceb0533c62c131cc55be0258c3a7f |
C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\7z-out\locales\it.pak
| MD5 | a2b9cce245e754258ea187ceb3aa2670 |
| SHA1 | 50f84fbcabea10385714a3c3a2483247ac040c02 |
| SHA256 | b72f89e5d2cacbd2db7ce28ceae35faab8c4199ec993fea64e8c78df882032d0 |
| SHA512 | 5e9cca2605d4a86d4f2b39845c8396c37f88b6f1d08c8f0e2b6f0896d60754331a588d0c0fc59e9ad8fccf0d50100a2307fff2d9df784f91537b1d9e108727ad |
C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\7z-out\locales\kn.pak
| MD5 | 90107e2353e707a6d071c9aabb5adefa |
| SHA1 | e4dfe445ca7830b3a56af38af1d73e3cb94abc73 |
| SHA256 | 9155b06ccaefbea6461f5c51e25ce25d85ca7bd557e76dae00a4d6a09a4bc424 |
| SHA512 | dead3b94638afbf4ef27e1cb5283ad2d0af73ab8996e7d2e8202ad174796121799992f577c974fc0ec53fe2b8f6fb4d37c3bef70b72c29b5b721377a0cf3b093 |
C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\7z-out\locales\nl.pak
| MD5 | a17bff141aec095625d0420c7a609b08 |
| SHA1 | edf3746b20ff9e3bdbf09b195e7781da1f799a91 |
| SHA256 | 7482c28c2a42a94615118b6b8cc7d002415923ca104ef86a95a4ad05c8db36b9 |
| SHA512 | 903c50c39160e40920bdcce0dc337e83b03bba00481f82ebc8ac1cf6927ebfaa75b1f9791038a71632c5e79bf7331bbf7468cc626e303929801c08f54d092c8b |
C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\7z-out\locales\sl.pak
| MD5 | cfb094955a5a8f655ce8a598d5a89706 |
| SHA1 | 181ace68b0c3be132ab73302ba7f7c8750f9adae |
| SHA256 | 15489195e92cf11354a9a02895aad2ba8f17aecb676dd77942054a4f3f0fd623 |
| SHA512 | a31e131663072c1192a4146321db5f0f457d27e14afc8ae40a92a4f255df4cd5302774534fed5247e145c73739a709dd5852af35750f35ecbab0fd4c1a612e2f |
C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\7z-out\locales\zh-TW.pak
| MD5 | 03ade5ba27cd3ae9bab6ab3a5cb721c2 |
| SHA1 | a747311a5f6c2e0e535efd52bc96f3c4d12d5c3f |
| SHA256 | 0c4abf7a66026068cd4f458d504cb04f3e04cf9fae45419ddc2d592f24899a2a |
| SHA512 | 33e122328773039595248a85dc0940841a1e273957ec9a4e175871b3ada48008b608ca6569b495275abb8e2a8844ee0c4d90b48af915a3f5a6aa44f3c37e51f3 |
C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\7z-out\locales\zh-CN.pak
| MD5 | 20b6d54de42cf9c56f0a85fdc27d82e8 |
| SHA1 | cecb82b4afe8544876f443fcf578453358ab59a8 |
| SHA256 | 4140caf95939f116993ecd8bc5f7681991f96735d2397c9c7b4c66e3013eed24 |
| SHA512 | 646af407dfb85863f4555961f37f706c18b5c1e68b3111eda9f9b531ba2bb60cf67211ad634037b872156f0ddd04d50d68c49173a27a78ce59f75cbc2bb6c3bf |
C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\7z-out\locales\vi.pak
| MD5 | 98cb45f0555aee1985710196db17d72e |
| SHA1 | 1362238c253bc2a0e50c8dde6c95deb027fd6348 |
| SHA256 | 39a130557fea33a9c899f347fa3ed455e58bd51acc0b3b4586f76694b0f34646 |
| SHA512 | 93125310ade0c7029f0406aab291c35d2b7d1941f85bfd3d6071f85ff347c46e793a5ef164c08ebfcba252269a4aa84bf7a3b8779a36ee2f3da303411becc27d |
C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\7z-out\locales\uk.pak
| MD5 | 33f02db055c3f91148feee375acabfb7 |
| SHA1 | ca1dc284f41bc55cf35f94a4039008df9970d411 |
| SHA256 | 1968e9ed7722089330e7a8ae2c08f241aa106ed2be8948461439e6a92c330688 |
| SHA512 | ad16973e4103ced979276c6de175eb600241491ec9c441168e6375f68f8867d3f0eba422dd0ef6404208564015119f1e5e2500d5cf4ff2d8da45d713ed8c251d |
C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\7z-out\locales\tr.pak
| MD5 | 4e7c047364c7c4809242741b98b28092 |
| SHA1 | 4ff1b303476cb75d8190568c346e8cc2e452da14 |
| SHA256 | 6a25be43b786ab853f8081c53012be623543830cce5ccd246ec040d98f22b852 |
| SHA512 | 4624cec04114c15a72a804fa4966fe61303effe97039337273ed0dc99e8a6a685ca5cf5fa901a84c8b219d443f1a89e6e7cbe09eb21e7ecff662301067a6cefb |
C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\7z-out\locales\th.pak
| MD5 | 96212a5191b7062d1620388acf1d09cd |
| SHA1 | d3616b6c4649dcfa347df0473e64219ccd63e63a |
| SHA256 | fa5f97bf433df481a6257fa39ef8dcc7961c5d5a83008b02c9773836d7bfc96c |
| SHA512 | 5192c36317c3a50696796c7286f77b1a02b7a0f83abb16ff7d47ec94281b85ee2fb29b9ddff7c4ad8b28a2a757772bd2bc726b10c19658ab672966679d391508 |
C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\7z-out\locales\te.pak
| MD5 | 93edec428bdaa1f84f5c9478f440997a |
| SHA1 | e03f6bd50b0e0d888f9dfbdc87c98ff567e6a91a |
| SHA256 | a499f50e452ca02ea476fab8954e7ff58d2ee0c6263b8a4657b6ebddeecd2520 |
| SHA512 | ae34e29f1e8d23dacca66036e355b12ebb1117ec6e5e99413c792a0dc8b772eb63578b2406730b014fb4ffe32b05dfd9fab8adcf38ab3f5b9bfd0cf054ed09f7 |
C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\7z-out\locales\ta.pak
| MD5 | 8a1a245b43af1f174f262d8f53014d59 |
| SHA1 | 655045f5c71aa2589851a66d5387d4125bbce1ec |
| SHA256 | 85d8ef6fb5fdbd1d689aa6cdbbb768376b08b03ff39f7528a3804a3b4bd82af1 |
| SHA512 | d71b73fd2b5658acf5825f142130c49c278c801fd8beb5fb2039a3c209a1214a9cc00fb6896735fa4d020bc2279afca1577f35fb0a96a315631d46656d2055d3 |
C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\7z-out\locales\sw.pak
| MD5 | 70510abd3079bf26caf327989e810216 |
| SHA1 | ea640cb8b3c63d71d9b3a0d377fef5540b04fe81 |
| SHA256 | a11017a3e0e7f48338d4515ec9e79c1764387232a0d9a05fecc4b594bff40091 |
| SHA512 | ecbc97397557e27e66536a97ddf78a744c104b258d40d6f31972e6e5c6615699dd24eb02144ae0d3d53764da0f83a06f561ba95bbf08da4bf4a548b0e7f8c052 |
C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\7z-out\locales\sv.pak
| MD5 | 773fc8c89b093c40191fc233730188c1 |
| SHA1 | 28001794144bdb76f62044d57e2d52c8ae1635c6 |
| SHA256 | 6aab29795a36a0234c6d447fb1fdd9011da505c348b934346a27b6a2ddb92ff3 |
| SHA512 | f9bfd3e72955104b922c34352ec16d56939eea634b9abd549d4a3342dd72f8768c85bff59814e419aee6469f6521f4f71fcfe9b8a81c1824187ba818f6d6caac |
C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\7z-out\locales\sr.pak
| MD5 | f4041623ce5e06d2dea58d532edb120a |
| SHA1 | 2d7ee3ef60b39e3508427c7bc12e046d7bf5e928 |
| SHA256 | f2f80d7325d259811afea1e7648c42d3ef3eebfeddaec27ee2817f4e68ab541b |
| SHA512 | 18691f4cee3eeaa2305d1c978d803fdf757d9c4e87e88e36d7b1fff482cfddd820568b39a1108065f61dd2cf10d7219c27813aad4d64e71695ab91084ec3c694 |
C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\7z-out\locales\sk.pak
| MD5 | befec33f564454253ad90d6cc06ecf62 |
| SHA1 | 1fa0e082c89f9aa397551421a35b7dfc941f5250 |
| SHA256 | 9db30eeac7f1814158283affa0af6451c6f7966896cd6d6df8eab14a37e58c9f |
| SHA512 | a581faf67311eb8d81b481d1e3348f579745331f87523650a4fc35ddbe6d5033e726feab0ca3911ef76a21aceabc3e2122d16333d1b7840a933b5231a9e2d157 |
C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\7z-out\locales\ru.pak
| MD5 | fd441a4b72397f5d76915ebcdef45aa1 |
| SHA1 | 94a0ab5704e7303c6ef1c2ee5be0b6f4a52d146e |
| SHA256 | df41fb92e4d682d47b5adf942600b4f23c1aa5274b31b844cd4c4b6f0ec86a86 |
| SHA512 | 5fab517ec0141bb67b4b5ac868100b770fc0b7773b94f977af9205294da9305a2079327a4ece1ff1d9a3b3c805c8d8676c2b0505bf190d1c57c4ed0c14a1cfdb |
C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\7z-out\locales\pt-PT.pak
| MD5 | e9f8bc9fd1e845551fe3bb63c9149726 |
| SHA1 | 0bfbe46e8ffd62493c019e890a30ebc666838796 |
| SHA256 | 50cadb4da4e61fc335d145374511c34e5a0e40f9c26363614cd907cc7942a777 |
| SHA512 | 1d3761caadc3ac750c0a89c64db472bcb0764fc1c4b1108a9443fa71633ec7fdd945120a6f05e76221d9c58103cc9865b4857877d57d60b623f92a0235ed15fb |
C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\7z-out\locales\pt-BR.pak
| MD5 | 3b70cbf1aa47436b78a5e8c7672ce775 |
| SHA1 | ff9f2820e5782f9eae0ea1d5ede61665fa62cc06 |
| SHA256 | 8b4a8a3b8741610c279283a6cb843cb274223f720edac1c73296340b02569fbe |
| SHA512 | 41e3b3264d8034edf9ee1ab696ca4612ee6ef4e8537b4598805362c4a250f81274425cfa2c9c62330fed73a683e6d3b2ff537b51d869d7da19c4422728da7c0a |
C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\7z-out\locales\pl.pak
| MD5 | 41fd7c76e30b333027e86e20a65283a8 |
| SHA1 | 81afebdfd62255d0b0ca508141dcd7b67982f4c1 |
| SHA256 | 5de95dc2236f896e66debfe2cc7553a5bfeaa7ffea2820fe1f2f67368af84f7e |
| SHA512 | c59132dc329ee72fa8e9e9c653da597b5fa40a6eb0a7988cf62b1bdaa646a9f09f504219bfbc5af394a12c9ab6050a39740460a3e5c3ed0946b556c33f608219 |
C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\7z-out\locales\nb.pak
| MD5 | e5546ac3407546d6b786e24c7bc21ab1 |
| SHA1 | 7a9e44a525ae005d0b41020c403c4e1e49d237b7 |
| SHA256 | 751521cbf27777bc99f2039b987686f921cb27e02c959f6cbeb976799e45066e |
| SHA512 | becf51540db5a0893e6f44d588be98142bab5c2a0f37c0212348e3cf39da52def2fd104c039229b52767a9345890f5768ed897b4bde5c6feccd75036d8b4f363 |
C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\7z-out\locales\ro.pak
| MD5 | 4d1ed9e347de9351454d11132c06e916 |
| SHA1 | e3734d17a579ac423ec5fdc5829a211c7b76e049 |
| SHA256 | 57dc80c76c535c645893c9d3b4d0c4779aaa877445383abec79e32cf02c41276 |
| SHA512 | bd3d0841678879a24eb6f2f15c27bcb64a5d7ad171debbb51e7601a3898b830b1985b365363a01d22967969d4d4ddf89a130a5a33ff6a94cef6410b0e89f1849 |
C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\7z-out\locales\ms.pak
| MD5 | 0bb952597b170dd4dd76e9d9d546ac3d |
| SHA1 | 101aafdf6a4ac0cdba7bd88538e7ac395e715e3e |
| SHA256 | f6721ce0d4d601ffeff011d652a9bf2518386cd8c1d2317763e37512451534ff |
| SHA512 | 46c9b63273d6ea30ee63ff230d6b5600018ae54032e04a6707f5873ebd383d0d59645f8d0b44b8ce9a4d40d5acd3453b618b9c4fd3c1b958adb5aefba3465464 |
C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\7z-out\locales\mr.pak
| MD5 | fd3452d812a6129b8b6db620423adca0 |
| SHA1 | 9bfe47a0e9f1843c90875f28d8873d592098024c |
| SHA256 | c9704a3e528092ef676be4a653cb14b906e7c32424d59c8e4f22981014bd9111 |
| SHA512 | 7ec30343e985f7bdc6a64fc13d50bfe58ae098b03e18afeaeb4c89073059698cdf40477f2323a52c5e8f07f37b28608c54734501d14ad6ae0c9a0f2f4ab0e689 |
C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\7z-out\locales\ml.pak
| MD5 | 21aee42070f9eace2a8e14759526f05f |
| SHA1 | fedd83251a3fdb1846bf0e7e49a3a78cd77fae02 |
| SHA256 | 393d2dcd5c7c33945626fcf10ea4457649fa7b4c100c039898385133c26395cc |
| SHA512 | 60cc85a5a638d370710680bd39a6946d04660a0856bde49190fbc0002acf91617cfc3f3087a37cf592c047550ed2c5b73c2a769fbdffcacf4ad3ffa129c929e3 |
C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\7z-out\locales\lv.pak
| MD5 | 7313fab584b7561b1fa63de07b972118 |
| SHA1 | 3a44d445f57a78867d37638a80ab39add3fcaa4a |
| SHA256 | 7b92238240c31c197029d41fdffc244f68caeb8002854f65ee3125bd95643598 |
| SHA512 | 05b067847a63c0419298616278678ade6a4fec4008323121ace5a09e22f6dae409494474f5a88adc703833691a7d4810546d012d4311e176fe58812f166b8ae3 |
C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\7z-out\locales\lt.pak
| MD5 | 02e9c88d9d5e58d135c9a92effcce38d |
| SHA1 | 92421a5fac68d506fa904075ea7cf39a3da8efc3 |
| SHA256 | 38ad40532287da53fcdb6076b9cdb841bbb4f30162681707295bcab448149e65 |
| SHA512 | f0897d62e81eb6e2c56cf1a5b5ad5124521c345f70cab841071c7b70b16130984700d694a32dfa010460244d8b520ba1b217ffd76f75c074b5b3a9ccda26b02b |
C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\7z-out\locales\ko.pak
| MD5 | f21c6033fa73bc7d3358c2467c9048d2 |
| SHA1 | 939f209f00e6664294872e0dc3b33a9015a2f1fb |
| SHA256 | d19cfa8ae07f23b81c0d40d7e751628844fc1aafb83d4bb4dcbe71caecf6ea2e |
| SHA512 | a4a4909ca56d3d924639cf1adab6d9ee512132c99c8e3dd37f2b949a1c816ab29ce81c01c658022e680344516201fdb0440abb97e577e6946e2731411674566d |
C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\7z-out\locales\ja.pak
| MD5 | e720738027460b044429705f7ea1d25c |
| SHA1 | 851b59efad4ae074849fe41f40a56c5534caaf72 |
| SHA256 | c78fde77efbca1b3cc0cd12bda718d1a113bf6b6f3ed558b5c9a452dc974edfa |
| SHA512 | 08b0fd0ceff7ddfed26985bf84b54d75cead1f6fd4d5971da9e40996af6dc5fe9455c402f62e758020a6ccdb1ee0213cc2a5ddfa28a2bfb1e8064c6a4401c3a2 |
C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\7z-out\locales\id.pak
| MD5 | b5e4e0092bd1063e8bd68d0b539ab005 |
| SHA1 | 5e3d12a6fb497687df81ed64de17b0502ea84f2a |
| SHA256 | 8d7ef1377d39fb6045c9d4b1bb064c329bd789ee33b6de530c187f1e713dd7f0 |
| SHA512 | 52b535a143bc13a03804cfda2d3f2f81f036b8d24897d1ef4a657ed290ba14e43d7cfe92c868cdef6b093b09b90119f7e50e8496eaf347c8e4fdfc13c5e306a2 |
C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\7z-out\locales\hu.pak
| MD5 | ae13d7ddfeb82df9950c71a4ea0bd10f |
| SHA1 | 7b55315628060668f444b110031b1fc4715bda11 |
| SHA256 | 17758e2bc746f6d770fca8969ed0aa2d00658d68792d2e8bae94d7b58665d83f |
| SHA512 | f94247fecc4fda5bdbe9732f151cdffed337eee01f59aaab6e6452c570a549dfb87c0528484c1879a04af134ac883a21043c582d0a642e185e4e64e3aff830be |
C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\7z-out\locales\hr.pak
| MD5 | feea1754a955eb61cd41763be4e5ae2e |
| SHA1 | bb6252fec9ada8bf9ed7b81f59843d5abfcac80d |
| SHA256 | 787680ecb5d5ece246894481834b30145919c22b04d2dcad2f6ea2b2254abafb |
| SHA512 | 3d24c9ccb83f6ecf976df5cf00fdb0b46d53f09c1cb08ab68bb8d9944452785f40a761a152605708d7672f7dcb24e0b7cad1cfc14b267bf5fc1393cfd05ae4d0 |
C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\7z-out\locales\he.pak
| MD5 | 6010987755f300c7984dd3f72f518ab2 |
| SHA1 | eb85f0849a86aa5fb585efaa070d2d7300b197a3 |
| SHA256 | 1c84a575e28e9a72335ed13409d6861995bd9859fd57a4d9509fe912db4a56a9 |
| SHA512 | 4b77f74d986c16524a3a6c7f60cdbe53ac5be59418737835a7fa186e4b6ee853cce8317cce352fe4064c75a7d27bf1303d76eabc53993ff1e4b7758a8ccc6228 |
C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\7z-out\locales\gu.pak
| MD5 | 57cf11b4352e59f11b20b7ab754af031 |
| SHA1 | ca1716d419f175a2dd548929fd551dcbd1ef4bd7 |
| SHA256 | 55588f211c26e1deb47b04d39728ec051b99334c55d30252b94df57d0fba2f52 |
| SHA512 | c74360769323b3267aa218e994f49c7e135d4f320365a349a5362c1755c4b660050a070bec6c5446d4620be97a341270b6c01289db20ddf5199ece23117110a4 |
C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\7z-out\locales\fr.pak
| MD5 | e609419893f1d885a2f17f94805a441c |
| SHA1 | 31083ac114fa4077a7da7c796ab3744873fb893f |
| SHA256 | 8d71c36d04f2d6062458aa2614f7ce223b2ee9b4665556803f764f384b191091 |
| SHA512 | 77f965f436a009a5aacebed3cc15adde5a1054e1c699b8a50b947a7e78a97cf43317d50b0ab7a42532c77d320b7393007e47199f31c58f7acb6f462f98fdd4c4 |
C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\7z-out\locales\fil.pak
| MD5 | 693abd21a6855aeaa31f6c738c6b6fc9 |
| SHA1 | bb1fa375a9f0c682d9913b1c1610535eb2b4028d |
| SHA256 | f0bb231c710c025ad4643e2128867de6e111da867384082e7dc2d0769976b6ce |
| SHA512 | 03c68c45e3144a73251d950a8c7695e5b9c2c66711134016543ac07ee6eded723324d5312fad4624d35d0bfe9861ca4b7440d2445e6d3d6cff4a1a3cd5263c98 |
C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\7z-out\locales\fi.pak
| MD5 | 4f323a2eb73ccd029e742cee4dfa9769 |
| SHA1 | b860372d21cc55eb7ddbbf9f5bac61fed39426de |
| SHA256 | e1888472c8e1330e70e514d0a1936749a7e5d39f67e7edc818661c2cbf3e301a |
| SHA512 | d07d0f74736cd32d73b3a33867e65a25b727b5c30cb743162908e23d958fb3ae97285f600a9ef8196e61be9d450da5903d1e468fceb3b05ced93aa600387fddb |
C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\7z-out\locales\fa.pak
| MD5 | e3f56d4b0fa2878ed6847631d3b05dea |
| SHA1 | 627f48d5423afcb3cade0789f058d60867419041 |
| SHA256 | 2ee67a38cce9ffae1a639be17c0ef7ed7c763d9c15c9621f300bf634e1f25a64 |
| SHA512 | e29c28717f31dc57c2294857680a439acec25478913ea425b0c7b6e50f3343b21fb7983c15352f9e3c001ffa0c8e500d92a1924acde32a4b5bf3f5b6c60c4142 |
C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\7z-out\resources\elevate.exe
| MD5 | 792b92c8ad13c46f27c7ced0810694df |
| SHA1 | d8d449b92de20a57df722df46435ba4553ecc802 |
| SHA256 | 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37 |
| SHA512 | 6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40 |
C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\7z-out\resources\app.asar
| MD5 | 45521cfdc0f0979a1fde10a1bf163b64 |
| SHA1 | 4f736d4fc78020a8a8df6fba1de46c95ea0c50be |
| SHA256 | b2c42f78307d22cede05b010e4cffaaa70e9ee469c8279a3399a6f497d8cde24 |
| SHA512 | d8fe5278fadd3610cd379c352c2dfd6f16f01f3e3512c364dbebc8c9fddbc933203a5e424df65f6678243f8796bc0c5b509f1c648a11989c740a5dfbb52baf31 |
C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\7z-out\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\app.manifest
| MD5 | 8951565428aa6644f1505edb592ab38f |
| SHA1 | 9c4bee78e7338f4f8b2c8b6c0e187f43cfe88bf2 |
| SHA256 | 8814db9e125d0c2b7489f8c7c3e95adf41f992d4397ed718bda8573cb8fb0e83 |
| SHA512 | 7577bad37b67bf13a0d7f9b8b7d6c077ecdfb81a5bee94e06dc99e84cb20db2d568f74d1bb2cef906470b4f6859e00214beacca7d82e2b99126d27820bf3b8f5 |
C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\7z-out\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\index.js
| MD5 | d226502c9bf2ae0a7f029bd7930be88e |
| SHA1 | 6be773fb30c7693b338f7c911b253e4f430c2f9b |
| SHA256 | 77a3965315946a325ddcf0709d927ba72aa47f889976cbccf567c76cc545159f |
| SHA512 | 93f3d885dad1540b1f721894209cb7f164f0f6f92857d713438e0ce685fc5ee1fc94eb27296462cdeede49b30af8bf089a1fc2a34f8577479645d556aaac2f8e |
C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\7z-out\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\screenCapture_1.3.2.bat
| MD5 | da0f40d84d72ae3e9324ad9a040a2e58 |
| SHA1 | 4ca7f6f90fb67dce8470b67010aa19aa0fd6253f |
| SHA256 | 818350a4fb4146072a25f0467c5c99571c854d58bec30330e7db343bceca008b |
| SHA512 | 30b7d4921f39c2601d94a3e3bb0e3be79b4b7b505e52523d2562f2e2f32154d555a593df87a71cddb61b98403265f42e0d6705950b37a155dc1d64113c719fd9 |
C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\7z-out\swiftshader\libEGL.dll
| MD5 | be1b6fe26a1b5a3e1302c26ce5ce53f3 |
| SHA1 | c3cac08e89c4cc91eae1cc87e33a1dea723f1d78 |
| SHA256 | 162abe61314e720384d8cdd43190a89df8a96de52f3ede7b6c58998f615d8546 |
| SHA512 | 07dca111391dfb6b7e90d4be02071bc625128eeca0b9d9a3cebdc7916baec9f95cbbf906f2533befd6b62b9bbc69488ffa720f8d40c9710dd3b7d540d9dcaa55 |
C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\7z-out\swiftshader\libGLESv2.dll
| MD5 | 1e401ccda5b723ab8a595a54f7d2531c |
| SHA1 | 127716680dd16f776b19c2306d716935e54c5100 |
| SHA256 | c167a458174e2a280c39d7af31bd109e8e2921032a687097b584653adc33ab21 |
| SHA512 | 1f2f35021f338aa7c5a0ae83c196217fbca6b1d017ac1bb4f1eebb93bd6e18c5d74c1a14bd4899d7a91d054b0139b2c4fc3271c35148ad1d8b71139aff0132fc |
C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\StdUtils.dll
| MD5 | c6a6e03f77c313b267498515488c5740 |
| SHA1 | 3d49fc2784b9450962ed6b82b46e9c3c957d7c15 |
| SHA256 | b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e |
| SHA512 | 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803 |
C:\Users\Admin\AppData\Local\Temp\9d8ed008-b136-49d4-87c8-549f4bd8cb1a.tmp.node
| MD5 | e4c111d47eb54b62dab8cb12540b9e39 |
| SHA1 | 09be3e7d9eec1853dc628c8c3b90e7b670921029 |
| SHA256 | a05338fe1e0eb08230717ad2f3587a5c1cb4bd10a673c40a3059f70ae0e7e6b1 |
| SHA512 | f9ec1e62c08425382b48320d2fb1a7fa412dea84825cc49b0297d5c6cfdcb80f32c54de28ac59e7a4c7557ae9900a8d3860fc7d23e486bcc28e603787d9f0f79 |
C:\Users\Admin\AppData\Local\Temp\893c32cb-eabc-474f-9186-b5c36d3832c6.tmp.node
| MD5 | f1e751eb4dbfa4a1b5f4903315fc535a |
| SHA1 | 85e1166819678f839954c473d7eb363a99e24a96 |
| SHA256 | b8c24de2fa870ceb677f30da0eabdf20745d0a9ebed98f49c52d881383c75096 |
| SHA512 | 2349745a84bc2b2f9c2b96999d48e37242a6c3627d7898cd9a36e682e36ec12553713db7167b3a9cd20ec308ce11d84f09f06beb3e971823d8b4a959f457b182 |
memory/1880-573-0x00007FFEB8CA0000-0x00007FFEB8CA1000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
C:\Users\Admin\AppData\Local\Temp\06a32546-a4c1-4fc6-9686-c47de35a89e9.tmp.node
| MD5 | d4e6004197508892d18fc47645b25f62 |
| SHA1 | 1afceda2531e593c00de7ab994f928a150de5b4d |
| SHA256 | dc29d32decbd161ea4ff1e645d3fdf7a1ce3db0ee25e5485bc19fc775922b71c |
| SHA512 | 0be017eaba3764eb9f38e78248528a9e025958e713a8eb4a8f9b03d087267e107ceef8525a4ecfcbb684b077145fb0161e5dbe05f9fd95f8f94a140fe3ceb8a4 |
C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\Credit Cards\All Credit Cards.txt
| MD5 | dec2be4f1ec3592cea668aa279e7cc9b |
| SHA1 | 327cf8ab0c895e10674e00ea7f437784bb11d718 |
| SHA256 | 753b99d2b4e8c58bfd10995d0c2c19255fe9c8f53703bb27d1b6f76f1f4e83cc |
| SHA512 | 81728e3d31b72905b3a09c79d1e307c4e8e79d436fcfe7560a8046b46ca4ae994fdfaeb1bc2328e35f418b8128f2e7239289e84350e142146df9cde86b20bb66 |
C:\Users\Admin\AppData\Local\Temp\2etPjvlaTb83Ft04XhkAGWkFvCm\Ghostbane.exe
| MD5 | 37d2f2d28823a046818c6365e87f2236 |
| SHA1 | 1cb3d040c9449603c6062f3b017dd4ce5dcefbbe |
| SHA256 | 65330275c6c5d47cf8d013d394dd094831c57197b75fa1022f93693e736d607f |
| SHA512 | 2abd97b380eb6d66b0bfed7a675d8f65c2852bc3ddd974810e1e2c6e6c0ba1ffde7f99c639d5406deed2d2cfa5869f032d6cdaa131d2c5c12d9e0d28b5d8d8fa |
C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\AutoFill Data\All Autofill Data.txt
| MD5 | 810ae82f863a5ffae14d3b3944252a4e |
| SHA1 | 5393e27113753191436b14f0cafa8acabcfe6b2a |
| SHA256 | 453478914b72d9056472fb1e44c69606c62331452f47a1f3c02190f26501785c |
| SHA512 | 2421a397dd2ebb17947167addacd3117f666ddab388e3678168075f58dc8eee15bb49a4aac2290140ae5102924852d27b538740a859d0b35245f505b20f29112 |
\??\c:\Users\Admin\AppData\Local\Temp\screenCapture\CSCBE6E06D24DC04A32B333EDCC76AB387A.TMP
| MD5 | a6f2d21624678f54a2abed46e9f3ab17 |
| SHA1 | a2a6f07684c79719007d434cbd1cd2164565734a |
| SHA256 | ab96911d094b6070cbfb48e07407371ddb41b86e36628b6a10cdb11478192344 |
| SHA512 | 0b286df41c3887eecff5c38cbd6818078313b555ef001151b41ac11b80466b2f4f39da518ab9c51eeff35295cb39d52824de13e026c35270917d7274f764c676 |
C:\Users\Admin\AppData\Local\Temp\RES5318.tmp
| MD5 | 173b4f517f383b741b3d72f646c3b5b2 |
| SHA1 | 5c61431cd941e78db08635d3119dcc2cc2bb5990 |
| SHA256 | b3081ccc0361b8c8a8fdf3ba0114e94f623a4f734f72f81b8d9340ef00b98863 |
| SHA512 | a278160e691054190775c2c9eaf3c1b8eead7c7672d95e5b04403f1c3741c76407e73afdf876e61b5872acc3514fccb64b91be9f93f8da17b6adbc64e4258a34 |
\??\c:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
| MD5 | 4bd61b57cf6ddb819718ee3b61cbd91a |
| SHA1 | ea709142dcf9df5a3768d0bed5708ded55c61fbf |
| SHA256 | 25ca7fc5d7c19d481492f9c82ac0d784de94a1197cda1996a11ce4b1e90d40e2 |
| SHA512 | 9c033b8b06ec4a6b36eee3932627c6643980c3b0ecf051c52ef8a02ae6821c5e92574fd47b8ae340cb8159cdf95090ecab749dbb054a01a0f9d4f6698a32ac51 |
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
| MD5 | 08fea28227eb775855471cc304ae2195 |
| SHA1 | 0ce0829c8ce2ef04c76f6e16ea147f85c43fea9e |
| SHA256 | 1950f4d059a8fef675e3c5c99d284eab8e8b5f2427e19b3441aa9ce6ef621154 |
| SHA512 | 437b716a1fa367013b3b9c53a80b1282913cdcb9160be5caa013b35b77df1f38f4d2bf75547ceb96be579708387a6f28bcfde00fcdd3da29ce08a0b48a33549e |
memory/4864-756-0x0000000000F00000-0x0000000000F0A000-memory.dmp
memory/4864-769-0x00007FFE98DB0000-0x00007FFE99871000-memory.dmp
memory/5404-773-0x00007FFE98DB0000-0x00007FFE99871000-memory.dmp
memory/5148-774-0x00007FFE98DB0000-0x00007FFE99871000-memory.dmp
memory/5224-785-0x00007FFE98DB0000-0x00007FFE99871000-memory.dmp
memory/6176-792-0x00007FFE98DB0000-0x00007FFE99871000-memory.dmp
memory/6176-812-0x00007FFE98DB0000-0x00007FFE99871000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-04-12 01:26
Reported
2024-04-12 01:30
Platform
win7-20240319-en
Max time kernel
119s
Max time network
128s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 224
Network
Files
Analysis: behavioral32
Detonation Overview
Submitted
2024-04-12 01:26
Reported
2024-04-12 01:30
Platform
win7-20240221-en
Max time kernel
118s
Max time network
128s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 224
Network
Files
Analysis: behavioral30
Detonation Overview
Submitted
2024-04-12 01:26
Reported
2024-04-12 01:30
Platform
win7-20231129-en
Max time kernel
117s
Max time network
122s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2316 wrote to memory of 1884 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 2316 wrote to memory of 1884 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 2316 wrote to memory of 1884 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\vulkan-1.dll,#1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2316 -s 88
Network
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-04-12 01:26
Reported
2024-04-12 01:31
Platform
win7-20240221-en
Max time kernel
118s
Max time network
133s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\index.js
Network
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-04-12 01:26
Reported
2024-04-12 01:30
Platform
win7-20240221-en
Max time kernel
122s
Max time network
126s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\swiftshader\libGLESv2.dll,#1
Network
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-04-12 01:26
Reported
2024-04-12 01:30
Platform
win7-20240215-en
Max time kernel
121s
Max time network
127s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\swiftshader\libEGL.dll,#1
Network
Files
Analysis: behavioral28
Detonation Overview
Submitted
2024-04-12 01:26
Reported
2024-04-12 01:30
Platform
win7-20240221-en
Max time kernel
120s
Max time network
128s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2212 wrote to memory of 2864 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 2212 wrote to memory of 2864 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 2212 wrote to memory of 2864 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\vk_swiftshader.dll,#1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2212 -s 80
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-04-12 01:26
Reported
2024-04-12 01:30
Platform
win10v2004-20240226-en
Max time kernel
148s
Max time network
153s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3872 wrote to memory of 816 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3872 wrote to memory of 816 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3872 wrote to memory of 816 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 816 -ip 816
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 816 -s 628
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 130.118.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 201.64.52.20.in-addr.arpa | udp |
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-04-12 01:26
Reported
2024-04-12 01:31
Platform
win10v2004-20240226-en
Max time kernel
154s
Max time network
174s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\index.js
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4936 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 20.231.121.79:80 | tcp | |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 13.107.246.64:443 | tcp | |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 130.118.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.65.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-04-12 01:26
Reported
2024-04-12 01:31
Platform
win10v2004-20240226-en
Max time kernel
143s
Max time network
159s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\swiftshader\libEGL.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 130.118.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
Files
Analysis: behavioral29
Detonation Overview
Submitted
2024-04-12 01:26
Reported
2024-04-12 01:31
Platform
win10v2004-20240226-en
Max time kernel
158s
Max time network
193s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\vk_swiftshader.dll,#1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4412 --field-trial-handle=2972,i,4036376905309803364,5412922217215781933,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 142.250.200.42:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 42.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 216.239.32.29:80 | pki.goog | tcp |
| US | 8.8.8.8:53 | 29.32.239.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 121.118.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.192.122.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-04-12 01:26
Reported
2024-04-12 01:31
Platform
win7-20240221-en
Max time kernel
118s
Max time network
136s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\screenCapture_1.3.2.exe | N/A |
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\screenCapture_1.3.2.bat"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\RESOUR~1\APPASA~1.UNP\NODE_M~1\SCREEN~1\lib\win32\SCREEN~1.BAT"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFAE2.tmp" "c:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\CSC50E51E417ABF451394F6FA2317107D48.TMP"
C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe
Network
Files
\??\c:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\CSC50E51E417ABF451394F6FA2317107D48.TMP
| MD5 | a6f2d21624678f54a2abed46e9f3ab17 |
| SHA1 | a2a6f07684c79719007d434cbd1cd2164565734a |
| SHA256 | ab96911d094b6070cbfb48e07407371ddb41b86e36628b6a10cdb11478192344 |
| SHA512 | 0b286df41c3887eecff5c38cbd6818078313b555ef001151b41ac11b80466b2f4f39da518ab9c51eeff35295cb39d52824de13e026c35270917d7274f764c676 |
C:\Users\Admin\AppData\Local\Temp\RESFAE2.tmp
| MD5 | 388dc33175daa4812603514e2a88ae6e |
| SHA1 | dcdf8720696f5105d9b86c8e5a81ba78f2f68194 |
| SHA256 | 823fa03cf5a6b30e4b569407f36cdd25d8bed42995fb6e8c03d42c27517a9fb5 |
| SHA512 | f2ed1af8c510f35caf9ac2c5f739560b792530921bfc150c179d9878805f68efaecf7d69a444c1776a1268c70bffa3df5c4a4098c93500e3fc04624d87e9f112 |
C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\screenCapture_1.3.2.exe
| MD5 | 7adf78f671ec5ed337bd34ecdd3de5ce |
| SHA1 | 6e76a5e983972d60070a27bc42f21a85b3536ca2 |
| SHA256 | 312396d658be11e6c36198e549ac046b9c044730f86fd3cfe26609bafcbac2b0 |
| SHA512 | 5f1740e40ae067e94fde6225066e2347ffebda6937231b1f543bed77882801368420c7522ea253f71e54d6e69a4581fdb355c8f7faa18bedee10d15453206e76 |
memory/2556-8-0x0000000000CD0000-0x0000000000CDA000-memory.dmp
memory/2556-9-0x000007FEF5940000-0x000007FEF632C000-memory.dmp
memory/2556-10-0x000007FEF5940000-0x000007FEF632C000-memory.dmp
Analysis: behavioral23
Detonation Overview
Submitted
2024-04-12 01:26
Reported
2024-04-12 01:30
Platform
win10v2004-20240226-en
Max time kernel
146s
Max time network
154s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe
"C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-04-12 01:26
Reported
2024-04-12 01:30
Platform
win7-20240221-en
Max time kernel
122s
Max time network
129s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1
Network
Files
Analysis: behavioral31
Detonation Overview
Submitted
2024-04-12 01:26
Reported
2024-04-12 01:31
Platform
win10v2004-20240319-en
Max time kernel
138s
Max time network
182s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\vulkan-1.dll,#1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4248 --field-trial-handle=2224,i,17688331074622862378,73816879873678745,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| IE | 94.245.104.56:443 | tcp | |
| GB | 172.166.92.12:443 | tcp | |
| GB | 51.140.242.104:443 | tcp | |
| NL | 142.250.179.138:443 | tcp | |
| NL | 142.250.179.138:443 | tcp | |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| GB | 13.105.221.16:443 | tcp | |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-04-12 01:26
Reported
2024-04-12 01:31
Platform
win10v2004-20240226-en
Max time kernel
141s
Max time network
174s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3dcompiler_47.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 130.118.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.178.89.13.in-addr.arpa | udp |
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-04-12 01:26
Reported
2024-04-12 01:30
Platform
win7-20240220-en
Max time kernel
118s
Max time network
123s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2904 wrote to memory of 1668 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 2904 wrote to memory of 1668 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 2904 wrote to memory of 1668 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2904 -s 88
Network
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-04-12 01:26
Reported
2024-04-12 01:31
Platform
win10v2004-20240226-en
Max time kernel
134s
Max time network
193s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\screenCapture_1.3.2.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\screenCapture_1.3.2.bat"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\RESOUR~1\APPASA~1.UNP\NODE_M~1\SCREEN~1\lib\win32\SCREEN~1.BAT"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7AC9.tmp" "c:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\CSC7811090D8E0042F887343A4ECC70DE13.TMP"
C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 130.118.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 52.111.229.48:443 | tcp | |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 201.64.52.20.in-addr.arpa | udp |
Files
\??\c:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\CSC7811090D8E0042F887343A4ECC70DE13.TMP
| MD5 | a6f2d21624678f54a2abed46e9f3ab17 |
| SHA1 | a2a6f07684c79719007d434cbd1cd2164565734a |
| SHA256 | ab96911d094b6070cbfb48e07407371ddb41b86e36628b6a10cdb11478192344 |
| SHA512 | 0b286df41c3887eecff5c38cbd6818078313b555ef001151b41ac11b80466b2f4f39da518ab9c51eeff35295cb39d52824de13e026c35270917d7274f764c676 |
C:\Users\Admin\AppData\Local\Temp\RES7AC9.tmp
| MD5 | 4f6175a1db8a1dee1b0e581e52917edf |
| SHA1 | 18b535c9de03c717a6d2c0beabbf494b46625d8f |
| SHA256 | eaa3412cb473f7a135bbdbdc1af5cd5b227be8897cb736f1dd0ca8384d609ef4 |
| SHA512 | 956d3407d83940ebf7302a9193328d7ffeee2f7f93ff15ba5d310677d5ed9acdac521b1c0b25bdfe5647568145f61174767e376548fb2d8cfc1f5af13a512097 |
C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\screenCapture_1.3.2.exe
| MD5 | 917c81129c7ed93f69d13c98ee10c704 |
| SHA1 | 38670f80cbc4689685c105cac0d61c102f47e5ba |
| SHA256 | 8fae7f80273d6122319ad8832a17dd7803137d7c669c8dbb9ad69145820102c6 |
| SHA512 | 3929f0c570d7999e3362b6520f12c87c835cd98e411f90979e9f0bb5f62745b12b8e95c0f6c0dcb5c271a6df5450e9803420ad081e5204d805d0a1c4ac7e4548 |
memory/608-9-0x0000000000100000-0x000000000010A000-memory.dmp
memory/608-10-0x00007FFCA9580000-0x00007FFCAA041000-memory.dmp
memory/608-12-0x00007FFCA9580000-0x00007FFCAA041000-memory.dmp
Analysis: behavioral27
Detonation Overview
Submitted
2024-04-12 01:26
Reported
2024-04-12 01:31
Platform
win10v2004-20240226-en
Max time kernel
91s
Max time network
157s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\swiftshader\libGLESv2.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 130.118.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-04-12 01:26
Reported
2024-04-12 01:30
Platform
win7-20240221-en
Max time kernel
120s
Max time network
130s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 224
Network
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-04-12 01:26
Reported
2024-04-12 01:30
Platform
win10v2004-20231215-en
Max time kernel
135s
Max time network
143s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 138.91.171.81:80 | tcp | |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 121.118.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-04-12 01:26
Reported
2024-04-12 01:30
Platform
win7-20240215-en
Max time kernel
121s
Max time network
126s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1
Network
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-04-12 01:26
Reported
2024-04-12 01:30
Platform
win10v2004-20240226-en
Max time kernel
89s
Max time network
156s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 20.231.121.79:80 | tcp | |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 121.118.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-12 01:26
Reported
2024-04-12 01:31
Platform
win7-20240221-en
Max time kernel
156s
Max time network
173s
Command Line
Signatures
Detects executables containing possible sandbox analysis VM usernames
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables referencing combination of virtualization drivers
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Enumerates physical storage devices
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9c1a052b4f6fbbe3c6437b3af2a3f93f2218b3c175073e7daeb6361f999a94c5.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\9c1a052b4f6fbbe3c6437b3af2a3f93f2218b3c175073e7daeb6361f999a94c5.exe
"C:\Users\Admin\AppData\Local\Temp\9c1a052b4f6fbbe3c6437b3af2a3f93f2218b3c175073e7daeb6361f999a94c5.exe"
C:\Users\Admin\AppData\Local\Temp\2etPjvlaTb83Ft04XhkAGWkFvCm\Ghostbane.exe
C:\Users\Admin\AppData\Local\Temp\2etPjvlaTb83Ft04XhkAGWkFvCm\Ghostbane.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic CsProduct Get UUID"
C:\Users\Admin\AppData\Local\Temp\2etPjvlaTb83Ft04XhkAGWkFvCm\Ghostbane.exe
"C:\Users\Admin\AppData\Local\Temp\2etPjvlaTb83Ft04XhkAGWkFvCm\Ghostbane.exe" --type=gpu-process --field-trial-handle=1000,9861199552755883329,3394318409916178525,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --user-data-dir="C:\Users\Admin\AppData\Roaming\Ghostbane" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAANAAAAEAAAAAAAAAABAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1012 /prefetch:2
C:\Windows\System32\Wbem\WMIC.exe
wmic CsProduct Get UUID
C:\Users\Admin\AppData\Local\Temp\2etPjvlaTb83Ft04XhkAGWkFvCm\Ghostbane.exe
"C:\Users\Admin\AppData\Local\Temp\2etPjvlaTb83Ft04XhkAGWkFvCm\Ghostbane.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1000,9861199552755883329,3394318409916178525,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Ghostbane" --mojo-platform-channel-handle=1288 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\2etPjvlaTb83Ft04XhkAGWkFvCm\Ghostbane.exe
"C:\Users\Admin\AppData\Local\Temp\2etPjvlaTb83Ft04XhkAGWkFvCm\Ghostbane.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Ghostbane" --app-path="C:\Users\Admin\AppData\Local\Temp\2etPjvlaTb83Ft04XhkAGWkFvCm\resources\app.asar" --no-sandbox --no-zygote --field-trial-handle=1000,9861199552755883329,3394318409916178525,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1444 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\2etPjvlaTb83Ft04XhkAGWkFvCm\Ghostbane.exe
"C:\Users\Admin\AppData\Local\Temp\2etPjvlaTb83Ft04XhkAGWkFvCm\Ghostbane.exe" --type=gpu-process --field-trial-handle=1000,9861199552755883329,3394318409916178525,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --user-data-dir="C:\Users\Admin\AppData\Roaming\Ghostbane" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAANAAAAEAAAAAAAAAABAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1012 /prefetch:2
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"
C:\Windows\System32\Wbem\WMIC.exe
wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "cmd /c chcp 65001>nul && netsh wlan show profiles"
C:\Windows\system32\cmd.exe
cmd /c chcp 65001
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Users\Admin\AppData\Local\Temp\2etPjvlaTb83Ft04XhkAGWkFvCm\Ghostbane.exe
"C:\Users\Admin\AppData\Local\Temp\2etPjvlaTb83Ft04XhkAGWkFvCm\Ghostbane.exe" --type=gpu-process --field-trial-handle=1000,9861199552755883329,3394318409916178525,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --user-data-dir="C:\Users\Admin\AppData\Roaming\Ghostbane" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAANAAAAEAAAAAAAAAABAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 /prefetch:2
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-1224-3phj9p.tve2c.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-1224-x14udi.svzfd.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsUpdater /t REG_SZ /d C:\Users\Admin\AppData\Local\Microsoft\Windows\0\WindowsUpdater.exe /f"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsUpdater /t REG_SZ /d C:\Users\Admin\AppData\Local\Microsoft\Windows\0\WindowsUpdater.exe /f
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-1224-1wdgpp5.hb1r.jpg" "
C:\Users\Admin\AppData\Local\Temp\2etPjvlaTb83Ft04XhkAGWkFvCm\Ghostbane.exe
"C:\Users\Admin\AppData\Local\Temp\2etPjvlaTb83Ft04XhkAGWkFvCm\Ghostbane.exe" --type=gpu-process --field-trial-handle=1000,9861199552755883329,3394318409916178525,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --user-data-dir="C:\Users\Admin\AppData\Roaming\Ghostbane" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAANAAAAEAAAAAAAAAABAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2344 /prefetch:2
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-1224-wp8pgq.gsyh.jpg" "
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-1224-8sue61.4gc8s.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-1224-mqg0vs.3m6mb.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-1224-33z2x7.rohb.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-1224-1ui81gr.u7oni.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-1224-d0hn6d.rkna6.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-1224-s6wci2.lrxsb.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-1224-1uc7dqh.u7qe.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-1224-yrxsz4.oth3.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-1224-8c87bt.ldzsq.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-1224-nwf23v.y0p3s.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-1224-icun11.1n55n.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-1224-deaiix.j3eb7.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-1224-14lofy9.f1e9.jpg" "
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-1224-qb3z7e.ljbsj.jpg" "
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-1224-1vkae7z.1d7c.jpg" "
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-1224-159pe2c.um0o.jpg" "
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-1224-1hgumvk.3y0x.jpg" "
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-1224-pam4v3.adpua.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-1224-iifo37.9fsf.jpg" "
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-1224-7kr5s6.q0dr5.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-1224-1x90q4h.rw1cf.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-1224-15bx6nh.d52d.jpg" "
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9ECF.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSC20693622FEB48D484694DC12EAA5214.TMP"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9D29.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSC31692DA2AD5A4CBB8438FC74E28025D5.TMP"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-1224-ozpf8v.wbbi.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-1224-1nv4htf.avjn.jpg" "
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-1224-v8dvqz.izhua.jpg" "
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-1224-52sj1n.87ent.jpg" "
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-1224-col037.s4c3.jpg" "
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-1224-yhxya1.zm67.jpg" "
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-1224-1cgu41r.ly2z.jpg" "
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-1224-8kub2x.4p73c.jpg" "
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-1224-n2cibr.smfpf.jpg" "
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-1224-10vbixf.bw2ej.jpg" "
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9F99.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSCC474C2AD9A2745C68CA13BD944436F47.TMP"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-1224-1nz36e8.ssj1.jpg" "
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA238.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSC6D0B57092342474D935E097789C90D8.TMP"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9FF7.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSCE7B9E4F054FD42A98EAD97D1C354BFF.TMP"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-1224-1npjx20.wpjc.jpg" "
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA17D.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSCA261FC8A438421581A7EDC64DDDDF17.TMP"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-1224-8zqkpr.z26hs.jpg" "
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-1224-1t4rha4.strk.jpg" "
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-1224-vs3jw1.q7di.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-1224-gbe3pi.ydpbl.jpg" "
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-1224-fjcjk0.fwt4i.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-1224-1o90lux.5ufh.jpg" "
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC3AD.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSC9C34961167DC4ABDAEEB888D0886BFB.TMP"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-1224-bblbpp.5t7c7.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-1224-gv3x5n.cgsj8.jpg" "
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC581.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSC123D68C979044538A68AA4CA9B282FF0.TMP"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-1224-12fmr4g.gagz.jpg" "
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-1224-uvl2ll.fc71k.jpg" "
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-1224-6bfxev.2km7e.jpg" "
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-1224-snrltq.juxqn.jpg" "
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| GB | 216.58.201.110:443 | redirector.gvt1.com | tcp |
| US | 8.8.8.8:53 | r2---sn-aigzrnse.gvt1.com | udp |
| GB | 74.125.168.199:443 | r2---sn-aigzrnse.gvt1.com | udp |
| GB | 74.125.168.199:443 | r2---sn-aigzrnse.gvt1.com | tcp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.4.4:443 | dns.google | tcp |
| US | 8.8.4.4:443 | dns.google | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | panelweb.equi-hosting.fr | udp |
| US | 8.8.8.8:53 | panelweb.equi-hosting.fr | udp |
| US | 104.21.40.54:443 | panelweb.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | panelweb.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | panelweb.equi-hosting.fr | tcp |
| US | 8.8.8.8:53 | whoevenareyou.equi-hosting.fr | udp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 8.8.4.4:443 | dns.google | udp |
| US | 8.8.4.4:443 | dns.google | udp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
Files
\Users\Admin\AppData\Local\Temp\nsy8805.tmp\System.dll
| MD5 | 0d7ad4f45dc6f5aa87f606d0331c6901 |
| SHA1 | 48df0911f0484cbe2a8cdd5362140b63c41ee457 |
| SHA256 | 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca |
| SHA512 | c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9 |
\Users\Admin\AppData\Local\Temp\nsy8805.tmp\nsis7z.dll
| MD5 | 80e44ce4895304c6a3a831310fbf8cd0 |
| SHA1 | 36bd49ae21c460be5753a904b4501f1abca53508 |
| SHA256 | b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592 |
| SHA512 | c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df |
C:\Users\Admin\AppData\Local\Temp\nsy8805.tmp\7z-out\chrome_100_percent.pak
| MD5 | 4f7cf265db503b21845d2df4dc903022 |
| SHA1 | 970b35882db6670c81bd745bdeed11f011c609da |
| SHA256 | c48e6d360aee16159d4be43f9144f77d3275a87b3f77eae548e357601c55fc16 |
| SHA512 | 5645d2c226697c7ac69ce73e9124630696516fc18286a5579823588f93a936da71084a3850f1f9a7b34c624f4c502957107f5957ffba5e6c1e4da6d8da7d3348 |
C:\Users\Admin\AppData\Local\Temp\nsy8805.tmp\7z-out\chrome_200_percent.pak
| MD5 | 6a7a9dee6b4d47317b4478dba3b2076c |
| SHA1 | e9167673a3d25ad37e2d83e04af92bfda48f0c86 |
| SHA256 | b820d19a7a8ce9d12a26837f967f983e45b07550b49e7b9a25e57b417c5f6fd9 |
| SHA512 | 67466e21a13ca449b014b511fb49bfc51df841eb5776f93b4bda2e0023da96d368ac5c65de051ed9de1899275b9f33839af2c387be903688cdb48bf08993791e |
C:\Users\Admin\AppData\Local\Temp\nsy8805.tmp\7z-out\d3dcompiler_47.dll
| MD5 | 7641e39b7da4077084d2afe7c31032e0 |
| SHA1 | 2256644f69435ff2fee76deb04d918083960d1eb |
| SHA256 | 44422e6936dc72b7ac5ed16bb8bcae164b7554513e52efb66a3e942cec328a47 |
| SHA512 | 8010e1cb17fa18bbf72d8344e1d63ded7cef7be6e7c13434fa6d8e22ce1d58a4d426959bdcb031502d4b145e29cb111af929fcbc66001111fbc6d7a19e8800a5 |
C:\Users\Admin\AppData\Local\Temp\nsy8805.tmp\7z-out\ffmpeg.dll
| MD5 | 7977f3720aa86e0ec2ad2de44ad42004 |
| SHA1 | 04a4ef5ccd72aa5d050cc606a7597a3b388c6400 |
| SHA256 | 61c6bd5fee2c150265241a15379c4053b174b1cd7687749629afcdbd1264a02e |
| SHA512 | 8ef3b8f506b5ad7241b96d381a501033266358fb3756a457c46ed499547db1232012f849838e65f916129fab1a0d74711e9851b8e0669831acbbf4c3494e492d |
C:\Users\Admin\AppData\Local\Temp\nsy8805.tmp\7z-out\Ghostbane.exe
| MD5 | 21dcf914458e92f92928d52bd89470bf |
| SHA1 | cfe743e325859af219cc91b3e375b9afed58a6a9 |
| SHA256 | c68227296b243230fa9cb2fc7a1d3eed54de34db04bf0a8fb6b7c04c77bf44c5 |
| SHA512 | c8ccfd2cbc84b227c89e95988c51ddec76d99dd7cb06460c01c999bbe65018cd51422d9a03efa327d7e31723e0745658e47da54950959ef4e4d8d8cc9e22272c |
C:\Users\Admin\AppData\Local\Temp\nsy8805.tmp\7z-out\libEGL.dll
| MD5 | 7b77074945dfe5cf0b1c5a3748058d57 |
| SHA1 | fdea507ac2be491b8ad24ddc1030ea9980c94c0d |
| SHA256 | 994972c1bc515c199552d50e97ad217ae15a3eed16db06181c7df50e743e8a56 |
| SHA512 | d637b2c7d75723601af099317a39820d3edbd3cea1e1cb20b702deb6ca7fdb0b67e1351cc8fee1c7badff957fffb848a8dce18bb25bfd60c81a588da4f68c1fd |
C:\Users\Admin\AppData\Local\Temp\nsy8805.tmp\7z-out\LICENSE.electron.txt
| MD5 | 4d42118d35941e0f664dddbd83f633c5 |
| SHA1 | 2b21ec5f20fe961d15f2b58efb1368e66d202e5c |
| SHA256 | 5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d |
| SHA512 | 3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63 |
C:\Users\Admin\AppData\Local\Temp\nsy8805.tmp\7z-out\LICENSES.chromium.html
| MD5 | 4247afa6679602da138e41886bcf27da |
| SHA1 | 3bb8c83dc9d5592119675e67595b294211ddbf6e |
| SHA256 | bf59a74b4404aa0c893ca8bbe636498629b6a3acdff4acb84de692462fd626e4 |
| SHA512 | ad3103f7fd32f0ec652bc7fcb8c303796367292a366037acad8e1312775cdd92c2f36ed8c34a809251ad044508e1e7579b79847de61025baf8bda5ad578a0330 |
C:\Users\Admin\AppData\Local\Temp\nsy8805.tmp\7z-out\snapshot_blob.bin
| MD5 | c497639990ef3d4435fd721e8e855c9a |
| SHA1 | 85e7df364daab70730c756b8e24e81965d5a2255 |
| SHA256 | 5e15a82831965e521bee172e6878806bba51d410d1fdf1b4eb01385d1954502b |
| SHA512 | 63f2514d585dd7d3b988f0aaeed8106a06b67629eb54f2152e8b4a24276d9f56fc4650c8770d0ab44b4c57ca458856a0cce5f26f6226a56a807b38ce5615ead3 |
C:\Users\Admin\AppData\Local\Temp\nsy8805.tmp\7z-out\v8_context_snapshot.bin
| MD5 | a718c9b6e5e6563e23e450a0d01b932a |
| SHA1 | 95ccb1228f024f037259e759dbac464f3c27b8cf |
| SHA256 | 315f5ed966a1f3a89c94d1b78b9bf70e59a2869601cf6551b2c1fd3e3b008447 |
| SHA512 | b04512e95ab3997bc7d5c65e2f526e124bf1895b139eb2b6c6c7b4a4aa381cd408eb2bba01f44b09b1936d24752baae288f24a32ed84687d3e7e0681b5387d01 |
C:\Users\Admin\AppData\Local\Temp\nsy8805.tmp\7z-out\resources.pak
| MD5 | 99c5bf0dcd43f961aa3e177f7dc42d42 |
| SHA1 | 5618abd2e7b45c50400bb4aa0c455bb0b28bc472 |
| SHA256 | 75ff04d991c2a203105525a1ccb200a461717ce7b86ada4be092fe903d95cdc8 |
| SHA512 | 2e508c46eb266301f42ee6a7d63494f3856b422df61d0b605096bf4fc4943239d3fba15161adf8cb1cdcfd3bea8608102a0abce636999cc2a9e01bda51cc77ae |
C:\Users\Admin\AppData\Local\Temp\nsy8805.tmp\7z-out\libGLESv2.dll
| MD5 | 8c93e19281992a00993fc0f09e272917 |
| SHA1 | 3a2d12bc85f829775ec8c5c1f8e35a783d37b7a7 |
| SHA256 | 1ebc1da8d7e463a5d3dc127a632989ef35cfbd94cb18bf1f8ee790f172d43703 |
| SHA512 | c4ec65378d83e6645c9128825853de2d3e82c0f430cd28fdc761eaf2d011267c3794b7c1dcef017750323873d7fe976656eebf9ed7c03582741d43738f3e0c7c |
C:\Users\Admin\AppData\Local\Temp\nsy8805.tmp\7z-out\icudtl.dat
| MD5 | 2e7d2f6c3eed51f5eca878a466a1ab4e |
| SHA1 | 759bd98d218d7e392819107fab2a8fd1cfc63ddf |
| SHA256 | b62b7240837172959299dc3be44fffa83dc374353154eca1612e1bde330aa8fa |
| SHA512 | 0f1465e8efe32b0eaba628a30bbb21254a05d80f4407a1434120a55fb928cf575b3879e1b7cf754cd19b23c262ae715fa84a8049073563cb38f1855be7db1124 |
C:\Users\Admin\AppData\Local\Temp\nsy8805.tmp\7z-out\vk_swiftshader.dll
| MD5 | 77f7b4f46cb3e06b53729fd1e562dfef |
| SHA1 | 223c09805220ff2b5c1dcbdd5c0396231ea34f11 |
| SHA256 | a648cd4671b12b469c4d2de20c2ba2429c9388c0f9d4b3d9d2244853d0e5acb5 |
| SHA512 | 6be9afda9320074c5842419cf8493d715ca65a3362d368d3a35e35a47d36f8197b0f19877485b41a06e21148613a77bb6275b0586c4a38da8a25efe6b5a6b571 |
C:\Users\Admin\AppData\Local\Temp\nsy8805.tmp\7z-out\vulkan-1.dll
| MD5 | 25afbdf6701013c57b19b92225920915 |
| SHA1 | 009300dd4ab3b81794388ce7d126ae90ff97535f |
| SHA256 | 22bb65dd206ce7ee10c05557933a04a04144e1a8228d2a9d1e9d704b0b1b2f7c |
| SHA512 | 575e38b60948cb704c355ba9cf3457f2693c30f95e85f10f795e759652bf4317e18ba480bee8aafcea9108415e8e58f674b22c7513a9fabee765142486919a0e |
C:\Users\Admin\AppData\Local\Temp\nsy8805.tmp\7z-out\vk_swiftshader_icd.json
| MD5 | 8642dd3a87e2de6e991fae08458e302b |
| SHA1 | 9c06735c31cec00600fd763a92f8112d085bd12a |
| SHA256 | 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9 |
| SHA512 | f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f |
C:\Users\Admin\AppData\Local\Temp\nsy8805.tmp\7z-out\locales\bg.pak
| MD5 | 5ed6adc6158f554e71bdac7dc9731b16 |
| SHA1 | 394c8396c566d2b92cef881c332624be812115fa |
| SHA256 | 0a3e79a6d270d212037ccb5a8730b7abfc45c6e9175dd7e17d997daed0985726 |
| SHA512 | 796f107698e82dfad9ec8d2ac1fc3f79b1f3a339a06eccd783dcd262ddb7399f8e3c093799f16640cf7a4488f1d2eb04ba6b7cb14ac9e9fcf87488cb8305b35d |
C:\Users\Admin\AppData\Local\Temp\nsy8805.tmp\7z-out\locales\da.pak
| MD5 | 22134b12d90fdc00f23a1e0a6fb04eec |
| SHA1 | 17c9fc2cacb6e5ccc393d1af9bdf3e8e63ecdaaa |
| SHA256 | 62020dd01b47b696e2e11d7f5598628c07782a96ea6bc013dc2ffe8c820b7c94 |
| SHA512 | 9cce6ffb2d84cedcc5ccf200080d6a2cab691468c042e8e48a5fdd809b5c0d067c322326e49d18f66da8e0b1d28adeda4cd03e12d7aa11350b72776737aa3427 |
C:\Users\Admin\AppData\Local\Temp\nsy8805.tmp\7z-out\locales\cs.pak
| MD5 | f125738776a9fb8dbf25311fa3dadbcf |
| SHA1 | 3448b58d4810e69f5c1eca4e1484308c3ceff502 |
| SHA256 | 5d5089718677f9a4e677dec72058c376a5829921cd523ecb919d0da7766d3cd4 |
| SHA512 | ca5300e5fb73ed4ee8c108e875c66ce7f105693f3ba78cb00f33218febfdb3ea27fe26f118dff3fb2e4af66f722f8348760cb576aba48887be25fdfae4991776 |
C:\Users\Admin\AppData\Local\Temp\nsy8805.tmp\7z-out\locales\ca.pak
| MD5 | 53e3fb38f84f60b98d23b337e4f03f92 |
| SHA1 | 42e435837dd36872d2a413518a299cd293ff8536 |
| SHA256 | b00bd41c1222b3ea078df5b92cec1946e41430be241d0d57dc9baa4c70c91f3a |
| SHA512 | 98d0328e7370b1fec9e15ad0cff9e1353686fc581e3df9a8896e3c2e62ced044c4c51ea63f35ec8b7eb3e7df5c83ef5157468979b7f20e85480597042c1ac192 |
C:\Users\Admin\AppData\Local\Temp\nsy8805.tmp\7z-out\locales\bn.pak
| MD5 | ee25e9cf28fdd35846d8a9b3c4220eed |
| SHA1 | 702342cc207ced1bb585195abcf263cbc4ea0069 |
| SHA256 | 9994b9832bce803bee8c48a8176653099df7768074e3c54d09a18593376466b9 |
| SHA512 | 2b703cd07bacc9f70e36844f148c980cb112a806b4ca11f692b9bbe6995fd5636eb9bdc84c5cfaf79790dbbb1ecf7cf2b61a7d6ff89311eb4907c586e20b7dbd |
C:\Users\Admin\AppData\Local\Temp\nsy8805.tmp\7z-out\locales\ar.pak
| MD5 | 3a8a7a08fedb148ebee6d3300356e37a |
| SHA1 | 2e9ac1ea8b6396b909f823486538d5640ddcaa1a |
| SHA256 | 43636fc76a2da6ab562c4c3bcc1a5d548a169dc0e884484fb7e4341814c44c78 |
| SHA512 | 7951829cc7aa385bb5f8078a7af7d4f0b49fa8c05eecb2808eac3fb0e8700c63f92db888ad64f526d992a14d54948a6807bf06f9fb688aecea40311eaacea181 |
C:\Users\Admin\AppData\Local\Temp\nsy8805.tmp\7z-out\locales\am.pak
| MD5 | ebe0e7e0c78fac281a3f0196da22cee9 |
| SHA1 | 689864d898905d43b8a70bdf37c5b339daaf48eb |
| SHA256 | 08d86a45ff0a4b21e74b06509c376ab0f907cae72a3e0cbf5c17fc275d10ac5d |
| SHA512 | 89b6603e5db8ad53ee5623c2c0f7e81194278dbdf5ed49c7480049006b20744fd4642743c2b4a264cafa87e7f787d6d6cbf26f12ff2b851333b3ba7541ebd933 |
C:\Users\Admin\AppData\Local\Temp\nsy8805.tmp\7z-out\locales\en-GB.pak
| MD5 | 074d3dd44706502de7c33e791794b23a |
| SHA1 | 564a73ffad9232052c692eb94f560d6b17227c47 |
| SHA256 | 9c3954a5ca2cf126370a1152e9281f41a7ca97c69293f556a2c79ea6729324ae |
| SHA512 | 6e1296d04b16534274fa438643ecee6e37d17ed935623f73d5a8f3510a194e0efda9ca60fac8d51d25763c4818050e23c306f9ee18284b8600610d14f7768d98 |
C:\Users\Admin\AppData\Local\Temp\nsy8805.tmp\7z-out\locales\fa.pak
| MD5 | e3f56d4b0fa2878ed6847631d3b05dea |
| SHA1 | 627f48d5423afcb3cade0789f058d60867419041 |
| SHA256 | 2ee67a38cce9ffae1a639be17c0ef7ed7c763d9c15c9621f300bf634e1f25a64 |
| SHA512 | e29c28717f31dc57c2294857680a439acec25478913ea425b0c7b6e50f3343b21fb7983c15352f9e3c001ffa0c8e500d92a1924acde32a4b5bf3f5b6c60c4142 |
C:\Users\Admin\AppData\Local\Temp\nsy8805.tmp\7z-out\locales\gu.pak
| MD5 | 57cf11b4352e59f11b20b7ab754af031 |
| SHA1 | ca1716d419f175a2dd548929fd551dcbd1ef4bd7 |
| SHA256 | 55588f211c26e1deb47b04d39728ec051b99334c55d30252b94df57d0fba2f52 |
| SHA512 | c74360769323b3267aa218e994f49c7e135d4f320365a349a5362c1755c4b660050a070bec6c5446d4620be97a341270b6c01289db20ddf5199ece23117110a4 |
C:\Users\Admin\AppData\Local\Temp\nsy8805.tmp\7z-out\locales\id.pak
| MD5 | b5e4e0092bd1063e8bd68d0b539ab005 |
| SHA1 | 5e3d12a6fb497687df81ed64de17b0502ea84f2a |
| SHA256 | 8d7ef1377d39fb6045c9d4b1bb064c329bd789ee33b6de530c187f1e713dd7f0 |
| SHA512 | 52b535a143bc13a03804cfda2d3f2f81f036b8d24897d1ef4a657ed290ba14e43d7cfe92c868cdef6b093b09b90119f7e50e8496eaf347c8e4fdfc13c5e306a2 |
C:\Users\Admin\AppData\Local\Temp\nsy8805.tmp\7z-out\locales\lt.pak
| MD5 | 02e9c88d9d5e58d135c9a92effcce38d |
| SHA1 | 92421a5fac68d506fa904075ea7cf39a3da8efc3 |
| SHA256 | 38ad40532287da53fcdb6076b9cdb841bbb4f30162681707295bcab448149e65 |
| SHA512 | f0897d62e81eb6e2c56cf1a5b5ad5124521c345f70cab841071c7b70b16130984700d694a32dfa010460244d8b520ba1b217ffd76f75c074b5b3a9ccda26b02b |
C:\Users\Admin\AppData\Local\Temp\nsy8805.tmp\7z-out\locales\pt-PT.pak
| MD5 | e9f8bc9fd1e845551fe3bb63c9149726 |
| SHA1 | 0bfbe46e8ffd62493c019e890a30ebc666838796 |
| SHA256 | 50cadb4da4e61fc335d145374511c34e5a0e40f9c26363614cd907cc7942a777 |
| SHA512 | 1d3761caadc3ac750c0a89c64db472bcb0764fc1c4b1108a9443fa71633ec7fdd945120a6f05e76221d9c58103cc9865b4857877d57d60b623f92a0235ed15fb |
C:\Users\Admin\AppData\Local\Temp\nsy8805.tmp\7z-out\locales\th.pak
| MD5 | 96212a5191b7062d1620388acf1d09cd |
| SHA1 | d3616b6c4649dcfa347df0473e64219ccd63e63a |
| SHA256 | fa5f97bf433df481a6257fa39ef8dcc7961c5d5a83008b02c9773836d7bfc96c |
| SHA512 | 5192c36317c3a50696796c7286f77b1a02b7a0f83abb16ff7d47ec94281b85ee2fb29b9ddff7c4ad8b28a2a757772bd2bc726b10c19658ab672966679d391508 |
C:\Users\Admin\AppData\Local\Temp\nsy8805.tmp\7z-out\locales\zh-TW.pak
| MD5 | 03ade5ba27cd3ae9bab6ab3a5cb721c2 |
| SHA1 | a747311a5f6c2e0e535efd52bc96f3c4d12d5c3f |
| SHA256 | 0c4abf7a66026068cd4f458d504cb04f3e04cf9fae45419ddc2d592f24899a2a |
| SHA512 | 33e122328773039595248a85dc0940841a1e273957ec9a4e175871b3ada48008b608ca6569b495275abb8e2a8844ee0c4d90b48af915a3f5a6aa44f3c37e51f3 |
C:\Users\Admin\AppData\Local\Temp\nsy8805.tmp\7z-out\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\screenCapture_1.3.2.bat
| MD5 | da0f40d84d72ae3e9324ad9a040a2e58 |
| SHA1 | 4ca7f6f90fb67dce8470b67010aa19aa0fd6253f |
| SHA256 | 818350a4fb4146072a25f0467c5c99571c854d58bec30330e7db343bceca008b |
| SHA512 | 30b7d4921f39c2601d94a3e3bb0e3be79b4b7b505e52523d2562f2e2f32154d555a593df87a71cddb61b98403265f42e0d6705950b37a155dc1d64113c719fd9 |
C:\Users\Admin\AppData\Local\Temp\nsy8805.tmp\StdUtils.dll
| MD5 | c6a6e03f77c313b267498515488c5740 |
| SHA1 | 3d49fc2784b9450962ed6b82b46e9c3c957d7c15 |
| SHA256 | b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e |
| SHA512 | 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803 |
C:\Users\Admin\AppData\Local\Temp\nsy8805.tmp\7z-out\swiftshader\libGLESv2.dll
| MD5 | 1e401ccda5b723ab8a595a54f7d2531c |
| SHA1 | 127716680dd16f776b19c2306d716935e54c5100 |
| SHA256 | c167a458174e2a280c39d7af31bd109e8e2921032a687097b584653adc33ab21 |
| SHA512 | 1f2f35021f338aa7c5a0ae83c196217fbca6b1d017ac1bb4f1eebb93bd6e18c5d74c1a14bd4899d7a91d054b0139b2c4fc3271c35148ad1d8b71139aff0132fc |
C:\Users\Admin\AppData\Local\Temp\nsy8805.tmp\7z-out\swiftshader\libEGL.dll
| MD5 | be1b6fe26a1b5a3e1302c26ce5ce53f3 |
| SHA1 | c3cac08e89c4cc91eae1cc87e33a1dea723f1d78 |
| SHA256 | 162abe61314e720384d8cdd43190a89df8a96de52f3ede7b6c58998f615d8546 |
| SHA512 | 07dca111391dfb6b7e90d4be02071bc625128eeca0b9d9a3cebdc7916baec9f95cbbf906f2533befd6b62b9bbc69488ffa720f8d40c9710dd3b7d540d9dcaa55 |
C:\Users\Admin\AppData\Local\Temp\nsy8805.tmp\7z-out\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\index.js
| MD5 | d226502c9bf2ae0a7f029bd7930be88e |
| SHA1 | 6be773fb30c7693b338f7c911b253e4f430c2f9b |
| SHA256 | 77a3965315946a325ddcf0709d927ba72aa47f889976cbccf567c76cc545159f |
| SHA512 | 93f3d885dad1540b1f721894209cb7f164f0f6f92857d713438e0ce685fc5ee1fc94eb27296462cdeede49b30af8bf089a1fc2a34f8577479645d556aaac2f8e |
C:\Users\Admin\AppData\Local\Temp\nsy8805.tmp\7z-out\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\app.manifest
| MD5 | 8951565428aa6644f1505edb592ab38f |
| SHA1 | 9c4bee78e7338f4f8b2c8b6c0e187f43cfe88bf2 |
| SHA256 | 8814db9e125d0c2b7489f8c7c3e95adf41f992d4397ed718bda8573cb8fb0e83 |
| SHA512 | 7577bad37b67bf13a0d7f9b8b7d6c077ecdfb81a5bee94e06dc99e84cb20db2d568f74d1bb2cef906470b4f6859e00214beacca7d82e2b99126d27820bf3b8f5 |
C:\Users\Admin\AppData\Local\Temp\nsy8805.tmp\7z-out\resources\elevate.exe
| MD5 | 792b92c8ad13c46f27c7ced0810694df |
| SHA1 | d8d449b92de20a57df722df46435ba4553ecc802 |
| SHA256 | 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37 |
| SHA512 | 6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40 |
C:\Users\Admin\AppData\Local\Temp\nsy8805.tmp\7z-out\resources\app.asar
| MD5 | 45521cfdc0f0979a1fde10a1bf163b64 |
| SHA1 | 4f736d4fc78020a8a8df6fba1de46c95ea0c50be |
| SHA256 | b2c42f78307d22cede05b010e4cffaaa70e9ee469c8279a3399a6f497d8cde24 |
| SHA512 | d8fe5278fadd3610cd379c352c2dfd6f16f01f3e3512c364dbebc8c9fddbc933203a5e424df65f6678243f8796bc0c5b509f1c648a11989c740a5dfbb52baf31 |
C:\Users\Admin\AppData\Local\Temp\nsy8805.tmp\7z-out\locales\zh-CN.pak
| MD5 | 20b6d54de42cf9c56f0a85fdc27d82e8 |
| SHA1 | cecb82b4afe8544876f443fcf578453358ab59a8 |
| SHA256 | 4140caf95939f116993ecd8bc5f7681991f96735d2397c9c7b4c66e3013eed24 |
| SHA512 | 646af407dfb85863f4555961f37f706c18b5c1e68b3111eda9f9b531ba2bb60cf67211ad634037b872156f0ddd04d50d68c49173a27a78ce59f75cbc2bb6c3bf |
C:\Users\Admin\AppData\Local\Temp\nsy8805.tmp\7z-out\locales\vi.pak
| MD5 | 98cb45f0555aee1985710196db17d72e |
| SHA1 | 1362238c253bc2a0e50c8dde6c95deb027fd6348 |
| SHA256 | 39a130557fea33a9c899f347fa3ed455e58bd51acc0b3b4586f76694b0f34646 |
| SHA512 | 93125310ade0c7029f0406aab291c35d2b7d1941f85bfd3d6071f85ff347c46e793a5ef164c08ebfcba252269a4aa84bf7a3b8779a36ee2f3da303411becc27d |
C:\Users\Admin\AppData\Local\Temp\nsy8805.tmp\7z-out\locales\uk.pak
| MD5 | 33f02db055c3f91148feee375acabfb7 |
| SHA1 | ca1dc284f41bc55cf35f94a4039008df9970d411 |
| SHA256 | 1968e9ed7722089330e7a8ae2c08f241aa106ed2be8948461439e6a92c330688 |
| SHA512 | ad16973e4103ced979276c6de175eb600241491ec9c441168e6375f68f8867d3f0eba422dd0ef6404208564015119f1e5e2500d5cf4ff2d8da45d713ed8c251d |
C:\Users\Admin\AppData\Local\Temp\nsy8805.tmp\7z-out\locales\tr.pak
| MD5 | 4e7c047364c7c4809242741b98b28092 |
| SHA1 | 4ff1b303476cb75d8190568c346e8cc2e452da14 |
| SHA256 | 6a25be43b786ab853f8081c53012be623543830cce5ccd246ec040d98f22b852 |
| SHA512 | 4624cec04114c15a72a804fa4966fe61303effe97039337273ed0dc99e8a6a685ca5cf5fa901a84c8b219d443f1a89e6e7cbe09eb21e7ecff662301067a6cefb |
C:\Users\Admin\AppData\Local\Temp\nsy8805.tmp\7z-out\locales\te.pak
| MD5 | 93edec428bdaa1f84f5c9478f440997a |
| SHA1 | e03f6bd50b0e0d888f9dfbdc87c98ff567e6a91a |
| SHA256 | a499f50e452ca02ea476fab8954e7ff58d2ee0c6263b8a4657b6ebddeecd2520 |
| SHA512 | ae34e29f1e8d23dacca66036e355b12ebb1117ec6e5e99413c792a0dc8b772eb63578b2406730b014fb4ffe32b05dfd9fab8adcf38ab3f5b9bfd0cf054ed09f7 |
C:\Users\Admin\AppData\Local\Temp\nsy8805.tmp\7z-out\locales\ta.pak
| MD5 | 8a1a245b43af1f174f262d8f53014d59 |
| SHA1 | 655045f5c71aa2589851a66d5387d4125bbce1ec |
| SHA256 | 85d8ef6fb5fdbd1d689aa6cdbbb768376b08b03ff39f7528a3804a3b4bd82af1 |
| SHA512 | d71b73fd2b5658acf5825f142130c49c278c801fd8beb5fb2039a3c209a1214a9cc00fb6896735fa4d020bc2279afca1577f35fb0a96a315631d46656d2055d3 |
C:\Users\Admin\AppData\Local\Temp\nsy8805.tmp\7z-out\locales\sw.pak
| MD5 | 70510abd3079bf26caf327989e810216 |
| SHA1 | ea640cb8b3c63d71d9b3a0d377fef5540b04fe81 |
| SHA256 | a11017a3e0e7f48338d4515ec9e79c1764387232a0d9a05fecc4b594bff40091 |
| SHA512 | ecbc97397557e27e66536a97ddf78a744c104b258d40d6f31972e6e5c6615699dd24eb02144ae0d3d53764da0f83a06f561ba95bbf08da4bf4a548b0e7f8c052 |
C:\Users\Admin\AppData\Local\Temp\nsy8805.tmp\7z-out\locales\sv.pak
| MD5 | 773fc8c89b093c40191fc233730188c1 |
| SHA1 | 28001794144bdb76f62044d57e2d52c8ae1635c6 |
| SHA256 | 6aab29795a36a0234c6d447fb1fdd9011da505c348b934346a27b6a2ddb92ff3 |
| SHA512 | f9bfd3e72955104b922c34352ec16d56939eea634b9abd549d4a3342dd72f8768c85bff59814e419aee6469f6521f4f71fcfe9b8a81c1824187ba818f6d6caac |
C:\Users\Admin\AppData\Local\Temp\nsy8805.tmp\7z-out\locales\sr.pak
| MD5 | f4041623ce5e06d2dea58d532edb120a |
| SHA1 | 2d7ee3ef60b39e3508427c7bc12e046d7bf5e928 |
| SHA256 | f2f80d7325d259811afea1e7648c42d3ef3eebfeddaec27ee2817f4e68ab541b |
| SHA512 | 18691f4cee3eeaa2305d1c978d803fdf757d9c4e87e88e36d7b1fff482cfddd820568b39a1108065f61dd2cf10d7219c27813aad4d64e71695ab91084ec3c694 |
C:\Users\Admin\AppData\Local\Temp\nsy8805.tmp\7z-out\locales\sl.pak
| MD5 | cfb094955a5a8f655ce8a598d5a89706 |
| SHA1 | 181ace68b0c3be132ab73302ba7f7c8750f9adae |
| SHA256 | 15489195e92cf11354a9a02895aad2ba8f17aecb676dd77942054a4f3f0fd623 |
| SHA512 | a31e131663072c1192a4146321db5f0f457d27e14afc8ae40a92a4f255df4cd5302774534fed5247e145c73739a709dd5852af35750f35ecbab0fd4c1a612e2f |
C:\Users\Admin\AppData\Local\Temp\nsy8805.tmp\7z-out\locales\sk.pak
| MD5 | befec33f564454253ad90d6cc06ecf62 |
| SHA1 | 1fa0e082c89f9aa397551421a35b7dfc941f5250 |
| SHA256 | 9db30eeac7f1814158283affa0af6451c6f7966896cd6d6df8eab14a37e58c9f |
| SHA512 | a581faf67311eb8d81b481d1e3348f579745331f87523650a4fc35ddbe6d5033e726feab0ca3911ef76a21aceabc3e2122d16333d1b7840a933b5231a9e2d157 |
C:\Users\Admin\AppData\Local\Temp\nsy8805.tmp\7z-out\locales\ru.pak
| MD5 | fd441a4b72397f5d76915ebcdef45aa1 |
| SHA1 | 94a0ab5704e7303c6ef1c2ee5be0b6f4a52d146e |
| SHA256 | df41fb92e4d682d47b5adf942600b4f23c1aa5274b31b844cd4c4b6f0ec86a86 |
| SHA512 | 5fab517ec0141bb67b4b5ac868100b770fc0b7773b94f977af9205294da9305a2079327a4ece1ff1d9a3b3c805c8d8676c2b0505bf190d1c57c4ed0c14a1cfdb |
C:\Users\Admin\AppData\Local\Temp\nsy8805.tmp\7z-out\locales\ro.pak
| MD5 | 4d1ed9e347de9351454d11132c06e916 |
| SHA1 | e3734d17a579ac423ec5fdc5829a211c7b76e049 |
| SHA256 | 57dc80c76c535c645893c9d3b4d0c4779aaa877445383abec79e32cf02c41276 |
| SHA512 | bd3d0841678879a24eb6f2f15c27bcb64a5d7ad171debbb51e7601a3898b830b1985b365363a01d22967969d4d4ddf89a130a5a33ff6a94cef6410b0e89f1849 |
C:\Users\Admin\AppData\Local\Temp\nsy8805.tmp\7z-out\locales\pt-BR.pak
| MD5 | 3b70cbf1aa47436b78a5e8c7672ce775 |
| SHA1 | ff9f2820e5782f9eae0ea1d5ede61665fa62cc06 |
| SHA256 | 8b4a8a3b8741610c279283a6cb843cb274223f720edac1c73296340b02569fbe |
| SHA512 | 41e3b3264d8034edf9ee1ab696ca4612ee6ef4e8537b4598805362c4a250f81274425cfa2c9c62330fed73a683e6d3b2ff537b51d869d7da19c4422728da7c0a |
C:\Users\Admin\AppData\Local\Temp\nsy8805.tmp\7z-out\locales\pl.pak
| MD5 | 41fd7c76e30b333027e86e20a65283a8 |
| SHA1 | 81afebdfd62255d0b0ca508141dcd7b67982f4c1 |
| SHA256 | 5de95dc2236f896e66debfe2cc7553a5bfeaa7ffea2820fe1f2f67368af84f7e |
| SHA512 | c59132dc329ee72fa8e9e9c653da597b5fa40a6eb0a7988cf62b1bdaa646a9f09f504219bfbc5af394a12c9ab6050a39740460a3e5c3ed0946b556c33f608219 |
C:\Users\Admin\AppData\Local\Temp\nsy8805.tmp\7z-out\locales\nl.pak
| MD5 | a17bff141aec095625d0420c7a609b08 |
| SHA1 | edf3746b20ff9e3bdbf09b195e7781da1f799a91 |
| SHA256 | 7482c28c2a42a94615118b6b8cc7d002415923ca104ef86a95a4ad05c8db36b9 |
| SHA512 | 903c50c39160e40920bdcce0dc337e83b03bba00481f82ebc8ac1cf6927ebfaa75b1f9791038a71632c5e79bf7331bbf7468cc626e303929801c08f54d092c8b |
C:\Users\Admin\AppData\Local\Temp\nsy8805.tmp\7z-out\locales\nb.pak
| MD5 | e5546ac3407546d6b786e24c7bc21ab1 |
| SHA1 | 7a9e44a525ae005d0b41020c403c4e1e49d237b7 |
| SHA256 | 751521cbf27777bc99f2039b987686f921cb27e02c959f6cbeb976799e45066e |
| SHA512 | becf51540db5a0893e6f44d588be98142bab5c2a0f37c0212348e3cf39da52def2fd104c039229b52767a9345890f5768ed897b4bde5c6feccd75036d8b4f363 |
C:\Users\Admin\AppData\Local\Temp\nsy8805.tmp\7z-out\locales\ms.pak
| MD5 | 0bb952597b170dd4dd76e9d9d546ac3d |
| SHA1 | 101aafdf6a4ac0cdba7bd88538e7ac395e715e3e |
| SHA256 | f6721ce0d4d601ffeff011d652a9bf2518386cd8c1d2317763e37512451534ff |
| SHA512 | 46c9b63273d6ea30ee63ff230d6b5600018ae54032e04a6707f5873ebd383d0d59645f8d0b44b8ce9a4d40d5acd3453b618b9c4fd3c1b958adb5aefba3465464 |
C:\Users\Admin\AppData\Local\Temp\nsy8805.tmp\7z-out\locales\mr.pak
| MD5 | fd3452d812a6129b8b6db620423adca0 |
| SHA1 | 9bfe47a0e9f1843c90875f28d8873d592098024c |
| SHA256 | c9704a3e528092ef676be4a653cb14b906e7c32424d59c8e4f22981014bd9111 |
| SHA512 | 7ec30343e985f7bdc6a64fc13d50bfe58ae098b03e18afeaeb4c89073059698cdf40477f2323a52c5e8f07f37b28608c54734501d14ad6ae0c9a0f2f4ab0e689 |
C:\Users\Admin\AppData\Local\Temp\nsy8805.tmp\7z-out\locales\ml.pak
| MD5 | 21aee42070f9eace2a8e14759526f05f |
| SHA1 | fedd83251a3fdb1846bf0e7e49a3a78cd77fae02 |
| SHA256 | 393d2dcd5c7c33945626fcf10ea4457649fa7b4c100c039898385133c26395cc |
| SHA512 | 60cc85a5a638d370710680bd39a6946d04660a0856bde49190fbc0002acf91617cfc3f3087a37cf592c047550ed2c5b73c2a769fbdffcacf4ad3ffa129c929e3 |
C:\Users\Admin\AppData\Local\Temp\nsy8805.tmp\7z-out\locales\lv.pak
| MD5 | 7313fab584b7561b1fa63de07b972118 |
| SHA1 | 3a44d445f57a78867d37638a80ab39add3fcaa4a |
| SHA256 | 7b92238240c31c197029d41fdffc244f68caeb8002854f65ee3125bd95643598 |
| SHA512 | 05b067847a63c0419298616278678ade6a4fec4008323121ace5a09e22f6dae409494474f5a88adc703833691a7d4810546d012d4311e176fe58812f166b8ae3 |
C:\Users\Admin\AppData\Local\Temp\nsy8805.tmp\7z-out\locales\ko.pak
| MD5 | f21c6033fa73bc7d3358c2467c9048d2 |
| SHA1 | 939f209f00e6664294872e0dc3b33a9015a2f1fb |
| SHA256 | d19cfa8ae07f23b81c0d40d7e751628844fc1aafb83d4bb4dcbe71caecf6ea2e |
| SHA512 | a4a4909ca56d3d924639cf1adab6d9ee512132c99c8e3dd37f2b949a1c816ab29ce81c01c658022e680344516201fdb0440abb97e577e6946e2731411674566d |
C:\Users\Admin\AppData\Local\Temp\nsy8805.tmp\7z-out\locales\kn.pak
| MD5 | 90107e2353e707a6d071c9aabb5adefa |
| SHA1 | e4dfe445ca7830b3a56af38af1d73e3cb94abc73 |
| SHA256 | 9155b06ccaefbea6461f5c51e25ce25d85ca7bd557e76dae00a4d6a09a4bc424 |
| SHA512 | dead3b94638afbf4ef27e1cb5283ad2d0af73ab8996e7d2e8202ad174796121799992f577c974fc0ec53fe2b8f6fb4d37c3bef70b72c29b5b721377a0cf3b093 |
C:\Users\Admin\AppData\Local\Temp\nsy8805.tmp\7z-out\locales\ja.pak
| MD5 | e720738027460b044429705f7ea1d25c |
| SHA1 | 851b59efad4ae074849fe41f40a56c5534caaf72 |
| SHA256 | c78fde77efbca1b3cc0cd12bda718d1a113bf6b6f3ed558b5c9a452dc974edfa |
| SHA512 | 08b0fd0ceff7ddfed26985bf84b54d75cead1f6fd4d5971da9e40996af6dc5fe9455c402f62e758020a6ccdb1ee0213cc2a5ddfa28a2bfb1e8064c6a4401c3a2 |
C:\Users\Admin\AppData\Local\Temp\nsy8805.tmp\7z-out\locales\it.pak
| MD5 | a2b9cce245e754258ea187ceb3aa2670 |
| SHA1 | 50f84fbcabea10385714a3c3a2483247ac040c02 |
| SHA256 | b72f89e5d2cacbd2db7ce28ceae35faab8c4199ec993fea64e8c78df882032d0 |
| SHA512 | 5e9cca2605d4a86d4f2b39845c8396c37f88b6f1d08c8f0e2b6f0896d60754331a588d0c0fc59e9ad8fccf0d50100a2307fff2d9df784f91537b1d9e108727ad |
C:\Users\Admin\AppData\Local\Temp\nsy8805.tmp\7z-out\locales\hu.pak
| MD5 | ae13d7ddfeb82df9950c71a4ea0bd10f |
| SHA1 | 7b55315628060668f444b110031b1fc4715bda11 |
| SHA256 | 17758e2bc746f6d770fca8969ed0aa2d00658d68792d2e8bae94d7b58665d83f |
| SHA512 | f94247fecc4fda5bdbe9732f151cdffed337eee01f59aaab6e6452c570a549dfb87c0528484c1879a04af134ac883a21043c582d0a642e185e4e64e3aff830be |
C:\Users\Admin\AppData\Local\Temp\nsy8805.tmp\7z-out\locales\hr.pak
| MD5 | feea1754a955eb61cd41763be4e5ae2e |
| SHA1 | bb6252fec9ada8bf9ed7b81f59843d5abfcac80d |
| SHA256 | 787680ecb5d5ece246894481834b30145919c22b04d2dcad2f6ea2b2254abafb |
| SHA512 | 3d24c9ccb83f6ecf976df5cf00fdb0b46d53f09c1cb08ab68bb8d9944452785f40a761a152605708d7672f7dcb24e0b7cad1cfc14b267bf5fc1393cfd05ae4d0 |
C:\Users\Admin\AppData\Local\Temp\nsy8805.tmp\7z-out\locales\hi.pak
| MD5 | 34bcb12c154075510d9d3066ad4a8d1f |
| SHA1 | 6a3c062221db4f391f8505892f584647b05a410a |
| SHA256 | 83c6c411d75ec5c5de6984b21fdecb07c9b926c66b67c5c99380605f6fdd8928 |
| SHA512 | aba38e4a8039bbdc46b510a8370c82d3b199b4a02da7751c162c941e6d893a9cdfc0ce92db4144ecc2b2644d58b0bc6cc7cceb0533c62c131cc55be0258c3a7f |
C:\Users\Admin\AppData\Local\Temp\nsy8805.tmp\7z-out\locales\he.pak
| MD5 | 6010987755f300c7984dd3f72f518ab2 |
| SHA1 | eb85f0849a86aa5fb585efaa070d2d7300b197a3 |
| SHA256 | 1c84a575e28e9a72335ed13409d6861995bd9859fd57a4d9509fe912db4a56a9 |
| SHA512 | 4b77f74d986c16524a3a6c7f60cdbe53ac5be59418737835a7fa186e4b6ee853cce8317cce352fe4064c75a7d27bf1303d76eabc53993ff1e4b7758a8ccc6228 |
C:\Users\Admin\AppData\Local\Temp\nsy8805.tmp\7z-out\locales\fr.pak
| MD5 | e609419893f1d885a2f17f94805a441c |
| SHA1 | 31083ac114fa4077a7da7c796ab3744873fb893f |
| SHA256 | 8d71c36d04f2d6062458aa2614f7ce223b2ee9b4665556803f764f384b191091 |
| SHA512 | 77f965f436a009a5aacebed3cc15adde5a1054e1c699b8a50b947a7e78a97cf43317d50b0ab7a42532c77d320b7393007e47199f31c58f7acb6f462f98fdd4c4 |
C:\Users\Admin\AppData\Local\Temp\nsy8805.tmp\7z-out\locales\fil.pak
| MD5 | 693abd21a6855aeaa31f6c738c6b6fc9 |
| SHA1 | bb1fa375a9f0c682d9913b1c1610535eb2b4028d |
| SHA256 | f0bb231c710c025ad4643e2128867de6e111da867384082e7dc2d0769976b6ce |
| SHA512 | 03c68c45e3144a73251d950a8c7695e5b9c2c66711134016543ac07ee6eded723324d5312fad4624d35d0bfe9861ca4b7440d2445e6d3d6cff4a1a3cd5263c98 |
C:\Users\Admin\AppData\Local\Temp\nsy8805.tmp\7z-out\locales\fi.pak
| MD5 | 4f323a2eb73ccd029e742cee4dfa9769 |
| SHA1 | b860372d21cc55eb7ddbbf9f5bac61fed39426de |
| SHA256 | e1888472c8e1330e70e514d0a1936749a7e5d39f67e7edc818661c2cbf3e301a |
| SHA512 | d07d0f74736cd32d73b3a33867e65a25b727b5c30cb743162908e23d958fb3ae97285f600a9ef8196e61be9d450da5903d1e468fceb3b05ced93aa600387fddb |
C:\Users\Admin\AppData\Local\Temp\nsy8805.tmp\7z-out\locales\et.pak
| MD5 | fcdea2954549e5d8f1e7a5de36ae4f74 |
| SHA1 | 41dcdcefbbab3e0e908d98ec9b6bac7eacecbb99 |
| SHA256 | d875bca2e8800657306727902f4f5fceec7415ea530bfa780ece0f016f792569 |
| SHA512 | 37ea008078083a36b07b1f5d0ca6e16f62b06a19266d8042efc796bf33c53200f37d3a37f5b48d024dbfab9e6689ec9c3f22d6e37e3898fa7deb61ace1fb2df3 |
C:\Users\Admin\AppData\Local\Temp\nsy8805.tmp\7z-out\locales\es.pak
| MD5 | 39288ea031009bb9db582cbd93c7d534 |
| SHA1 | 467f76d33e39526a4d8cb6068eaf8e2791b3a9ee |
| SHA256 | 6cd39669df96b4b5b9047f7689338d3beb9ad7f8be2fddc595ef1ecbc47481c2 |
| SHA512 | 4a635e969cf2b09aab5f8723a3380c5e226bf0546019506d18de65c1e4a599d268b9ee2e03a65b245075f899a09697b7b535f1055c19344a411100c8f29d93b2 |
C:\Users\Admin\AppData\Local\Temp\nsy8805.tmp\7z-out\locales\es-419.pak
| MD5 | cadd9ec43e823609c4bbdc418da6009a |
| SHA1 | 91bdd44d5972a4763227ee7c127fe122aefe195f |
| SHA256 | 6c8d074047d57a79cf5cadf9caa6e9a64bce0895743a3dd89ed1350cc91c1e4c |
| SHA512 | 2b9eae4072e46024e33f000b1df1a64246f70498a557f4a03234d3dd47aadb04883b98ebf48eec21f0d6ca4c8a62065f675fdb352be680a56644ea3ae1db93a5 |
C:\Users\Admin\AppData\Local\Temp\nsy8805.tmp\7z-out\locales\en-US.pak
| MD5 | 0dcd84e9e50a3e0819d5875ea889ced4 |
| SHA1 | 7c47f6e4e0cafec3a13c07d689d1dd6ff6516b1e |
| SHA256 | 699b6d7f05a484e76d3e1197a656247863e570f03cc02634c9dc42078a5c5007 |
| SHA512 | 153fc15f676d78d5d0f3a6862fc7eaa60c2a659c25ce87485f0253c321d9407a9b799b959104c27a8e7b5487f0de926ae8f375e2c3d313329112e48f2d001a17 |
C:\Users\Admin\AppData\Local\Temp\nsy8805.tmp\7z-out\locales\el.pak
| MD5 | db449f218a705453eb10b5f418e28d7b |
| SHA1 | 7bc8fcc59c532bb086a7f081cd8d275a89dac835 |
| SHA256 | 73da35d01b91707846775bea7dc0331fc1caebd5c63d101aa8bb8bb58ca7f193 |
| SHA512 | 7dce45bc723d62498b335be0ab72dfc91c44c01f96f25c2314e9245a0eab28a92dcaa730b11f108b604545592445ed1612721416f60ae3bf55b1bd438bd04f78 |
C:\Users\Admin\AppData\Local\Temp\nsy8805.tmp\7z-out\locales\de.pak
| MD5 | fceb00caf7e76e688007665feae99e83 |
| SHA1 | 06fece84cf7028b3871f144258b8d084faf8745b |
| SHA256 | 80e63ef1950b8438813271365a7b6a3f3aba0bacc179f5675654249f31c06a3c |
| SHA512 | 08c14eb299a035949e6b64a069cadee66c420b7d66bb00d65d6a1a08fbee08a57ab08f8e77c44387f0fe02b47aeb0bf2709a1979025613cb51af4ab82fc3b6d5 |
\Users\Admin\AppData\Local\Temp\5fe33dde-7052-4552-a6fe-aae826de86e9.tmp.node
| MD5 | e4c111d47eb54b62dab8cb12540b9e39 |
| SHA1 | 09be3e7d9eec1853dc628c8c3b90e7b670921029 |
| SHA256 | a05338fe1e0eb08230717ad2f3587a5c1cb4bd10a673c40a3059f70ae0e7e6b1 |
| SHA512 | f9ec1e62c08425382b48320d2fb1a7fa412dea84825cc49b0297d5c6cfdcb80f32c54de28ac59e7a4c7557ae9900a8d3860fc7d23e486bcc28e603787d9f0f79 |
\Users\Admin\AppData\Local\Temp\ea0706df-81af-4dca-9d43-b1af6ad3590b.tmp.node
| MD5 | f1e751eb4dbfa4a1b5f4903315fc535a |
| SHA1 | 85e1166819678f839954c473d7eb363a99e24a96 |
| SHA256 | b8c24de2fa870ceb677f30da0eabdf20745d0a9ebed98f49c52d881383c75096 |
| SHA512 | 2349745a84bc2b2f9c2b96999d48e37242a6c3627d7898cd9a36e682e36ec12553713db7167b3a9cd20ec308ce11d84f09f06beb3e971823d8b4a959f457b182 |
memory/2032-574-0x0000000000060000-0x0000000000061000-memory.dmp
memory/1224-583-0x00000000024A0000-0x00000000024A1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2etPjvlaTb83Ft04XhkAGWkFvCm\Ghostbane.exe
| MD5 | 3fc964bb39d16ff85190cbcfe680c43a |
| SHA1 | 30b497b30adeea4b24a183a1885e74345adbc38c |
| SHA256 | cffdb15111bc599efb9cd8f3f63603778d85f1055c138b2d7934c68d83bd55e8 |
| SHA512 | fda150f2076be1fd4f8f2a252c2c74e4f8001cdcb5add15e68cc3d265c95c7e0f92da84f47020bd095008ae520450b8846282d1c67033fe5322b3c4ce2e7759a |
C:\Users\Admin\AppData\Local\Temp\2etPjvlaTb83Ft04XhkAGWkFvCm\Ghostbane.exe
| MD5 | 836ff19766302a040fff84b8ca20b27a |
| SHA1 | acce2c93b734af8136ce1923c482430030ea9cdd |
| SHA256 | 511fe68740ac554d1b8dc0e9bd5e8c3aa982bce27d8b92a8413cb5b24b7a8cfd |
| SHA512 | 25ff98ae7534afa0096028b1cc12ab30f41eab5564d8c89b4fa2db06164099ac3ed92176c200e957fbd7088d7ce623c46a8338a41ad495f4c96edd6caa03a61f |
memory/2032-630-0x0000000077A80000-0x0000000077A81000-memory.dmp
\Users\Admin\AppData\Local\Temp\2etPjvlaTb83Ft04XhkAGWkFvCm\Ghostbane.exe
| MD5 | 25d66a047b22eeceff8ce4c5ec50be17 |
| SHA1 | fb287cb259ebe1c725b8f426170f2aaed7f39412 |
| SHA256 | 4bdfff5b5639fec8193e70e76aedb69741dd3919aed31ff1ac5502550871a823 |
| SHA512 | 37254aa22ef73f008be4adc37f8a027d2aef3b07ad687a6934c0985327b9b4a0774fece55181ff4973e3246f44f4bdd305e3b7f4ef856ac9301f489a2eea67d8 |
C:\Users\Admin\AppData\Local\Temp\2etPjvlaTb83Ft04XhkAGWkFvCm\Ghostbane.exe
| MD5 | 2eccffe696b8ef04a51a441bada5ef70 |
| SHA1 | 25599f964a82be72bf99927d6599e5e81d9a7361 |
| SHA256 | f8a80f65f75089d61e0b95428c122897746f8dd13c06aaf05add6628d72a97dc |
| SHA512 | 16629297afca7d34c26898b03f734c24015e2560f2b583164adbbf4b5981928037b9b7ac93bfed8d071b389a1a2f181c4d7bbe5aae7b53692e8ec3a53ca72c4c |
\Users\Admin\AppData\Local\Temp\d6a806bf-0e60-41d8-8479-3b89059ebc7a.tmp.node
| MD5 | d4e6004197508892d18fc47645b25f62 |
| SHA1 | 1afceda2531e593c00de7ab994f928a150de5b4d |
| SHA256 | dc29d32decbd161ea4ff1e645d3fdf7a1ce3db0ee25e5485bc19fc775922b71c |
| SHA512 | 0be017eaba3764eb9f38e78248528a9e025958e713a8eb4a8f9b03d087267e107ceef8525a4ecfcbb684b077145fb0161e5dbe05f9fd95f8f94a140fe3ceb8a4 |
C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\Credit Cards\All Credit Cards.txt
| MD5 | dec2be4f1ec3592cea668aa279e7cc9b |
| SHA1 | 327cf8ab0c895e10674e00ea7f437784bb11d718 |
| SHA256 | 753b99d2b4e8c58bfd10995d0c2c19255fe9c8f53703bb27d1b6f76f1f4e83cc |
| SHA512 | 81728e3d31b72905b3a09c79d1e307c4e8e79d436fcfe7560a8046b46ca4ae994fdfaeb1bc2328e35f418b8128f2e7239289e84350e142146df9cde86b20bb66 |
\Users\Admin\AppData\Local\Temp\2etPjvlaTb83Ft04XhkAGWkFvCm\Ghostbane.exe
| MD5 | fa55effd648e985b30c3ff87d9bd086a |
| SHA1 | 32bd6e1ef3cb4173845c15792975a4c672a74437 |
| SHA256 | 99dff1002104eda741cfd8d73dcdc4b97820c742f5194d78c6bb67577bd03083 |
| SHA512 | 0739c6a6a408aeb5f04ac9230592e5f544f432c79ca5025062a0e1cd40c1f085995b73ee39f61408917651bf8e93320d64bf5a1806cec127e5a3e3e125cd5f98 |
C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\AutoFill Data\All Autofill Data.txt
| MD5 | 810ae82f863a5ffae14d3b3944252a4e |
| SHA1 | 5393e27113753191436b14f0cafa8acabcfe6b2a |
| SHA256 | 453478914b72d9056472fb1e44c69606c62331452f47a1f3c02190f26501785c |
| SHA512 | 2421a397dd2ebb17947167addacd3117f666ddab388e3678168075f58dc8eee15bb49a4aac2290140ae5102924852d27b538740a859d0b35245f505b20f29112 |
C:\Users\Admin\AppData\Local\Temp\2etPjvlaTb83Ft04XhkAGWkFvCm\Ghostbane.exe
| MD5 | db8964e0085d8cb55c76c2c44aee95bf |
| SHA1 | 81a2f571bb9fc6be49e15ca5d5b93533d20cdd4b |
| SHA256 | 42e3d0e3f69acef5ec4f007653b81d6202fd785b3a0dd297e871ec594f8022ce |
| SHA512 | a11263bf2a3bb17fd81b50d469c8d1f284088b357bf422b5f5bbea11057bdf07275ead8df907ff0c96bdaced42c6e8a3ee477123c2c9dd2e01034ed9d4e322dc |
\Users\Admin\AppData\Local\Temp\2etPjvlaTb83Ft04XhkAGWkFvCm\Ghostbane.exe
| MD5 | ba6cbc53ae600046ad0d969962639bd1 |
| SHA1 | dceb6b1de28e98b8c7a11ce65f7051ab47801aa6 |
| SHA256 | c5fdbd525b79377f9fc391ec2be96b47ae7e217220a6d5de185a5ce823cf9dd8 |
| SHA512 | dcdf90c4f2294bc9b280154aa5bc64919baf3942d86c11f6fc644092e5f156d6907e69b5eac356a1f2e8331e5c6245c346856f874f21122871f1bf6829a04d5e |
C:\Users\Admin\AppData\Local\Temp\screenCapture\CSC31692DA2AD5A4CBB8438FC74E28025D5.TMP
| MD5 | a6f2d21624678f54a2abed46e9f3ab17 |
| SHA1 | a2a6f07684c79719007d434cbd1cd2164565734a |
| SHA256 | ab96911d094b6070cbfb48e07407371ddb41b86e36628b6a10cdb11478192344 |
| SHA512 | 0b286df41c3887eecff5c38cbd6818078313b555ef001151b41ac11b80466b2f4f39da518ab9c51eeff35295cb39d52824de13e026c35270917d7274f764c676 |
Analysis: behavioral7
Detonation Overview
Submitted
2024-04-12 01:26
Reported
2024-04-12 01:31
Platform
win7-20240221-en
Max time kernel
139s
Max time network
165s
Command Line
Signatures
Epsilon Stealer
Detects executables referencing combination of virtualization drivers
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates VirtualBox registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest | C:\Users\Admin\AppData\Local\Temp\Ghostbane.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse | C:\Users\Admin\AppData\Local\Temp\Ghostbane.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService | C:\Users\Admin\AppData\Local\Temp\Ghostbane.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF | C:\Users\Admin\AppData\Local\Temp\Ghostbane.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo | C:\Users\Admin\AppData\Local\Temp\Ghostbane.exe | N/A |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Ghostbane.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Ghostbane.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Ghostbane.exe | N/A |
Looks for VirtualBox Guest Additions in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | C:\Users\Admin\AppData\Local\Temp\Ghostbane.exe | N/A |
Looks for VMWare Tools registry key
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools | C:\Users\Admin\AppData\Local\Temp\Ghostbane.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Ghostbane.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Ghostbane.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\Ghostbane.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Ghostbane.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Ghostbane.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\SOFTWARE\Wine | C:\Users\Admin\AppData\Local\Temp\Ghostbane.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ghostbane.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ghostbane.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ghostbane.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdater = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\0\\WindowsUpdater.exe" | C:\Windows\system32\reg.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\Ghostbane.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ghostbane.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ghostbane.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ghostbane.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ghostbane.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Ghostbane.exe
"C:\Users\Admin\AppData\Local\Temp\Ghostbane.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic CsProduct Get UUID"
C:\Windows\System32\Wbem\WMIC.exe
wmic CsProduct Get UUID
C:\Users\Admin\AppData\Local\Temp\Ghostbane.exe
"C:\Users\Admin\AppData\Local\Temp\Ghostbane.exe" --type=gpu-process --field-trial-handle=996,18223505519922659402,161612540894844819,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --user-data-dir="C:\Users\Admin\AppData\Roaming\Ghostbane" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAANAAAAEAAAAAAAAAABAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1036 /prefetch:2
C:\Users\Admin\AppData\Local\Temp\Ghostbane.exe
"C:\Users\Admin\AppData\Local\Temp\Ghostbane.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=996,18223505519922659402,161612540894844819,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Ghostbane" --mojo-platform-channel-handle=1288 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\Ghostbane.exe
"C:\Users\Admin\AppData\Local\Temp\Ghostbane.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Ghostbane" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --field-trial-handle=996,18223505519922659402,161612540894844819,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1572 /prefetch:1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"
C:\Windows\System32\Wbem\WMIC.exe
wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "cmd /c chcp 65001>nul && netsh wlan show profiles"
C:\Windows\system32\cmd.exe
cmd /c chcp 65001
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Users\Admin\AppData\Local\Temp\Ghostbane.exe
"C:\Users\Admin\AppData\Local\Temp\Ghostbane.exe" --type=gpu-process --field-trial-handle=996,18223505519922659402,161612540894844819,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --user-data-dir="C:\Users\Admin\AppData\Roaming\Ghostbane" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAANAAAAEAAAAAAAAAABAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1204 /prefetch:2
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1n0gd4e.aeudj.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsUpdater /t REG_SZ /d C:\Users\Admin\AppData\Local\Microsoft\Windows\0\WindowsUpdater.exe /f"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsUpdater /t REG_SZ /d C:\Users\Admin\AppData\Local\Microsoft\Windows\0\WindowsUpdater.exe /f
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-rsy1pl.22ojk.jpg" "
C:\Users\Admin\AppData\Local\Temp\Ghostbane.exe
"C:\Users\Admin\AppData\Local\Temp\Ghostbane.exe" --type=gpu-process --field-trial-handle=996,18223505519922659402,161612540894844819,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --user-data-dir="C:\Users\Admin\AppData\Roaming\Ghostbane" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAANAAAAEAAAAAAAAAABAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=2408 /prefetch:2
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1aj8lkf.ciroi.jpg" "
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-rcxxs3.6z7o.jpg" "
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Users\Admin\AppData\Local\Temp\Ghostbane.exe
"C:\Users\Admin\AppData\Local\Temp\Ghostbane.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=996,18223505519922659402,161612540894844819,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=audio --user-data-dir="C:\Users\Admin\AppData\Roaming\Ghostbane" --mojo-platform-channel-handle=1700 /prefetch:8
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-d19vbs.ohle9.jpg" "
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1ds5kan.350bl.jpg" "
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1gr84zs.efspe.jpg" "
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-pjleoz.p9evq.jpg" "
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1h9drcs.k17y.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-vb2qsn.dy3bj.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-130p6rs.0dv5.jpg" "
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1b60a0c.35plf.jpg" "
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1oj11q7.xz4c.jpg" "
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1rf8vn3.loblf.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-njqp5h.utgc.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-tqry5z.y2na.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-5q1lcn.lllnu.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1dsb4ii.z2rjf.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-gxt1rq.iqv1o.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1dan43k.kaca.jpg" "
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBA1B.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSC24D5593AAC79419B96AF27D183D0F028.TMP"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1y5pof5.zbb9j.jpg" "
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC774.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSC59DFE27AB1704E24A55C2756F512C2A3.TMP"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-3hsadg.stu3g.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1d9x30k.ppft.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1uje1ly.mabtl.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-fybxlb.b8ivb.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1ksdpv9.7por.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1v5u2a8.pdpi.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-ejsgly.nwzo5.jpg" "
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC775.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSC6C984D123C634A0E8C9E1264E93EB86A.TMP"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC776.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSC5D6F7217FD204877865DA758E4B1085.TMP"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1qrts1.fgl1l.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-qe3u1n.awr2.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-jdyc9u.f2es.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-156v1nm.kbiq.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1mvjq4s.7dd5.jpg" "
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC777.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSCDB4AEAB85A39417F9856A0DEC46B1E3A.TMP"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1dedsyt.mezk.jpg" "
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC778.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSC526CEC1745AE4811854ADA77AAD04D.TMP"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC779.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSC69E4253FABE48DCA9D9C311EDD49B16.TMP"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1orqe7v.hmrx.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1r8rfh2.rjl4.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-10dnlh4.xesh.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1glw2ij.ton4h.jpg" "
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF19F.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSC42ED0218B3148EBAF15CC67B1BAAACF.TMP"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF3B2.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSC7440698BDAED4151B2559583AFE63F.TMP"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF788.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSCBF8F1A46FC5E488791D81FB8C1DBEF8.TMP"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF789.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSCBB227794F6AD44819F18719EF3F979C1.TMP"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF3A2.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSC959BD40BB764DA7B3A9113584DAFDB4.TMP"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-8ze3i6.t2tb.jpg" "
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF45D.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSC6CD4A23C615E41AA86E13F793B0CBE.TMP"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1behqi7.cumng.jpg" "
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1aecnks.44j5.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1dfuirk.id19.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-7rg6ji.v9wyl.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-pq66ej.v6v0j.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1cvnw8f.u72v.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-29z0sq.aqh5q.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-d19vbs.ohle9.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-3c910p.6ifdv.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1rvcczp.3jt2.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-ybci04.5teoi.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-4sgfmi.qmoe5.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1mclab6.ab5ij.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-759k8m.kjjbe.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-r43y39.e5ci.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-qh279r.4jiv.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-r3ike7.xriac.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1agenn8.crlx.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-b1w6gz.4w75k.jpg" "
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1FEF.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSC638607BCE9704B018D67E4277F32BBCB.TMP"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES21F2.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSCAADD3AD76B8E45E088ED5CDDEF185E3.TMP"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES22EC.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSCE2A9E164B7B84E7EB75C18B1227DE257.TMP"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1hzkqkl.c9e3l.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-12exom7.f1kj.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1kclv60.x9eg.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-10dnlh4.xesh.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1orqe7v.hmrx.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-29lwur.m2hjq.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1glw2ij.ton4h.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1r8rfh2.rjl4.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1aecnks.44j5.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1cvnw8f.u72v.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-29z0sq.aqh5q.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-pq66ej.v6v0j.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-7rg6ji.v9wyl.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1dfuirk.id19.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-3hsadg.stu3g.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1d9x30k.ppft.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1uje1ly.mabtl.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1qrts1.fgl1l.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1ksdpv9.7por.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-fybxlb.b8ivb.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1v5u2a8.pdpi.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-156v1nm.kbiq.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-jdyc9u.f2es.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1mvjq4s.7dd5.jpg"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2C1F.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSCC30787F04164CCB9D611AC55A59320.TMP"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2B54.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSC23C0CFF4B2D745DA8FEB45CE2FB9B0.TMP"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-ybci04.5teoi.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1rvcczp.3jt2.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-4sgfmi.qmoe5.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-3c910p.6ifdv.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1behqi7.cumng.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-8ze3i6.t2tb.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-qe3u1n.awr2.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1mclab6.ab5ij.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-ejsgly.nwzo5.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-759k8m.kjjbe.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1kclv60.x9eg.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-29lwur.m2hjq.jpg"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2D86.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSC1E03C699AFB147608C7AFF505862DF55.TMP"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-e33gmc.y3yvr.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-wyupi1.hkins.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-r3ike7.xriac.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1agenn8.crlx.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-b1w6gz.4w75k.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-12exom7.f1kj.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-gq6p69.q1c5c.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-r43y39.e5ci.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1hzkqkl.c9e3l.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-e33gmc.y3yvr.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-wyupi1.hkins.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-qh279r.4jiv.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1htkj6f.raj2.jpg" "
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3266.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSC85E797E48F774E368D18D43219F811F1.TMP"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-15ecm36.1dif.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-a5ub4x.uvl8.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1i4l4o6.038u.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-9t6etm.vgwo.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-81nzei.diti.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-2i429a.9bjg2.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-16m3di1.vd18.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1uele68.j76n.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-gq6p69.q1c5c.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-sybdby.6sfz.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1htkj6f.raj2.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1xoo0l5.c4joi.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-9t6etm.vgwo.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1i4l4o6.038u.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-a5ub4x.uvl8.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-81nzei.diti.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-16m3di1.vd18.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-2i429a.9bjg2.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1uele68.j76n.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-u7ftvk.9qrj.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-sybdby.6sfz.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-15ecm36.1dif.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1xoo0l5.c4joi.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-ukaqr8.q2z7.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-glcoz7.fq93.jpg" "
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5C63.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSCF2729A4CBCBE4746881B4B32B874B961.TMP"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-u7ftvk.9qrj.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-glcoz7.fq93.jpg"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5D7B.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSC9CC5ACC7BC6441A19360DD3F92C7CF5E.TMP"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-ukaqr8.q2z7.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-l4twz8.idz0f.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-l4twz8.idz0f.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1unp0cw.pqxs.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1unp0cw.pqxs.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-wboqz6.6d0t.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1hvjxce.4w3c.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-wboqz6.6d0t.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-16lv3hb.a1ca.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-tiy6as.kstp.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1etasne.k8no.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1o8klxl.n7hj.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-yrizf.ilewwh.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-qdahor.tt7g.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-w89oi9.pv3a.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1ny87vr.dk0w.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1olgzjh.qaqt.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1hvjxce.4w3c.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-16lv3hb.a1ca.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-tiy6as.kstp.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1etasne.k8no.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-gtxw8u.pwxxb.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1ny87vr.dk0w.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-qdahor.tt7g.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-yrizf.ilewwh.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-w89oi9.pv3a.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-t007bx.ksc2o.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-136m6r7.61py.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1o8klxl.n7hj.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-19s4vpe.5v4t.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1olgzjh.qaqt.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1z0zfop.cr6x.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-t007bx.ksc2o.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-136m6r7.61py.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-gtxw8u.pwxxb.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1tfmjxe.ok6b.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1wumml5.3ebi.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-b8nn1z.w54zf.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-12v9aka.ehbw.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-w0r0z4.vmjs9.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-hmh30i.xa4aj.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-l12gpb.bq0qh.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-f5yrgm.suex.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-hbstqf.4uiwq.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-10pw00q.3q7q.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-10yj727.4xdm.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-40hezj.5ref6.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1l6ngqz.pegq.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-evpnfw.mg5r.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-hk8ayy.w5uvo.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-l12gpb.bq0qh.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1ajehy3.mlt1k.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1wumml5.3ebi.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-f5yrgm.suex.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-hbstqf.4uiwq.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1yd1vwr.swtv.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-10yj727.4xdm.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-10pw00q.3q7q.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1l6ngqz.pegq.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-evpnfw.mg5r.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-hk8ayy.w5uvo.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-40hezj.5ref6.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1vd387m.slcf.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-12ok7wp.fg1ll.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-zesah9.ho2w.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1yd1vwr.swtv.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1ajehy3.mlt1k.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-se5lpi.9n6q.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-171xkhy.r9x4.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1uj3rqe.ftea.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1vd387m.slcf.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1tfmjxe.ok6b.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1qrjxgu.p2ef.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-12ok7wp.fg1ll.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-zesah9.ho2w.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-19s4vpe.5v4t.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-17hifqb.kca1l.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-b8nn1z.w54zf.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-hmh30i.xa4aj.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-w0r0z4.vmjs9.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-12v9aka.ehbw.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1uj3rqe.ftea.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1ewu6c4.w3msf.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-lh7366.dgkap.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1qrjxgu.p2ef.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1ewu6c4.w3msf.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-143javq.4z12.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-v1fk9x.e7xji.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-143javq.4z12.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-11sf65r.tg2q.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-11sf65r.tg2q.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-ypjfp2.wt77e.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1i4tmr1.di7fi.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-ypjfp2.wt77e.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1tz07fs.jy9u.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-d52cck.0savs.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1fjxmgn.nwwk.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-14b1ngw.o062.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1671qw2.7i7k.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-yjqsq4.nwl4c.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-b62mca.mo9bk.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1tz07fs.jy9u.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-d52cck.0savs.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1fjxmgn.nwwk.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-14b1ngw.o062.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1671qw2.7i7k.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1z0zfop.cr6x.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-171xkhy.r9x4.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1cyvqh6.hzh8.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-9h4l85.7k8aq.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-f4zioa.nxx7w.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1kj1whr.66fe.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-59why5.dzxpf.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-cv6ktq.r3y46.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1sym48.q42sj.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-165xldr.bhn5g.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1ymfe1s.w1zg.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1qvj09k.u21d.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-ywqg90.lkfhc.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-dtxw0u.5c9hu.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-ywqg90.lkfhc.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-dtxw0u.5c9hu.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-yjqsq4.nwl4c.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1hnpi0h.rjqr.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-8exo5m.xh5gt.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1a7g868.yyc7.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-l0jsdq.54n2.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1c0i2fk.zppek.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-ocaz17.8p6um.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-9eplgg.t7jrh.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1ql0ant.o5yp.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-rsh9gb.cxq0r.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-12qldp.svy6j.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-pyofgl.b43d.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-9muoxa.6yl7.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-ocaz17.8p6um.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-75dqoc.ozusy.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-6lc04o.5nib3.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-17wj6pc.2w1u.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-nle9k8.t1j1.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1houl9l.hjob.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-zdlxwe.ejx6n.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-11fv76a.xdpk.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-fxo0ks.6b7t.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-u925gs.tq86.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-omqmkv.4qwg8.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1houl9l.hjob.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1rqyb8k.b9uo.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-tnjbny.g7z8.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1sch6u7.d5m1.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-otch8h.8k2f.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-nle9k8.t1j1.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-3qk8zj.rd9il.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-suj9ho.mwhm.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-fxo0ks.6b7t.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1lk64s.nempb.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-u925gs.tq86.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-qqgiyt.rcxdb.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1rqyb8k.b9uo.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-suj9ho.mwhm.jpg"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1sch6u7.d5m1.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-vj3609.gjjx.jpg" "
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1lk64s.nempb.jpg"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-1xplt5l.9trh.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-m6k89c.qvzpc.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-c0833m.3en4.jpg" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024312-2492-lyx5jz.ntw17.jpg" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| GB | 216.58.201.110:443 | redirector.gvt1.com | tcp |
| US | 8.8.8.8:53 | panelweb.equi-hosting.fr | udp |
| US | 8.8.8.8:53 | panelweb.equi-hosting.fr | udp |
| US | 172.67.176.119:443 | panelweb.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | panelweb.equi-hosting.fr | tcp |
| US | 8.8.8.8:53 | r2---sn-aigzrnse.gvt1.com | udp |
| GB | 74.125.168.199:443 | r2---sn-aigzrnse.gvt1.com | udp |
| GB | 74.125.168.199:443 | r2---sn-aigzrnse.gvt1.com | tcp |
| US | 8.8.8.8:53 | whoevenareyou.equi-hosting.fr | udp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.4.4:443 | dns.google | tcp |
| US | 8.8.8.8:443 | dns.google | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | whoevenareyou.equi-hosting.fr | tcp |
Files
\Users\Admin\AppData\Local\Temp\790d6143-f199-4adf-b508-6209158dfa5d.tmp.node
| MD5 | e4c111d47eb54b62dab8cb12540b9e39 |
| SHA1 | 09be3e7d9eec1853dc628c8c3b90e7b670921029 |
| SHA256 | a05338fe1e0eb08230717ad2f3587a5c1cb4bd10a673c40a3059f70ae0e7e6b1 |
| SHA512 | f9ec1e62c08425382b48320d2fb1a7fa412dea84825cc49b0297d5c6cfdcb80f32c54de28ac59e7a4c7557ae9900a8d3860fc7d23e486bcc28e603787d9f0f79 |
\Users\Admin\AppData\Local\Temp\6d3d941a-850d-4fe2-803d-39afaf192bfa.tmp.node
| MD5 | f1e751eb4dbfa4a1b5f4903315fc535a |
| SHA1 | 85e1166819678f839954c473d7eb363a99e24a96 |
| SHA256 | b8c24de2fa870ceb677f30da0eabdf20745d0a9ebed98f49c52d881383c75096 |
| SHA512 | 2349745a84bc2b2f9c2b96999d48e37242a6c3627d7898cd9a36e682e36ec12553713db7167b3a9cd20ec308ce11d84f09f06beb3e971823d8b4a959f457b182 |
memory/2688-9-0x0000000000060000-0x0000000000061000-memory.dmp
memory/2688-43-0x0000000077B70000-0x0000000077B71000-memory.dmp
memory/2492-44-0x0000000003C70000-0x0000000003C71000-memory.dmp
\Users\Admin\AppData\Local\Temp\51db2967-0f12-4b89-9520-a77883cb64c3.tmp.node
| MD5 | d4e6004197508892d18fc47645b25f62 |
| SHA1 | 1afceda2531e593c00de7ab994f928a150de5b4d |
| SHA256 | dc29d32decbd161ea4ff1e645d3fdf7a1ce3db0ee25e5485bc19fc775922b71c |
| SHA512 | 0be017eaba3764eb9f38e78248528a9e025958e713a8eb4a8f9b03d087267e107ceef8525a4ecfcbb684b077145fb0161e5dbe05f9fd95f8f94a140fe3ceb8a4 |
C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\Credit Cards\All Credit Cards.txt
| MD5 | dec2be4f1ec3592cea668aa279e7cc9b |
| SHA1 | 327cf8ab0c895e10674e00ea7f437784bb11d718 |
| SHA256 | 753b99d2b4e8c58bfd10995d0c2c19255fe9c8f53703bb27d1b6f76f1f4e83cc |
| SHA512 | 81728e3d31b72905b3a09c79d1e307c4e8e79d436fcfe7560a8046b46ca4ae994fdfaeb1bc2328e35f418b8128f2e7239289e84350e142146df9cde86b20bb66 |
C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\AutoFill Data\All Autofill Data.txt
| MD5 | 810ae82f863a5ffae14d3b3944252a4e |
| SHA1 | 5393e27113753191436b14f0cafa8acabcfe6b2a |
| SHA256 | 453478914b72d9056472fb1e44c69606c62331452f47a1f3c02190f26501785c |
| SHA512 | 2421a397dd2ebb17947167addacd3117f666ddab388e3678168075f58dc8eee15bb49a4aac2290140ae5102924852d27b538740a859d0b35245f505b20f29112 |
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat
| MD5 | da0f40d84d72ae3e9324ad9a040a2e58 |
| SHA1 | 4ca7f6f90fb67dce8470b67010aa19aa0fd6253f |
| SHA256 | 818350a4fb4146072a25f0467c5c99571c854d58bec30330e7db343bceca008b |
| SHA512 | 30b7d4921f39c2601d94a3e3bb0e3be79b4b7b505e52523d2562f2e2f32154d555a593df87a71cddb61b98403265f42e0d6705950b37a155dc1d64113c719fd9 |
C:\Users\Admin\AppData\Local\Temp\screenCapture\CSC59DFE27AB1704E24A55C2756F512C2A3.TMP
| MD5 | a6f2d21624678f54a2abed46e9f3ab17 |
| SHA1 | a2a6f07684c79719007d434cbd1cd2164565734a |
| SHA256 | ab96911d094b6070cbfb48e07407371ddb41b86e36628b6a10cdb11478192344 |
| SHA512 | 0b286df41c3887eecff5c38cbd6818078313b555ef001151b41ac11b80466b2f4f39da518ab9c51eeff35295cb39d52824de13e026c35270917d7274f764c676 |
memory/2512-274-0x0000000006640000-0x0000000006A40000-memory.dmp
memory/2512-277-0x0000000006640000-0x0000000006A40000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\screenCapture\app.manifest
| MD5 | 8951565428aa6644f1505edb592ab38f |
| SHA1 | 9c4bee78e7338f4f8b2c8b6c0e187f43cfe88bf2 |
| SHA256 | 8814db9e125d0c2b7489f8c7c3e95adf41f992d4397ed718bda8573cb8fb0e83 |
| SHA512 | 7577bad37b67bf13a0d7f9b8b7d6c077ecdfb81a5bee94e06dc99e84cb20db2d568f74d1bb2cef906470b4f6859e00214beacca7d82e2b99126d27820bf3b8f5 |
memory/2512-278-0x0000000006640000-0x0000000006A40000-memory.dmp
memory/2512-279-0x0000000006640000-0x0000000006A40000-memory.dmp
memory/2512-280-0x0000000006640000-0x0000000006A40000-memory.dmp
memory/2512-281-0x0000000006640000-0x0000000006A40000-memory.dmp
memory/2512-282-0x0000000006640000-0x0000000006A40000-memory.dmp
memory/2512-283-0x0000000006640000-0x0000000006A40000-memory.dmp
memory/2512-285-0x0000000006640000-0x0000000006A40000-memory.dmp
memory/2512-288-0x0000000006640000-0x0000000006A40000-memory.dmp
memory/2512-290-0x0000000006640000-0x0000000006A40000-memory.dmp
memory/2512-287-0x0000000006640000-0x0000000006A40000-memory.dmp
memory/2512-286-0x0000000006640000-0x0000000006A40000-memory.dmp
memory/2512-294-0x0000000006A40000-0x0000000007240000-memory.dmp
memory/2512-284-0x0000000006640000-0x0000000006A40000-memory.dmp
memory/2512-295-0x0000000006640000-0x0000000006A40000-memory.dmp
memory/2512-297-0x0000000006640000-0x0000000006A40000-memory.dmp
memory/2512-298-0x0000000006640000-0x0000000006A40000-memory.dmp
memory/2512-299-0x0000000006640000-0x0000000006A40000-memory.dmp
memory/2512-296-0x0000000006A40000-0x0000000007240000-memory.dmp
memory/2512-300-0x0000000006640000-0x0000000006A40000-memory.dmp
memory/2512-302-0x0000000006640000-0x0000000006A40000-memory.dmp
memory/2512-306-0x0000000006640000-0x0000000006A40000-memory.dmp
memory/2512-307-0x0000000006640000-0x0000000006A40000-memory.dmp
memory/2512-308-0x0000000006640000-0x0000000006A40000-memory.dmp
memory/2512-309-0x0000000006640000-0x0000000006A40000-memory.dmp
memory/2512-310-0x0000000006640000-0x0000000006A40000-memory.dmp
memory/2512-311-0x0000000006640000-0x0000000006A40000-memory.dmp
memory/2512-314-0x0000000006640000-0x0000000006A40000-memory.dmp
memory/2512-312-0x0000000006640000-0x0000000006A40000-memory.dmp
memory/2512-318-0x0000000006640000-0x0000000006A40000-memory.dmp
memory/2512-316-0x0000000006640000-0x0000000006A40000-memory.dmp
memory/2512-322-0x0000000006640000-0x0000000006A40000-memory.dmp
memory/2512-323-0x0000000006640000-0x0000000006A40000-memory.dmp
memory/2512-324-0x0000000006640000-0x0000000006A40000-memory.dmp
memory/2512-325-0x0000000006640000-0x0000000006A40000-memory.dmp
memory/2512-326-0x0000000006640000-0x0000000006A40000-memory.dmp
memory/2512-327-0x0000000006640000-0x0000000006A40000-memory.dmp
memory/2512-328-0x0000000006640000-0x0000000006A40000-memory.dmp
memory/2512-329-0x0000000006640000-0x0000000006A40000-memory.dmp
memory/2512-330-0x0000000006640000-0x0000000006A40000-memory.dmp
memory/2512-332-0x0000000006640000-0x0000000006A40000-memory.dmp
memory/2512-348-0x0000000006640000-0x0000000006A40000-memory.dmp
memory/2512-346-0x0000000006640000-0x0000000006A40000-memory.dmp
memory/2512-350-0x0000000006640000-0x0000000006A40000-memory.dmp
memory/2512-351-0x0000000006640000-0x0000000006A40000-memory.dmp
memory/2512-349-0x0000000006640000-0x0000000006A40000-memory.dmp
memory/2512-358-0x0000000006640000-0x0000000006A40000-memory.dmp
memory/2512-357-0x0000000006640000-0x0000000006A40000-memory.dmp
memory/2512-355-0x0000000006640000-0x0000000006A40000-memory.dmp
memory/2512-353-0x0000000006640000-0x0000000006A40000-memory.dmp
memory/2512-360-0x0000000006640000-0x0000000006A40000-memory.dmp
memory/2512-365-0x0000000006640000-0x0000000006A40000-memory.dmp
memory/2512-366-0x0000000006640000-0x0000000006A40000-memory.dmp
memory/2512-367-0x0000000006640000-0x0000000006A40000-memory.dmp
memory/2512-368-0x0000000006640000-0x0000000006A40000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RESBA1B.tmp
| MD5 | 8e4794231d1dd67ce5341edc68a739d6 |
| SHA1 | 5f5c7679e006b6625f2a4b219cd5d4c496e72054 |
| SHA256 | 0275bfe9424de4f034e0dac4cc3f0269696e5b7d2fb16681ea77af5f92734a88 |
| SHA512 | 079ad8bb9c490b9bc1e4fe56f80a78b9e82fbf564df7241dc75028b482370d284d75abcc977d27c24cdd0eb6cff728e5200f52428063a239a7880b5bccb6f09d |
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
| MD5 | c4c5118116860e39a2f3e5e67073f07c |
| SHA1 | d9d4e88931832f7e64f9efc462272a7f1677d4da |
| SHA256 | 58feb3e1cee0756fcdb1a3daec78c1ab7660794ff1aca761c5d01a17527bf934 |
| SHA512 | 4170875439788c089b290401eebf43ca988578aa187ada140d63cd82229039c275ce1e1a2c028cb21f103c152503fc57c35b16b6d629bc0a6c0a0f7a07b1834c |
memory/3208-694-0x0000000000130000-0x000000000013A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RESC776.tmp
| MD5 | a679f930ae4031b632d2648d550e000b |
| SHA1 | 865686073adfe4ae0635f17694c69eff30534325 |
| SHA256 | b40d0144ad533e8e01261a642d16a8bb5de303bc270ec702fccde075b7dc6c4a |
| SHA512 | de011e27fc47135f89d29f6128bbd6005fc37614e3e95471b45e21762c993f71cfbc4641052b5750c0ff0d0699bcd6732e9379a43d5f8dff11473d4699db4527 |
C:\Users\Admin\AppData\Local\Temp\RESF788.tmp
| MD5 | a72f21f06f9323d85fb958c82678c25f |
| SHA1 | eacc91fbf4ea4c58af3a6f6f930e0698de318124 |
| SHA256 | 8c293da88ed3afe812723fe3cd55bdc4ebcf68bdf819c8cccff5ffb662c56114 |
| SHA512 | 5dfb53aaddffdc09e6acbc8d38b357088a592cdf969ebf036d532db914c373cd52134d2a046c42111e0cec3e671fc7489b5c36a3d33238dff146d5d72efd539e |
C:\Users\Admin\AppData\Local\Temp\RESC775.tmp
| MD5 | dd19e97db626e711cac9913e34913340 |
| SHA1 | ad5fca917c5179e5e81776894d612d5051882af5 |
| SHA256 | efb6e6662ad19e6a94f3398b0dc13212ffaddbe617698985c0ca29e391a80dfe |
| SHA512 | 4e0355028ec99190259bd3568ebde677dbbecbfcdffeba44c8ddba7fac43014daf80bf5eb696e0e2b8ce1a475c1f3daccd0839745bd4494d94b8b131d1474455 |
memory/3208-752-0x000007FEF2C50000-0x000007FEF363C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RESC779.tmp
| MD5 | a8f126697da79e8b2f77639259bbc719 |
| SHA1 | 1285b8805f18eb22784deb2faba5da96b98770a4 |
| SHA256 | d84dcd6080055610a83c2e1a485ab0fb467a2bfbddc3bcedcd7253931a73f29b |
| SHA512 | c5622b93a89f63708a56c81ce70f89747a993ca8c52309bd19f9db34e130235d19d8341540d16997b830594c62f772c34ea23d0af6357cd21d23197b33f6859c |
memory/3872-753-0x000007FEF2C50000-0x000007FEF363C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RESC777.tmp
| MD5 | 6d30676b93be639f4b03a7022e55d901 |
| SHA1 | 083d17f8c817430a18e97b1c77780c13cd2017cf |
| SHA256 | 34e83484fc4dab72bdfb715b80326e639c0e93b93a86d81035fcf0728d74b8eb |
| SHA512 | e7682ad39ca6bac9f8c529bdf4effc5fe80fd3ee1e3c4ed0d64195eaac8716e4715d7b640d28caf89656e177d4b147c0851c6d477cf2efa92ac5ae9a1079580e |
memory/3924-773-0x000007FEF2C50000-0x000007FEF363C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2024312-2492-7rg6ji.v9wyl.jpg
| MD5 | e0a3f6c161cfb321d6586a8856a7b2c6 |
| SHA1 | c1e686b34205dff903a8e4be1beca8f05fcfe536 |
| SHA256 | a9b602cb6fef293791b61a09b910809377766775064dcc6b43bdfe91cd0bf8c1 |
| SHA512 | 3a4536b8c5a614942c0c5f473272820a13ee438eeb0dcc72fcfd5a2cd14b395209cc9f2297ddcd9966f2c2ab8771e669e1b966651f71d98bf33513f8558d52de |
memory/3940-774-0x000007FEF2C50000-0x000007FEF363C000-memory.dmp
memory/3948-785-0x000007FEF2C50000-0x000007FEF363C000-memory.dmp
memory/3956-809-0x000007FEF2C50000-0x000007FEF363C000-memory.dmp
memory/3128-813-0x000007FEF2C50000-0x000007FEF363C000-memory.dmp
memory/3844-819-0x000007FEF2C50000-0x000007FEF363C000-memory.dmp
memory/3864-818-0x000007FEF2C50000-0x000007FEF363C000-memory.dmp
memory/3260-825-0x000007FEF2C50000-0x000007FEF363C000-memory.dmp
memory/3192-834-0x000007FEF2C50000-0x000007FEF363C000-memory.dmp
memory/3916-853-0x000007FEF2C50000-0x000007FEF363C000-memory.dmp
memory/3932-855-0x000007FEF2C50000-0x000007FEF363C000-memory.dmp
memory/3828-860-0x000007FEF2C50000-0x000007FEF363C000-memory.dmp
memory/3092-859-0x000007FEF2C50000-0x000007FEF363C000-memory.dmp
memory/4052-874-0x000007FEF2C50000-0x000007FEF363C000-memory.dmp
memory/3076-832-0x000007FEF2C50000-0x000007FEF363C000-memory.dmp
memory/3400-889-0x000007FEF2C50000-0x000007FEF363C000-memory.dmp
memory/3340-895-0x000007FEF2C50000-0x000007FEF363C000-memory.dmp
memory/3408-890-0x000007FEF2C50000-0x000007FEF363C000-memory.dmp
memory/2456-919-0x000007FEF2C50000-0x000007FEF363C000-memory.dmp
memory/3292-918-0x000007FEF2C50000-0x000007FEF363C000-memory.dmp
memory/3308-923-0x000007FEF2C50000-0x000007FEF363C000-memory.dmp
memory/3236-922-0x000007FEF2C50000-0x000007FEF363C000-memory.dmp
memory/3108-921-0x000007FEF2C50000-0x000007FEF363C000-memory.dmp
memory/3344-920-0x000007FEF2C50000-0x000007FEF363C000-memory.dmp
memory/2276-939-0x000007FEF2C50000-0x000007FEF363C000-memory.dmp
memory/2996-928-0x000007FEF2C50000-0x000007FEF363C000-memory.dmp
memory/3536-999-0x000007FEF2C50000-0x000007FEF363C000-memory.dmp
memory/3332-1060-0x000007FEF2C50000-0x000007FEF363C000-memory.dmp
memory/3428-1061-0x000007FEF2C50000-0x000007FEF363C000-memory.dmp
memory/4116-1064-0x000007FEF2C50000-0x000007FEF363C000-memory.dmp
memory/3076-1059-0x000007FEF2C50000-0x000007FEF363C000-memory.dmp
memory/3300-1058-0x000007FEF2C50000-0x000007FEF363C000-memory.dmp
memory/4216-1086-0x000007FEF2C50000-0x000007FEF363C000-memory.dmp
memory/3404-1089-0x000007FEF2C50000-0x000007FEF363C000-memory.dmp
memory/4616-1137-0x000007FEF2C50000-0x000007FEF363C000-memory.dmp
memory/4332-1141-0x000007FEF2C50000-0x000007FEF363C000-memory.dmp
memory/4300-1146-0x000007FEF2C50000-0x000007FEF363C000-memory.dmp
memory/3132-1186-0x000007FEF2C50000-0x000007FEF363C000-memory.dmp