Resubmissions

29/04/2023, 16:39

230429-t563aadd3x 10

29/04/2023, 16:33

230429-t2xpfadd2v 10

Analysis

  • max time kernel
    151s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/04/2023, 16:33

General

  • Target

    ValorantLoading0.exe

  • Size

    53.2MB

  • MD5

    528c7fa8598ab0f0cf3ace973391a991

  • SHA1

    1bb881224b1b5400204b1493d1920ad7750064fe

  • SHA256

    2db50e843ecb7e518b6dbf29192158e0b2c3bfacdbe2257be98ad45319bba568

  • SHA512

    5996f3f55f5d77fa877f7377a978c4b132e72311861fabf04dc086f3d8fd6bcc4c5412128ce8cdbd6db349c4587e45c86ed40284aba8e0bbb5fc0ce4da5d3cf1

  • SSDEEP

    1572864:AexVAYy9tDh0FZk7yacONW5h5eekQC32L7:3xY7Dh0F+OacAOh9CGL7

Score
10/10

Malware Config

Signatures

  • Lumma Stealer

    An infostealer written in C++ first seen in August 2022.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 15 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ValorantLoading0.exe
    "C:\Users\Admin\AppData\Local\Temp\ValorantLoading0.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4892
    • C:\Users\Admin\AppData\Local\Temp\2OIDCWpUM44eIF3n6HMYG8tBkzz\ValorantLoading0%.exe
      C:\Users\Admin\AppData\Local\Temp\2OIDCWpUM44eIF3n6HMYG8tBkzz\ValorantLoading0%.exe
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4344
      • C:\Users\Admin\AppData\Local\Temp\2OIDCWpUM44eIF3n6HMYG8tBkzz\ValorantLoading0%.exe
        "C:\Users\Admin\AppData\Local\Temp\2OIDCWpUM44eIF3n6HMYG8tBkzz\ValorantLoading0%.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\xxxxxxxxxxxxxxxx" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1628 --field-trial-handle=1704,i,12366711285107873264,14070169583911649435,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:4760
      • C:\Users\Admin\AppData\Local\Temp\2OIDCWpUM44eIF3n6HMYG8tBkzz\ValorantLoading0%.exe
        "C:\Users\Admin\AppData\Local\Temp\2OIDCWpUM44eIF3n6HMYG8tBkzz\ValorantLoading0%.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\xxxxxxxxxxxxxxxx" --mojo-platform-channel-handle=2052 --field-trial-handle=1704,i,12366711285107873264,14070169583911649435,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:2472
      • C:\Users\Admin\AppData\Local\Temp\2OIDCWpUM44eIF3n6HMYG8tBkzz\ValorantLoading0%.exe
        "C:\Users\Admin\AppData\Local\Temp\2OIDCWpUM44eIF3n6HMYG8tBkzz\ValorantLoading0%.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\xxxxxxxxxxxxxxxx" --app-path="C:\Users\Admin\AppData\Local\Temp\2OIDCWpUM44eIF3n6HMYG8tBkzz\resources\app.asar" --no-sandbox --no-zygote --first-renderer-process --lang --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2492 --field-trial-handle=1704,i,12366711285107873264,14070169583911649435,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Loads dropped DLL
        PID:4092
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1168
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:4740
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:384
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:1696
      • C:\Users\Admin\AppData\Local\Temp\2OIDCWpUM44eIF3n6HMYG8tBkzz\ValorantLoading0%.exe
        "C:\Users\Admin\AppData\Local\Temp\2OIDCWpUM44eIF3n6HMYG8tBkzz\ValorantLoading0%.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\xxxxxxxxxxxxxxxx" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1604 --field-trial-handle=1704,i,12366711285107873264,14070169583911649435,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:4244

Network

        MITRE ATT&CK Enterprise v6

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\2OIDCWpUM44eIF3n6HMYG8tBkzz\D3DCompiler_47.dll

          Filesize

          3.9MB

        • C:\Users\Admin\AppData\Local\Temp\2OIDCWpUM44eIF3n6HMYG8tBkzz\ValorantLoading0%.exe

          Filesize

          127.7MB

        • C:\Users\Admin\AppData\Local\Temp\2OIDCWpUM44eIF3n6HMYG8tBkzz\ValorantLoading0%.exe

          Filesize

          6.2MB

        • C:\Users\Admin\AppData\Local\Temp\2OIDCWpUM44eIF3n6HMYG8tBkzz\chrome_100_percent.pak

          Filesize

          126KB

        • C:\Users\Admin\AppData\Local\Temp\2OIDCWpUM44eIF3n6HMYG8tBkzz\chrome_200_percent.pak

          Filesize

          175KB

        • C:\Users\Admin\AppData\Local\Temp\2OIDCWpUM44eIF3n6HMYG8tBkzz\d3dcompiler_47.dll

          Filesize

          3.9MB

        • C:\Users\Admin\AppData\Local\Temp\2OIDCWpUM44eIF3n6HMYG8tBkzz\debug.log

          Filesize

          524B

        • C:\Users\Admin\AppData\Local\Temp\2OIDCWpUM44eIF3n6HMYG8tBkzz\ffmpeg.dll

          Filesize

          2.4MB

        • C:\Users\Admin\AppData\Local\Temp\2OIDCWpUM44eIF3n6HMYG8tBkzz\icudtl.dat

          Filesize

          10.0MB

        • C:\Users\Admin\AppData\Local\Temp\2OIDCWpUM44eIF3n6HMYG8tBkzz\libEGL.dll

          Filesize

          367KB

        • C:\Users\Admin\AppData\Local\Temp\2OIDCWpUM44eIF3n6HMYG8tBkzz\libGLESv2.dll

          Filesize

          6.2MB

        • C:\Users\Admin\AppData\Local\Temp\2OIDCWpUM44eIF3n6HMYG8tBkzz\libegl.dll

          Filesize

          367KB

        • C:\Users\Admin\AppData\Local\Temp\2OIDCWpUM44eIF3n6HMYG8tBkzz\libglesv2.dll

          Filesize

          6.2MB

        • C:\Users\Admin\AppData\Local\Temp\2OIDCWpUM44eIF3n6HMYG8tBkzz\resources\app.asar

          Filesize

          51.2MB

        • C:\Users\Admin\AppData\Local\Temp\2OIDCWpUM44eIF3n6HMYG8tBkzz\v8_context_snapshot.bin

          Filesize

          590KB

        • C:\Users\Admin\AppData\Local\Temp\2OIDCWpUM44eIF3n6HMYG8tBkzz\vk_swiftshader.dll

          Filesize

          4.2MB

        • C:\Users\Admin\AppData\Local\Temp\2OIDCWpUM44eIF3n6HMYG8tBkzz\vk_swiftshader_icd.json

          Filesize

          106B

        • C:\Users\Admin\AppData\Local\Temp\2OIDCWpUM44eIF3n6HMYG8tBkzz\vulkan-1.dll

          Filesize

          744KB

        • C:\Users\Admin\AppData\Local\Temp\5297f945-91a8-4e82-bf1a-9a73ab02874f.tmp.node

          Filesize

          2.1MB

        • C:\Users\Admin\AppData\Local\Temp\b47109e8-94c0-4669-9580-4b23d131cf1c.tmp.node

          Filesize

          120KB

        • C:\Users\Admin\AppData\Local\Temp\nsp7AB4.tmp\7z-out\ValorantLoading0%.exe

          Filesize

          127.7MB

        • C:\Users\Admin\AppData\Local\Temp\nsp7AB4.tmp\7z-out\chrome_200_percent.pak

          Filesize

          175KB

        • C:\Users\Admin\AppData\Local\Temp\nsp7AB4.tmp\7z-out\d3dcompiler_47.dll

          Filesize

          3.9MB

        • C:\Users\Admin\AppData\Local\Temp\nsp7AB4.tmp\7z-out\ffmpeg.dll

          Filesize

          2.4MB

        • C:\Users\Admin\AppData\Local\Temp\nsp7AB4.tmp\7z-out\icudtl.dat

          Filesize

          10.0MB

        • C:\Users\Admin\AppData\Local\Temp\nsp7AB4.tmp\7z-out\libEGL.dll

          Filesize

          367KB

        • C:\Users\Admin\AppData\Local\Temp\nsp7AB4.tmp\7z-out\libGLESv2.dll

          Filesize

          6.2MB

        • C:\Users\Admin\AppData\Local\Temp\nsp7AB4.tmp\7z-out\resources\app.asar

          Filesize

          51.2MB

        • C:\Users\Admin\AppData\Local\Temp\nsp7AB4.tmp\7z-out\resources\elevate.exe

          Filesize

          105KB

        • C:\Users\Admin\AppData\Local\Temp\nsp7AB4.tmp\7z-out\snapshot_blob.bin

          Filesize

          290KB

        • C:\Users\Admin\AppData\Local\Temp\nsp7AB4.tmp\7z-out\v8_context_snapshot.bin

          Filesize

          590KB

        • C:\Users\Admin\AppData\Local\Temp\nsp7AB4.tmp\7z-out\vk_swiftshader.dll

          Filesize

          4.2MB

        • C:\Users\Admin\AppData\Local\Temp\nsp7AB4.tmp\7z-out\vk_swiftshader_icd.json

          Filesize

          106B

        • C:\Users\Admin\AppData\Local\Temp\nsp7AB4.tmp\7z-out\vulkan-1.dll

          Filesize

          744KB

        • C:\Users\Admin\AppData\Local\Temp\nsp7AB4.tmp\StdUtils.dll

          Filesize

          100KB

        • C:\Users\Admin\AppData\Local\Temp\nsp7AB4.tmp\System.dll

          Filesize

          12KB

        • C:\Users\Admin\AppData\Local\Temp\nsp7AB4.tmp\nsis7z.dll

          Filesize

          424KB

        • C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

          Filesize

          2B

        • C:\Users\Admin\AppData\Roaming\xxxxxxxxxxxxxxxx\Network\Network Persistent State

          Filesize

          387B

        • C:\Users\Admin\AppData\Roaming\xxxxxxxxxxxxxxxx\Network\Network Persistent State~RFe588b63.TMP

          Filesize

          59B

        • C:\Users\Admin\AppData\Roaming\xxxxxxxxxxxxxxxx\Preferences

          Filesize

          161B

        • C:\Users\Admin\AppData\Roaming\xxxxxxxxxxxxxxxx\Preferences~RFe57a856.TMP

          Filesize

          86B
