Analysis Overview
SHA256
5edf8176976a7ebaf33bae8acd9aab635fe69d1f242afcadb6ea6e54db88fe60
Threat Level: Shows suspicious behavior
The file SetupFile 1.0.0.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
An obfuscated cmd.exe command-line is typically used to evade detection.
Program crash
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Enumerates processes with tasklist
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Modifies Internet Explorer settings
Enumerates system info in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-02 21:29
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral24
Detonation Overview
Submitted
2024-03-02 21:28
Reported
2024-03-02 22:42
Platform
win7-20240221-en
Max time kernel
118s
Max time network
136s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2224 wrote to memory of 1524 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 2224 wrote to memory of 1524 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 2224 wrote to memory of 1524 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\vulkan-1.dll,#1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2224 -s 92
Network
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-03-02 21:28
Reported
2024-03-02 22:41
Platform
win10v2004-20240226-en
Max time kernel
147s
Max time network
157s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| IE | 52.111.236.23:443 | tcp | |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-02 21:28
Reported
2024-03-02 22:40
Platform
win7-20240221-en
Max time kernel
46s
Max time network
16s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Epic\Launcher\SetupFile.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SetupFile 1.0.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SetupFile 1.0.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SetupFile 1.0.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SetupFile 1.0.0.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\ProgramData\Epic\Launcher\SetupFile.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SetupFile 1.0.0.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1636 wrote to memory of 1948 | N/A | C:\Users\Admin\AppData\Local\Temp\SetupFile 1.0.0.exe | C:\ProgramData\Epic\Launcher\SetupFile.exe |
| PID 1636 wrote to memory of 1948 | N/A | C:\Users\Admin\AppData\Local\Temp\SetupFile 1.0.0.exe | C:\ProgramData\Epic\Launcher\SetupFile.exe |
| PID 1636 wrote to memory of 1948 | N/A | C:\Users\Admin\AppData\Local\Temp\SetupFile 1.0.0.exe | C:\ProgramData\Epic\Launcher\SetupFile.exe |
| PID 1636 wrote to memory of 1948 | N/A | C:\Users\Admin\AppData\Local\Temp\SetupFile 1.0.0.exe | C:\ProgramData\Epic\Launcher\SetupFile.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\SetupFile 1.0.0.exe
"C:\Users\Admin\AppData\Local\Temp\SetupFile 1.0.0.exe"
C:\ProgramData\Epic\Launcher\SetupFile.exe
C:\ProgramData\Epic\Launcher\SetupFile.exe
Network
Files
\Users\Admin\AppData\Local\Temp\nst1640.tmp\System.dll
| MD5 | 0d7ad4f45dc6f5aa87f606d0331c6901 |
| SHA1 | 48df0911f0484cbe2a8cdd5362140b63c41ee457 |
| SHA256 | 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca |
| SHA512 | c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9 |
\Users\Admin\AppData\Local\Temp\nst1640.tmp\nsis7z.dll
| MD5 | 80e44ce4895304c6a3a831310fbf8cd0 |
| SHA1 | 36bd49ae21c460be5753a904b4501f1abca53508 |
| SHA256 | b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592 |
| SHA512 | c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df |
C:\Users\Admin\AppData\Local\Temp\nst1640.tmp\7z-out\chrome_100_percent.pak
| MD5 | 8626e1d68e87f86c5b4dabdf66591913 |
| SHA1 | 4cd7b0ac0d3f72587708064a7b0a3beca3f7b81c |
| SHA256 | 2caa1da9b6a6e87bdb673977fee5dd771591a1b6ed5d3c5f14b024130a5d1a59 |
| SHA512 | 03bcd8562482009060f249d6a0dd7382fc94d669a2094dec08e8d119be51bef2c3b7b484bb5b7f805ae98e372dab9383a2c11a63ab0f5644146556b1bb9a4c99 |
C:\Users\Admin\AppData\Local\Temp\nst1640.tmp\7z-out\chrome_200_percent.pak
| MD5 | 48515d600258d60019c6b9c6421f79f6 |
| SHA1 | 0ef0b44641d38327a360aa6954b3b6e5aab2af16 |
| SHA256 | 07bee34e189fe9a8789aed78ea59ad41414b6e611e7d74da62f8e6ca36af01ce |
| SHA512 | b7266bc8abc55bd389f594dac0c0641ecf07703f35d769b87e731b5fdf4353316d44f3782a4329b3f0e260dead6b114426ddb1b0fb8cd4a51e0b90635f1191d9 |
C:\Users\Admin\AppData\Local\Temp\nst1640.tmp\7z-out\d3dcompiler_47.dll
| MD5 | a182e52b0d0bf8232ad4212f18c0b203 |
| SHA1 | 17888c60da33c9cb25ee460d7e63e2d833ca1d6a |
| SHA256 | f84a8662d9872c908bf7655637883f76027774779b1e60a14293554d7f338da3 |
| SHA512 | 3bd9f8e5f0d4e8dbe86312cade4413d3f659741f345d146ee400ed454ab5ec33c2869ddabe53c6dfc16821bd9068b6438d7de80906ea4c88cb18db06f63b3cda |
C:\ProgramData\Epic\Launcher\ffmpeg.dll
| MD5 | d49e7a8f096ad4722bd0f6963e0efc08 |
| SHA1 | 6835f12391023c0c7e3c8cc37b0496e3a93a5985 |
| SHA256 | f11576bf7ffbc3669d1a5364378f35a1ed0811b7831528b6c4c55b0cdc7dc014 |
| SHA512 | ca50c28d6aac75f749ed62eec8acbb53317f6bdcef8794759af3fad861446de5b7fa31622ce67a347949abb1098eccb32689b4f1c54458a125bc46574ad51575 |
C:\Users\Admin\AppData\Local\Temp\nst1640.tmp\7z-out\icudtl.dat
| MD5 | 5c73d8e2307c9ddab7dac68a96d15298 |
| SHA1 | 362307690d7a0cfd6d2806fa8bbc0128deb37f3d |
| SHA256 | bdc376d3f2f2c7f9fe587b3ceb85ebb9fe528f16232f0dacb8ffa9efa440e00c |
| SHA512 | 4c0151fa2f6ecf8850b1a69a42c248d07159827206e50707a90d91a9050d2214900933c794c7a4d97d83b185a0d3c20357bda776aba040454b32dbe8e779c5b6 |
C:\Users\Admin\AppData\Local\Temp\nst1640.tmp\7z-out\libEGL.dll
| MD5 | 09134e6b407083baaedf9a8c0bce68f2 |
| SHA1 | 8847344cceeab35c1cdf8637af9bd59671b4e97d |
| SHA256 | d2107ba0f4e28e35b22837c3982e53784d15348795b399ad6292d0f727986577 |
| SHA512 | 6ff3adcb8be48d0b505a3c44e6550d30a8feaf4aa108982a7992ed1820c06f49e0ad48d9bd92685fb82783dfd643629bd1fe4073300b61346b63320cbdb051ba |
C:\Users\Admin\AppData\Local\Temp\nst1640.tmp\7z-out\libGLESv2.dll
| MD5 | 5b1d920589377e3469cc6bd52a0a86f0 |
| SHA1 | ddc373fe3b86ce24258f09dc43ae2bb2a58d7819 |
| SHA256 | aaab5daa7cbf95866a3852e432e8e4e141dd014c0bfa07a3f5150f0a11c8f5dd |
| SHA512 | 7de7198812b64c96ad270479bb804a5469e5f6991f6a54ebfcf36a7df9bbf85946a75404eb78e8b13a53d311a88f06d61b0e2e28202f7510a807907d9716e097 |
C:\Users\Admin\AppData\Local\Temp\nst1640.tmp\7z-out\LICENSE.electron.txt
| MD5 | 4d42118d35941e0f664dddbd83f633c5 |
| SHA1 | 2b21ec5f20fe961d15f2b58efb1368e66d202e5c |
| SHA256 | 5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d |
| SHA512 | 3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63 |
C:\Users\Admin\AppData\Local\Temp\nst1640.tmp\7z-out\LICENSES.chromium.html
| MD5 | 4c8e54c11cff624102efb72e79e0f823 |
| SHA1 | 110cb9fa2baad2f3ddfc09ae94d92e41d6c14032 |
| SHA256 | 632f1ebf7cd09c0db6d4a8ac0ff9b13f66d1f20dd22ad0b0ce2731564cb01933 |
| SHA512 | 9b696d6c92bfd3b661fc80787256c3f29a8acd93605956a6f2b74cce0b4bdf6424bceb201a28d1c6d9dae1b9dd61edb22eb540a63271550268210328ef7ff3b9 |
C:\Users\Admin\AppData\Local\Temp\nst1640.tmp\7z-out\resources.pak
| MD5 | 45f944ca643855956293cdcf6fdd4993 |
| SHA1 | 75fe0426367a3b9f5a17914cf94ee67366c4b657 |
| SHA256 | b1ca772aef0e8a36dab66b3157a985e44510b48e0f54cb576ab4bceb95d6bd20 |
| SHA512 | deee47bb89a8073639cb2c097b66b23f5e81f2e980a6000a7d6e3e7153f81f403e95e20f72956ab126a194e98623206fb4fc5f0f9ccd0a089ea665d26c97b4b6 |
C:\Users\Admin\AppData\Local\Temp\nst1640.tmp\7z-out\vk_swiftshader.dll
| MD5 | 228aa6f8fd0bdb09fedba424e5bfe66e |
| SHA1 | fdda42af3e6d69669e8bf5095be0874fe38f27bf |
| SHA256 | 097e59d5985bc4e7231119a97402e973d292b9f2fc945de59a56722fcdbe77e8 |
| SHA512 | a8fe68b4a114f9c4d3a12ae80a660aa753405b9a69aac08f9bb151d5ed82cec7dbe83cf80ab624c1b27b818c0670a9b049a6158da4a61f55eb8be3b2a1bbb2c4 |
C:\Users\Admin\AppData\Local\Temp\nst1640.tmp\7z-out\snapshot_blob.bin
| MD5 | 8fef5a96dbcc46887c3ff392cbdb1b48 |
| SHA1 | ed592d75222b7828b7b7aab97b83516f60772351 |
| SHA256 | 4de0f720c416776423add7ada621da95d0d188d574f08e36e822ad10d85c3ece |
| SHA512 | e52c7820c69863ecc1e3b552b7f20da2ad5492b52cac97502152ebff45e7a45b00e6925679fd7477cdc79c68b081d6572eeed7aed773416d42c9200accc7230e |
C:\Users\Admin\AppData\Local\Temp\nst1640.tmp\7z-out\SetupFile.exe
| MD5 | 9f2b49fd35031dbcb93514fc9821c1b3 |
| SHA1 | 8f7e07d47155a675db780b6279f98d1ce803a5f1 |
| SHA256 | 4bf87b43f510a6a26b0e0e74d169860fed0220e9f33db2f794cd86e3f1f1785a |
| SHA512 | 41450ae7ab572e4d75d0cd68930f8fdb99fa69bafe3c0a7f788c160c270110d68184d255896c7532eec9ddbc1b918e6a81b44d5e9161e2499a3e24a81c304d88 |
C:\Users\Admin\AppData\Local\Temp\nst1640.tmp\7z-out\v8_context_snapshot.bin
| MD5 | a373d83d4c43ba957693ad57172a251b |
| SHA1 | 8e0fdb714df2f4cb058beb46c06aa78f77e5ff86 |
| SHA256 | 43b58ca4057cf75063d3b4a8e67aa9780d9a81d3a21f13c64b498be8b3ba6e0c |
| SHA512 | 07fbd84dc3e0ec1536ccb54d5799d5ed61b962251ece0d48e18b20b0fc9dd92de06e93957f3efc7d9bed88db7794fe4f2bec1e9b081825e41c6ac3b4f41eab18 |
C:\Users\Admin\AppData\Local\Temp\nst1640.tmp\7z-out\vulkan-1.dll
| MD5 | 0e4e0f481b261ea59f196e5076025f77 |
| SHA1 | c73c1f33b5b42e9d67d819226db69e60d2262d7b |
| SHA256 | f681844896c084d2140ac210a974d8db099138fe75edb4df80e233d4b287196a |
| SHA512 | e6127d778ec73acbeb182d42e5cf36c8da76448fbdab49971de88ec4eb13ce63140a2a83fc3a1b116e41f87508ff546c0d7c042b8f4cdd9e07963801f3156ba2 |
C:\Users\Admin\AppData\Local\Temp\nst1640.tmp\7z-out\vk_swiftshader_icd.json
| MD5 | 8642dd3a87e2de6e991fae08458e302b |
| SHA1 | 9c06735c31cec00600fd763a92f8112d085bd12a |
| SHA256 | 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9 |
| SHA512 | f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f |
C:\Users\Admin\AppData\Local\Temp\nst1640.tmp\7z-out\locales\af.pak
| MD5 | 464e5eeaba5eff8bc93995ba2cb2d73f |
| SHA1 | 3b216e0c5246c874ad0ad7d3e1636384dad2255d |
| SHA256 | 0ad547bb1dc57907adeb02e1be3017cce78f6e60b8b39395fe0e8b62285797a1 |
| SHA512 | 726d6c41a9dbf1f5f2eff5b503ab68d879b088b801832c13fba7eb853302b16118cacda4748a4144af0f396074449245a42b2fe240429b1afcb7197fa0cb6d41 |
C:\Users\Admin\AppData\Local\Temp\nst1640.tmp\7z-out\locales\bg.pak
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\nst1640.tmp\7z-out\locales\bn.pak
| MD5 | 9340520696e7cb3c2495a78893e50add |
| SHA1 | eed5aeef46131e4c70cd578177c527b656d08586 |
| SHA256 | 1ea245646a4b4386606f03c8a3916a3607e2adbbc88f000976be36db410a1e39 |
| SHA512 | 62507685d5542cfcd394080917b3a92ca197112feea9c2ddc1dfc77382a174c7ddf758d85af66cd322692215cb0402865b2a2b212694a36da6b592028caafcdf |
C:\Users\Admin\AppData\Local\Temp\nst1640.tmp\7z-out\locales\ar.pak
| MD5 | fdbad4c84ac66ee78a5c8dd16d259c43 |
| SHA1 | 3ce3cd751bb947b19d004bd6916b67e8db5017ac |
| SHA256 | a62b848a002474a8ea37891e148cbaf4af09bdba7dafebdc0770c9a9651f7e3b |
| SHA512 | 376519c5c2e42d21acedb1ef47184691a2f286332451d5b8d6aac45713861f07c852fb93bd9470ff5ee017d6004aba097020580f1ba253a5295ac1851f281e13 |
C:\Users\Admin\AppData\Local\Temp\nst1640.tmp\7z-out\locales\am.pak
| MD5 | 2c933f084d960f8094e24bee73fa826c |
| SHA1 | 91dfddc2cff764275872149d454a8397a1a20ab1 |
| SHA256 | fa1e44215bd5acc7342c431a3b1fddb6e8b6b02220b4599167f7d77a29f54450 |
| SHA512 | 3c9ecfb0407de2aa6585f4865ad54eeb2ec6519c9d346e2d33ed0e30be6cc3ebfed676a08637d42c2ca8fa6cfefb4091feb0c922ff71f09a2b89cdd488789774 |
C:\Users\Admin\AppData\Local\Temp\nst1640.tmp\7z-out\locales\cs.pak
| MD5 | eeee212072ea6589660c9eb216855318 |
| SHA1 | d50f9e6ca528725ced8ac186072174b99b48ea05 |
| SHA256 | de92f14480770401e39e22dcf3dd36de5ad3ed22e44584c31c37cd99e71c4a43 |
| SHA512 | ea068186a2e611fb98b9580f2c5ba6fd1f31b532e021ef9669e068150c27deee3d60fd9ff7567b9eb5d0f98926b24defabc9b64675b49e02a6f10e71bb714ac8 |
C:\Users\Admin\AppData\Local\Temp\nst1640.tmp\7z-out\locales\el.pak
| MD5 | e66a75680f21ce281995f37099045714 |
| SHA1 | d553e80658ee1eea5b0912db1ecc4e27b0ed4790 |
| SHA256 | 21d1d273124648a435674c7877a98110d997cf6992469c431fe502bbcc02641f |
| SHA512 | d3757529dd85ef7989d9d4cecf3f7d87c9eb4beda965d8e2c87ee23b8baaec3fdff41fd53ba839215a37404b17b8fe2586b123557f09d201b13c7736c736b096 |
C:\Users\Admin\AppData\Local\Temp\nst1640.tmp\7z-out\locales\et.pak
| MD5 | ccc71f88984a7788c8d01add2252d019 |
| SHA1 | 6a87752eac3044792a93599428f31d25debea369 |
| SHA256 | d69489a723b304e305cb1767e6c8da5d5d1d237e50f6ddc76e941dcb01684944 |
| SHA512 | d35ccd639f2c199862e178a9fab768d7db10d5a654bc3bc1fab45d00ceb35a01119a5b4d199e2db3c3576f512b108f4a1df7faf6624d961c0fc4bca5af5f0e07 |
C:\Users\Admin\AppData\Local\Temp\nst1640.tmp\7z-out\locales\fr.pak
| MD5 | 3ee48a860ecf45bafa63c9284dfd63e2 |
| SHA1 | 1cb51d14964f4dced8dea883bf9c4b84a78f8eb6 |
| SHA256 | 1923e0edf1ef6935a4a718e3e2fc9a0a541ea0b4f3b27553802308f9fd4fc807 |
| SHA512 | eb6105faca13c191fef0c51c651a406b1da66326bb5705615770135d834e58dee9bed82aa36f2dfb0fe020e695c192c224ec76bb5c21a1c716e5f26dfe02f763 |
C:\Users\Admin\AppData\Local\Temp\nst1640.tmp\7z-out\locales\hu.pak
| MD5 | 2aa0a175df21583a68176742400c6508 |
| SHA1 | 3c25ba31c2b698e0c88e7d01b2cc241f0916e79a |
| SHA256 | b59f932df822ab1a87e8aab4bbb7c549db15899f259f4c50ae28f8d8c7ce1e72 |
| SHA512 | 03a16feb0601407e96bcb43af9bdb21e5218c2700c9f3cfd5f9690d0b4528f9dc17e4cc690d8c9132d4e0b26d7faafd90aa3f5e57237e06fb81aab7ab77f6c03 |
C:\Users\Admin\AppData\Local\Temp\nst1640.tmp\7z-out\locales\ko.pak
| MD5 | d6194fc52e962534b360558061de2a25 |
| SHA1 | 98ed833f8c4beac685e55317c452249579610ff8 |
| SHA256 | 1a5884bd6665b2f404b7328de013522ee7c41130e57a53038fc991ec38290d21 |
| SHA512 | 5207a07426c6ceb78f0504613b6d2b8dadf9f31378e67a61091f16d72287adbc7768d1b7f2a923369197e732426d15a872c091cf88680686581d48a7f94988ab |
C:\Users\Admin\AppData\Local\Temp\nst1640.tmp\7z-out\locales\pl.pak
| MD5 | f1d48a7dcd4880a27e39b7561b6eb0ab |
| SHA1 | 353c3ba213cd2e1f7423c6ba857a8d8be40d8302 |
| SHA256 | 2593c8b59849fbc690cbd513f06685ea3292cd0187fcf6b9069cbf3c9b0e8a85 |
| SHA512 | 132da2d3c1a4dad5ccb399b107d7b6d9203a4b264ef8a65add11c5e8c75859115443e1c65ece2e690c046a82687829f54ec855f99d4843f859ab1dd7c71f35a5 |
C:\Users\Admin\AppData\Local\Temp\nst1640.tmp\7z-out\locales\ru.pak
| MD5 | 2885bde990ee3b30f2c54a4067421b68 |
| SHA1 | ae16c4d534b120fdd68d33c091a0ec89fd58793f |
| SHA256 | 9fcda0d1fab7fff7e2f27980de8d94ff31e14287f58bd5d35929de5dd9cbcdca |
| SHA512 | f7781f5c07fbf128399b88245f35055964ff0cde1cc6b35563abc64f520971ce9916827097ca18855b46ec6397639f5416a6e8386a9390afba4332d47d21693f |
C:\Users\Admin\AppData\Local\Temp\nst1640.tmp\7z-out\locales\zh-TW.pak
| MD5 | 2456bf42275f15e016689da166df9008 |
| SHA1 | 70f7de47e585dfea3f5597b5bba1f436510decd7 |
| SHA256 | adf8df051b55507e5a79fa47ae88c7f38707d02dfac0cc4a3a7e8e17b58c6479 |
| SHA512 | 7e622afa15c70785aaf7c19604d281efe0984f621d6599058c97c19d3c0379b2ee2e03b3a7ec597040a4eee250a782d7ec55c335274dd7db7c7ca97ddcfd378a |
C:\Users\Admin\AppData\Local\Temp\nst1640.tmp\StdUtils.dll
| MD5 | c6a6e03f77c313b267498515488c5740 |
| SHA1 | 3d49fc2784b9450962ed6b82b46e9c3c957d7c15 |
| SHA256 | b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e |
| SHA512 | 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803 |
C:\Users\Admin\AppData\Local\Temp\nst1640.tmp\7z-out\resources\elevate.exe
| MD5 | 792b92c8ad13c46f27c7ced0810694df |
| SHA1 | d8d449b92de20a57df722df46435ba4553ecc802 |
| SHA256 | 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37 |
| SHA512 | 6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40 |
C:\Users\Admin\AppData\Local\Temp\nst1640.tmp\7z-out\resources\app.asar
| MD5 | f07ef66b5100e6ef14979311c831c625 |
| SHA1 | 2f7d5f7e68fc229713b157855ae069ca56b6fd2c |
| SHA256 | 76b64ef0a1814667694ab91832461a0110e5dd1e0b4e9ac07c030aeeb88d7771 |
| SHA512 | 52b6f6919de380bbb13531ff7c188f4f8176845625e0b66f9148f99bb4135135645341ca2416c0c0f2c3035db84c5a2846c1ced2be6f74aaaa075c30756054d0 |
C:\Users\Admin\AppData\Local\Temp\nst1640.tmp\7z-out\locales\zh-CN.pak
| MD5 | 82326e465e3015c64ca1db77dc6a56bc |
| SHA1 | e8abe12a8dd2cc741b9637fa8f0e646043bbfe3d |
| SHA256 | 6655fd9dcdfaf2abf814ffb6c524d67495aed4d923a69924c65abeab30bc74fb |
| SHA512 | 4989789c0b2439666dda4c4f959dffc0ddcb77595b1f817c13a95ed97619c270151597160320b3f2327a7daffc8b521b68878f9e5e5fb3870eb0c43619060407 |
C:\Users\Admin\AppData\Local\Temp\nst1640.tmp\7z-out\locales\vi.pak
| MD5 | db0eb3183007de5aae10f934fffacc59 |
| SHA1 | e9ea7aeffe2b3f5cf75ab78630da342c6f8b7fd9 |
| SHA256 | ddabb225b671b989789e9c2ccd1b5a8f22141a7d9364d4e6ee9b8648305e7897 |
| SHA512 | 703efd12fcace8172c873006161712de1919572c58d98b11de7834c5628444229f5143d231c41da5b9cf729e32de58dee3603cb3d18c6cdd94aa9aa36fbf5de0 |
C:\Users\Admin\AppData\Local\Temp\nst1640.tmp\7z-out\locales\ur.pak
| MD5 | 1ca4fa13bd0089d65da7cd2376feb4c6 |
| SHA1 | b1ba777e635d78d1e98e43e82d0f7a3dd7e97f9c |
| SHA256 | 3941364d0278e2c4d686faa4a135d16a457b4bc98c5a08e62aa12f3adc09aa7f |
| SHA512 | d0d9eb1aa029bd4c34953ee5f4b60c09cf1d4f0b21c061db4ede1b5ec65d7a07fc2f780ade5ce51f2f781d272ac32257b95eedf471f7295ba70b5ba51db6c51d |
C:\Users\Admin\AppData\Local\Temp\nst1640.tmp\7z-out\locales\uk.pak
| MD5 | 361a0e1f665b9082a457d36209b92a25 |
| SHA1 | 3c89e1b70b51820bb6baa64365c64da6a9898e2f |
| SHA256 | bd02966f6c6258b66eae7ff014710925e53fe26e8254d7db4e9147266025cc3a |
| SHA512 | d4d25fc58053f8cce4c073846706dc1ecbc0dc19308ba35501e19676f3e7ed855d7b57ae22a5637f81cefc1aa032bf8770d0737df1924f3504813349387c08cf |
C:\Users\Admin\AppData\Local\Temp\nst1640.tmp\7z-out\locales\tr.pak
| MD5 | 5ff2e5c95067a339e3d6b8985156ec1f |
| SHA1 | 7525b25c7b07f54b63b6459a0d8c8c720bd8a398 |
| SHA256 | 14a131ba318274cf10de533a19776db288f08a294cf7e564b7769fd41c7f2582 |
| SHA512 | 2414386df8d7ab75dcbd6ca2b9ae62ba8e953ddb8cd8661a9f984eb5e573637740c7a79050b2b303af3d5b1d4d1bb21dc658283638718fdd04fc6e5891949d1b |
\ProgramData\Epic\Launcher\SetupFile.exe
| MD5 | 72282850083c4fe4a090a881d36e50c6 |
| SHA1 | 8726c6dc8310237f6705ec25c1cb65c8a48490ae |
| SHA256 | 1e4496d5c4b269e93d44194d4674199fd8286b3c0b256466f1621f2fb74f9d35 |
| SHA512 | f75ffcbdca07041fa94d6b95c823d3b66cc441bb20f2c8c10a15519f30d694af89f0372498c8fa0821d7e2d8c9d3df141c9d623f72f53aea6b2d98a340b9b3ea |
\ProgramData\Epic\Launcher\ffmpeg.dll
| MD5 | 5f987c951f19d28586bfc9cd99dee4d4 |
| SHA1 | abbe04d0ffaa6faa92e1bb9eab04c36e291c55c3 |
| SHA256 | 87baf588db60ac92a6806c0f81a18bfd61fe629a670f75a13e1c8371d9d437df |
| SHA512 | 5742e1f5b1e4dd85b0d4a062cfc4fa7357671340d3afb08d64d4f09162d077717b6e977130f031fdae31dd42a1c1af8130cd7c1af2943d395a3a2d6862f26e39 |
C:\ProgramData\Epic\Launcher\ffmpeg.dll
| MD5 | 38b817264078d43503ab4b0141d7717c |
| SHA1 | b793be00ccbc123c444ba7342b0fc755b7959412 |
| SHA256 | 3e24c696b0fc99e4d7bc23408a41b29cae07bb0483982f31841474d8b756ddbd |
| SHA512 | fda33450e5dac65818f95480507c802af8b7db52a85f4aaa8963fb9e2c67678cb34384099785c46c446e26612eb067f178fd95c6a4a7ad087a165055b88dda24 |
C:\ProgramData\Epic\Launcher\SetupFile.exe
| MD5 | f524b9d8930ece5638c788b6768ce7cf |
| SHA1 | 11e4d569ca6985efd4f817e2027e46cdf8e93cb1 |
| SHA256 | a972dcbbf7c8aa358c9b4a2e48ed6c80d7eff7514e0a300e66bae143f67b5987 |
| SHA512 | 63db5b2127a0f74673ac4a4e2405b22bdfb7a3d43824a373087d40535138c944fe8ef6bf52028922c4b82127afe4aa323d50f76fd7b71935366a5ddb2adda4b6 |
\ProgramData\Epic\Launcher\SetupFile.exe
| MD5 | 9ff1564c8466e29e93d6d0e69c72a12b |
| SHA1 | e356dbd37a62747b7842e76799377359a11462e1 |
| SHA256 | f32390f8078f5dfa0c242648c934bf647707d1d04d8b7065b228dbd3b34ba619 |
| SHA512 | c920bae12ced7bad7f3aba57a07879c176e97c09968b89072a38aae6868f782579872d2fe7f90ebeb2a86008da6e7407e72df221595f9eb7f2cf1b523f0d2589 |
\ProgramData\Epic\Launcher\SetupFile.exe
| MD5 | 7a2493ca2917399fd6630589ace78467 |
| SHA1 | d8f7e56e536d4337ee47769a702cf6681c44919a |
| SHA256 | c09cf910180ed7e918bcdab90bbbd7a90a43a3b36adb2601a5c0b3227c666d9a |
| SHA512 | a81b869e5adb7bd2d307d1409e66e831ead15cecc0ee37441504bd852f850db14769efb6e6a620e7dcfb89e73bc3254473c0eb4822d9fcc4a633b07cddea093b |
C:\Users\Admin\AppData\Local\Temp\nst1640.tmp\7z-out\locales\th.pak
| MD5 | a32ba63feeed9b91f6d6800b51e5aeae |
| SHA1 | 2fbf6783996e8315a4fb94b7d859564350ee5918 |
| SHA256 | e32e37ca0ab30f1816fe6df37e3168e1022f1d3737c94f5472ab6600d97a45f6 |
| SHA512 | adebde0f929820d8368096a9c30961ba7b33815b0f124ca56ca05767ba6d081adf964088cb2b9fcaa07f756b946fffa701f0b64b07d457c99fd2b498cbd1e8a5 |
C:\Users\Admin\AppData\Local\Temp\nst1640.tmp\7z-out\locales\te.pak
| MD5 | a17f16d7a038b0fa3a87d7b1b8095766 |
| SHA1 | b2f845e52b32c513e6565248f91901ab6874e117 |
| SHA256 | d39716633228a5872630522306f89af8585f8092779892087c3f1230d21a489e |
| SHA512 | 371fb44b20b8aba00c4d6f17701fa4303181ad628f60c7b4218e33be7026f118f619d66d679bffcb0213c48700fafd36b2e704499a362f715f63ea9a75d719e7 |
C:\Users\Admin\AppData\Local\Temp\nst1640.tmp\7z-out\locales\ta.pak
| MD5 | 18ec8ff3c0701a6a8c48f341d368bab5 |
| SHA1 | 8bff8aee26b990cf739a29f83efdf883817e59d8 |
| SHA256 | 052bcdb64a80e504bb6552b97881526795b64e0ab7ee5fc031f3edf87160dee9 |
| SHA512 | a0e997fc9d316277de3f4773388835c287ab1a35770c01e376fb7428ff87683a425f6a6a605d38dd7904ca39c50998cd85f855cb33ae6abad47ac85a1584fe4e |
C:\Users\Admin\AppData\Local\Temp\nst1640.tmp\7z-out\locales\sw.pak
| MD5 | 67a443a5c2eaad32625edb5f8deb7852 |
| SHA1 | a6137841e8e7736c5ede1d0dc0ce3a44dc41013f |
| SHA256 | 41dfb772ae4c6f9e879bf7b4fa776b2877a2f8740fa747031b3d6f57f34d81dd |
| SHA512 | e0fdff1c3c834d8af8634f43c2f16ba5b883a8d88dfd322593a13830047568faf9f41d0bf73cd59e2e33c38fa58998d4702d2b0c21666717a86945d18b3f29e5 |
C:\Users\Admin\AppData\Local\Temp\nst1640.tmp\7z-out\locales\sv.pak
| MD5 | 272f8a8b517c7283eab83ba6993eea63 |
| SHA1 | ad4175331b948bd4f1f323a4938863472d9b700c |
| SHA256 | d15b46bc9b5e31449b11251df19cd2ba4920c759bd6d4fa8ca93fd3361fdd968 |
| SHA512 | 3a0930b7f228a779f727ebfb6ae8820ab5cc2c9e04c986bce7b0f49f9bf124f349248ecdf108edf8870f96b06d58dea93a3e0e2f2da90537632f2109e1aa65f0 |
C:\Users\Admin\AppData\Local\Temp\nst1640.tmp\7z-out\locales\sr.pak
| MD5 | c68c235d8e696c098cf66191e648196b |
| SHA1 | 5c967fbbd90403a755d6c4b2411e359884dc8317 |
| SHA256 | ab96a18177af90495e2e3c96292638a775aa75c1d210ca6a6c18fbc284cd815b |
| SHA512 | 34d14d8cb851df1ea8cd3cc7e9690eaf965d8941cfcac1c946606115ad889630156c5ff47011b27c1288f8df70e8a7dc41909a9fa98d75b691742ec1d1a5e653 |
C:\Users\Admin\AppData\Local\Temp\nst1640.tmp\7z-out\locales\sl.pak
| MD5 | ca763e801de642e4d68510900ff6fabb |
| SHA1 | c32a871831ce486514f621b3ab09387548ee1cff |
| SHA256 | 340e0babe5fddbfda601c747127251cf111dd7d79d0d6a5ec4e8443b835027de |
| SHA512 | e2847ce75de57deb05528dd9557047edcd15d86bf40a911eb97e988a8fdbda1cd0e0a81320eadf510c91c826499a897c770c007de936927df7a1cc82fa262039 |
C:\Users\Admin\AppData\Local\Temp\nst1640.tmp\7z-out\locales\sk.pak
| MD5 | b7e97cc98b104053e5f1d6a671c703b7 |
| SHA1 | 0f7293f1744ae2cd858eb3431ee016641478ae7d |
| SHA256 | b0d38869275d9d295e42b0b90d0177e0ca56a393874e4bb454439b8ce25d686f |
| SHA512 | ef3247c6f0f4065a4b68db6bf7e28c8101a9c6c791b3f771ed67b5b70f2c9689cec67a1c864f423382c076e4cbb6019c1c0cb9ad0204454e28f749a69b6b0de0 |
C:\Users\Admin\AppData\Local\Temp\nst1640.tmp\7z-out\locales\ro.pak
| MD5 | d2758f6adbaeea7cd5d95f4ad6dde954 |
| SHA1 | d7476db23d8b0e11bbabf6a59fde7609586bdc8a |
| SHA256 | 2b7906f33bfbe8e9968bcd65366e2e996cdf2f3e1a1fc56ad54baf261c66954c |
| SHA512 | 8378032d6febea8b5047ada667cb19e6a41f890cb36305acc2500662b4377caef3dc50987c925e05f21c12e32c3920188a58ee59d687266d70b8bfb1b0169a6e |
C:\Users\Admin\AppData\Local\Temp\nst1640.tmp\7z-out\locales\pt-PT.pak
| MD5 | b4954b064e3f6a9ba546dda5fa625927 |
| SHA1 | 584686c6026518932991f7de611e2266d8523f9d |
| SHA256 | ee1e014550b85e3d18fb5128984a713d9f6de2258001b50ddd18391e7307b4a1 |
| SHA512 | cb3b465b311f83b972eca1c66862b2c5d6ea6ac15282e0094aea455123ddf32e85df24a94a0aedbe1b925ff3ed005ba1e00d5ee820676d7a5a366153ade90ef7 |
C:\Users\Admin\AppData\Local\Temp\nst1640.tmp\7z-out\locales\pt-BR.pak
| MD5 | 8e931ffbded8933891fb27d2cca7f37d |
| SHA1 | ab0a49b86079d3e0eb9b684ca36eb98d1d1fd473 |
| SHA256 | 6632bd12f04a5385012b5cdebe8c0dad4a06750dc91c974264d8fe60e8b6951d |
| SHA512 | cf0f6485a65c13cf5ddd6457d34cdea222708b0bb5ca57034ed2c4900fd22765385547af2e2391e78f02dcf00b7a2b3ac42a3509dd4237581cfb87b8f389e48d |
C:\Users\Admin\AppData\Local\Temp\nst1640.tmp\7z-out\locales\nl.pak
| MD5 | 0f04bac280035fab018f634bcb5f53ae |
| SHA1 | 4cad76eaecd924b12013e98c3a0e99b192be8936 |
| SHA256 | be254bcda4dbe167cb2e57402a4a0a814d591807c675302d2ce286013b40799b |
| SHA512 | 1256a6acac5a42621cb59eb3da42ddeeacfe290f6ae4a92d00ebd4450a8b7ccb6f0cd5c21cf0f18fe4d43d0d7aee87b6991fef154908792930295a3871fa53df |
C:\Users\Admin\AppData\Local\Temp\nst1640.tmp\7z-out\locales\nb.pak
| MD5 | 55d5ad4eacb12824cfcd89470664c856 |
| SHA1 | f893c00d8d4fdb2f3e7a74a8be823e5e8f0cd673 |
| SHA256 | 4f44789a2c38edc396a31aba5cc09d20fb84cd1e06f70c49f0664289c33cd261 |
| SHA512 | 555d87be8c97f466c6b3e7b23ec0210335846398c33dba71e926ff7e26901a3908dbb0f639c93db2d090c9d8bda48eddf196b1a09794d0e396b2c02b4720f37e |
C:\Users\Admin\AppData\Local\Temp\nst1640.tmp\7z-out\locales\ms.pak
| MD5 | aee105366a1870b9d10f0f897e9295db |
| SHA1 | eee9d789a8eeafe593ce77a7c554f92a26a2296f |
| SHA256 | c6471aee5f34f31477d57f593b09cb1de87f5fd0f9b5e63d8bab4986cf10d939 |
| SHA512 | 240688a0054bfebe36ea2b056194ee07e87bbbeb7e385131c73a64aa7967984610fcb80638dd883837014f9bc920037069d0655e3e92a5922f76813aedb185fa |
C:\Users\Admin\AppData\Local\Temp\nst1640.tmp\7z-out\locales\mr.pak
| MD5 | 2cf9f07ddf7a3a70a48e8b524a5aed43 |
| SHA1 | 974c1a01f651092f78d2d20553c3462267ddf4e9 |
| SHA256 | 23058c0f71d9e40f927775d980524d866f70322e0ef215aa5748c239707451e7 |
| SHA512 | 0b21570deefa41defc3c25c57b3171635bcb5593761d48a8116888ce8be34c1499ff79c7a3ebbe13b5a565c90027d294c6835e92e6254d582a86750640fe90f2 |
C:\Users\Admin\AppData\Local\Temp\nst1640.tmp\7z-out\locales\ml.pak
| MD5 | 1c81104ac2cbf7f7739af62eb77d20d5 |
| SHA1 | 0f0d564f1860302f171356ea35b3a6306c051c10 |
| SHA256 | 66005bc01175a4f6560d1e9768dbc72b46a4198f8e435250c8ebc232d2dac108 |
| SHA512 | 969294eae8c95a1126803a35b8d3f1fc3c9d22350aa9cc76b2323b77ad7e84395d6d83b89deb64565783405d6f7eae40def7bdaf0d08da67845ae9c7dbb26926 |
C:\Users\Admin\AppData\Local\Temp\nst1640.tmp\7z-out\locales\lv.pak
| MD5 | a8cbd741a764f40b16afea275f240e7e |
| SHA1 | 317d30bbad8fd0c30de383998ea5be4eec0bb246 |
| SHA256 | a1a9d84fd3af571a57be8b1a9189d40b836808998e00ec9bd15557b83d0e3086 |
| SHA512 | 3da91c0ca20165445a2d283db7dc749fcf73e049bfff346b1d79b03391aefc7f1310d3ac2c42109044cfb50afcf178dcf3a34b4823626228e591f328dd7afe95 |
C:\Users\Admin\AppData\Local\Temp\nst1640.tmp\7z-out\locales\lt.pak
| MD5 | 64b08ffc40a605fe74ecc24c3024ee3b |
| SHA1 | 516296e8a3114ddbf77601a11faf4326a47975ab |
| SHA256 | 8a5d6e29833374e0f74fd7070c1b20856cb6b42ed30d18a5f17e6c2e4a8d783e |
| SHA512 | 05d207413186ac2b87a59681efe4fdf9dc600d0f3e8327e7b9802a42306d80d0ddd9ee07d103b17caf0518e42ab25b7ca9da4713941abc7bced65961671164ac |
C:\Users\Admin\AppData\Local\Temp\nst1640.tmp\7z-out\locales\kn.pak
| MD5 | caab4deb1c40507848f9610d849834cf |
| SHA1 | 1bc87ff70817ba1e1fdd1b5cb961213418680cbe |
| SHA256 | 7a34483e6272f9b8881f0f5a725b477540166561c75b9e7ab627815d4be1a8a4 |
| SHA512 | dc4b63e5a037479bb831b0771aec0fe6eb016723bcd920b41ab87ef11505626632877073ce4e5e0755510fe19ba134a7b5899332ecef854008b15639f915860c |
C:\Users\Admin\AppData\Local\Temp\nst1640.tmp\7z-out\locales\ja.pak
| MD5 | 38cd3ef9b7dff9efbbe086fa39541333 |
| SHA1 | 321ef69a298d2f9830c14140b0b3b0b50bd95cb0 |
| SHA256 | d8fab5714dafecb89b3e5fce4c4d75d2b72893e685e148e9b60f7c096e5b3337 |
| SHA512 | 40785871032b222a758f29e0c6ec696fbe0f6f5f3274cc80085961621bec68d7e0fb47c764649c4dd0c27c6ee02460407775fae9d3a2a8a59362d25a39266ce0 |
C:\Users\Admin\AppData\Local\Temp\nst1640.tmp\7z-out\locales\it.pak
| MD5 | 745f16ca860ee751f70517c299c4ab0e |
| SHA1 | 54d933ad839c961dd63a47c92a5b935eef208119 |
| SHA256 | 10e65f42ce01ba19ebf4b074e8b2456213234482eadf443dfad6105faf6cde4c |
| SHA512 | 238343d6c80b82ae900f5abf4347e542c9ea016d75fb787b93e41e3c9c471ab33f6b4584387e5ee76950424e25486dd74b9901e7f72876960c0916c8b9cee9a6 |
C:\Users\Admin\AppData\Local\Temp\nst1640.tmp\7z-out\locales\id.pak
| MD5 | b6fcd5160a3a1ae1f65b0540347a13f2 |
| SHA1 | 4cf37346318efb67908bba7380dbad30229c4d3d |
| SHA256 | 7fd715914e3b0cf2048d4429f3236e0660d5bd5e61623c8fef9b8e474c2ac313 |
| SHA512 | a8b4a96e8f9a528b2df3bd1251b72ab14feccf491dd254a7c6ecba831dfaba328adb0fd0b4acddb89584f58f94b123e97caa420f9d7b34131cc51bdbdbf3ed73 |
C:\Users\Admin\AppData\Local\Temp\nst1640.tmp\7z-out\locales\hr.pak
| MD5 | 255f808210dbf995446d10ff436e0946 |
| SHA1 | 1785d3293595f0b13648fb28aec6936c48ea3111 |
| SHA256 | 4df972b7f6d81aa7bdc39e2441310a37f746ae5015146b4e434a878d1244375b |
| SHA512 | 8b1a4d487b0782055717b718d58cd21e815b874e2686cdfd2087876b70ae75f9182f783c70bf747cf4ca17a3afc68517a9db4c99449fa09bef658b5e68087f2a |
C:\Users\Admin\AppData\Local\Temp\nst1640.tmp\7z-out\locales\hi.pak
| MD5 | b5dfce8e3ba0aec2721cc1692b0ad698 |
| SHA1 | c5d6fa21a9ba3d526f3e998e3f627afb8d1eecf3 |
| SHA256 | b1c7fb6909c8a416b513d6de21eea0b5a6b13c7f0a94cabd0d9154b5834a5e8b |
| SHA512 | facf0a9b81af6bb35d0fc5e69809d5c986a2c91a166e507784bdad115644b96697fe504b8d70d9bbb06f0c558f746c085d37e385eef41f0a1c29729d3d97980f |
C:\Users\Admin\AppData\Local\Temp\nst1640.tmp\7z-out\locales\he.pak
| MD5 | fc84ea7dc7b9408d1eea11beeb72b296 |
| SHA1 | de9118194952c2d9f614f8e0868fb273ddfac255 |
| SHA256 | 15951767dafa7bdbedac803d842686820de9c6df478416f34c476209b19d2d8c |
| SHA512 | 49d13976dddb6a58c6fdcd9588e243d705d99dc1325c1d9e411a1d68d8ee47314dfcb661d36e2c4963c249a1542f95715f658427810afcabdf9253aa27eb3b24 |
C:\Users\Admin\AppData\Local\Temp\nst1640.tmp\7z-out\locales\gu.pak
| MD5 | 308619d65b677d99f48b74ccfe060567 |
| SHA1 | 9f834df93fd48f4fb4ca30c4058e23288cf7d35e |
| SHA256 | e40ee4f24839f9e20b48d057bf3216bc58542c2e27cb40b9d2f3f8a1ea5bfbb4 |
| SHA512 | 3ca84ad71f00b9f7cc61f3906c51b263f18453fce11ec6c7f9edfe2c7d215e3550c336e892bd240a68a6815af599cc20d60203294f14adb133145ca01fe4608f |
C:\Users\Admin\AppData\Local\Temp\nst1640.tmp\7z-out\locales\fil.pak
| MD5 | d7df2ea381f37d6c92e4f18290c6ffe0 |
| SHA1 | 7cacf08455aa7d68259fcba647ee3d9ae4c7c5e4 |
| SHA256 | db4a63fa0d5b2baba71d4ba0923caed540099db6b1d024a0d48c3be10c9eed5a |
| SHA512 | 96fc028455f1cea067b3a3dd99d88a19a271144d73dff352a3e08b57338e513500925787f33495cd744fe4122dff2d2ee56e60932fc02e04feed2ec1e0c3533f |
C:\Users\Admin\AppData\Local\Temp\nst1640.tmp\7z-out\locales\fi.pak
| MD5 | 21e534869b90411b4f9ea9120ffb71c8 |
| SHA1 | cc91ffbd19157189e44172392b2752c5f73984c5 |
| SHA256 | 2d337924139ffe77804d2742eda8e58d4e548e65349f827840368e43d567810b |
| SHA512 | 3ca3c0adaf743f92277452b7bd82db4cf3f347de5568a20379d8c9364ff122713befd547fbd3096505ec293ae6771ada4cd3dadac93cc686129b9e5aacf363bd |
C:\Users\Admin\AppData\Local\Temp\nst1640.tmp\7z-out\locales\fa.pak
| MD5 | 2e37fd4e23a1707a1eccea3264508dff |
| SHA1 | e00e58ed06584b19b18e9d28b1d52dbfc36d70f3 |
| SHA256 | b9ee861e1bdecffe6a197067905279ea77c180844a793f882c42f2b70541e25e |
| SHA512 | 7c467f434eb0ce8e4a851761ae9bd7a9e292aab48e8e653e996f8ca598d0eb5e07ec34e2b23e544f3b38439dc3b8e3f7a0dfd6a8e28169aa95ceff42bf534366 |
C:\Users\Admin\AppData\Local\Temp\nst1640.tmp\7z-out\locales\es.pak
| MD5 | 04a9ba7316dc81766098e238a667de87 |
| SHA1 | 24d7eb4388ecdfecada59c6a791c754181d114de |
| SHA256 | 7fa148369c64bc59c2832d617357879b095357fe970bab9e0042175c9ba7cb03 |
| SHA512 | 650856b6187df41a50f9bed29681c19b4502de6af8177b47bad0bf12e86a25e92aa728311310c28041a18e4d9f48ef66d5ad5d977b6662c44b49bfd1da84522b |
C:\Users\Admin\AppData\Local\Temp\nst1640.tmp\7z-out\locales\es-419.pak
| MD5 | 7da3e8aa47ba35d014e1d2a32982a5bb |
| SHA1 | 8e35320b16305ad9f16cb0f4c881a89818cd75bb |
| SHA256 | 7f85673cf80d1e80acfc94fb7568a8c63de79a13a1bb6b9d825b7e9f338ef17c |
| SHA512 | 1fca90888eb067972bccf74dd5d09bb3fce2ceb153589495088d5056ed4bdede15d54318af013c2460f0e8b5b1a5c6484adf0ed84f4b0b3c93130b086da5c3bf |
C:\Users\Admin\AppData\Local\Temp\nst1640.tmp\7z-out\locales\en-US.pak
| MD5 | 19d18f8181a4201d542c7195b1e9ff81 |
| SHA1 | 7debd3cf27bbe200c6a90b34adacb7394cb5929c |
| SHA256 | 1d20e626444759c2b72aa6e998f14a032408d2b32f957c12ec3abd52831338fb |
| SHA512 | af07e1b08bbf2dd032a5a51a88ee2923650955873753629a086cad3b1600ce66ca7f9ed31b8ca901c126c10216877b24e123144bb0048f2a1e7757719aae73f2 |
C:\Users\Admin\AppData\Local\Temp\nst1640.tmp\7z-out\locales\en-GB.pak
| MD5 | 825ed4c70c942939ffb94e77a4593903 |
| SHA1 | 7a3faee9bf4c915b0f116cb90cec961dda770468 |
| SHA256 | e11e8db78ae12f8d735632ba9fd078ec66c83529cb1fd86a31ab401f6f833c16 |
| SHA512 | 41325bec22af2e5ef8e9b26c48f2dfc95763a249ccb00e608b7096ec6236ab9a955de7e2340fd9379d09ac2234aee69aed2a24fe49382ffd48742d72a929c56a |
C:\Users\Admin\AppData\Local\Temp\nst1640.tmp\7z-out\locales\de.pak
| MD5 | cf22ec11a33be744a61f7de1a1e4514f |
| SHA1 | 73e84848c6d9f1a2abe62020eb8c6797e4c49b36 |
| SHA256 | 7cc213e2c9a2d2e2e463083dd030b86da6bba545d5cee4c04df8f80f9a01a641 |
| SHA512 | c10c8446e3041d7c0195da184a53cfbd58288c06eaf8885546d2d188b59667c270d647fa7259f5ce140ec6400031a7fc060d0f2348ab627485e2207569154495 |
C:\Users\Admin\AppData\Local\Temp\nst1640.tmp\7z-out\locales\da.pak
| MD5 | e7ba94c827c2b04e925a76cb5bdd262c |
| SHA1 | abba6c7fcec8b6c396a6374331993c8502c80f91 |
| SHA256 | d8da7ab28992c8299484bc116641e19b448c20adf6a8b187383e2dba5cd29a0b |
| SHA512 | 1f44fce789cf41fd62f4d387b7b8c9d80f1e391edd2c8c901714dd0a6e3af32266e9d3c915c15ad47c95ece4c7d627aa7339f33eea838d1af9901e48edb0187e |
C:\Users\Admin\AppData\Local\Temp\nst1640.tmp\7z-out\locales\ca.pak
| MD5 | 4cd6b3a91669ddcfcc9eef9b679ab65c |
| SHA1 | 43c41cb00067de68d24f72e0f5c77d3b50b71f83 |
| SHA256 | 56efff228ee3e112357d6121b2256a2c3acd718769c89413de82c9d4305459c6 |
| SHA512 | 699be9962d8aae241abd1d1f35cd8468ffbd6157bcd6bdf2c599d902768351b247baad6145b9826d87271fd4a19744eb11bf7065db7fefb01d66d2f1f39015a9 |
Analysis: behavioral6
Detonation Overview
Submitted
2024-03-02 21:28
Reported
2024-03-02 22:41
Platform
win10v2004-20240226-en
Max time kernel
143s
Max time network
147s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1724 wrote to memory of 3556 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1724 wrote to memory of 3556 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1724 wrote to memory of 3556 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3556 -ip 3556
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3556 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 20.231.121.79:80 | tcp | |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.246.116.51.in-addr.arpa | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-03-02 21:28
Reported
2024-03-02 22:41
Platform
win7-20240220-en
Max time kernel
121s
Max time network
134s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AE20DDE1-D8E5-11EE-A1AD-46837A41B3D6} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000abb8596cc50c0546bfda6658dcffc23300000000020000000000106600000001000020000000432be55e213b17c783743df568ba1b2242e498611170cb0312cc04ccff450156000000000e8000000002000020000000b1677cd74c5f1be1fedec975a51b4a694fe9adc6c9f395d44192a7a9dd56f63a20000000f6c6a4f79ce140c3625c583a1d548dc588c97402c03cd5ceb4a00dfaca7ada0b4000000080c45b09e2d2295484f8eb4a366d845bae2cc209a09236cb539feccc9c5015044b168db394a3a4c7575937ba048f0855380e8985d27a3bd340eebf5704ad40ef | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 502ad682f26cda01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000abb8596cc50c0546bfda6658dcffc23300000000020000000000106600000001000020000000a99571f85a9e2764a241b0674edf061e71fea3748b162bb8130f884fc7cce903000000000e80000000020000200000003beab62291f948b9f468c30c29cd5239d54cab39e8e11bed865f95255ea95de6900000008d3e0950d85c33c2451662d0b61711f3d12378127cee74acc6b1f952b40762baf383887d316af038a2a4f11c804d5dfe472f3b5d669f3b5013439abfa5ce5606305e0950ef83dd4e7ce06a65f3c2660ce53c2c1df233b0575888fd38f155ad6259fb18b55e03694a1676205d45800bd11aa580d26ba3a995cf22ea40dbb4c2124053cb3fc21d69a4b3780b2245e9f39040000000b2e9734adfcfe0aee203bda21b58346cde83a745ed2f1629a6b854988c569c7ab87888c3ff03c9a1e313d9e3070eb7762f1bc70735661f58a0526bb02421f493 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "415581015" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2060 wrote to memory of 1804 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2060 wrote to memory of 1804 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2060 wrote to memory of 1804 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2060 wrote to memory of 1804 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2060 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab39F7.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 753df6889fd7410a2e9fe333da83a429 |
| SHA1 | 3c425f16e8267186061dd48ac1c77c122962456e |
| SHA256 | b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78 |
| SHA512 | 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444 |
C:\Users\Admin\AppData\Local\Temp\Tar3B17.tmp
| MD5 | dd73cead4b93366cf3465c8cd32e2796 |
| SHA1 | 74546226dfe9ceb8184651e920d1dbfb432b314e |
| SHA256 | a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22 |
| SHA512 | ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5e32f3f5ad9b08694f43983c36b2adaa |
| SHA1 | 8f5142a178d726fb3cb3057b6d3f2ebd3793aaa8 |
| SHA256 | a3834eaaf203e4d617150e4b407ce5d7820fdd3c4e82480f02a153e0b8b6bdf7 |
| SHA512 | 93283145e4c822fe72a0b91835ed5c6d7df5e01852feca468270473911d1b5ce2b2d586b8a2f9a2c372c5c1412d02577d38624f41a25e3d664b0e5a9f809de2e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 52259953972212cecc0667a659315da0 |
| SHA1 | b8764dbb6c6a7de80fd84af9a47129c08d907d53 |
| SHA256 | db2e76e7bc13574f8113ae1da7d08b4af0ecf81e135a25523db321a97b2c4d51 |
| SHA512 | 1b30c684fc93fa0866347ac4db166ca18eb0d21cd8706974e13edb327221d0f3c9116afccb5745d5eb2509e8bba5172e79ed6c0534c73dbcb4eee5377ec70ebe |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c450cd1bc82fcc73fac2c0013dba7da3 |
| SHA1 | 840d321b965f7cc4f7e4623ed87cd32438f0a7d5 |
| SHA256 | ef1ca9df26cd6c4f76e7c24c3afc55558365089543d4de85774de670fed14b37 |
| SHA512 | 69fe59bb2be0b9cdf27a29b58ffe4506015a2490f2b3e5a88aae2724ffc79a3adac61165d4839aad49d69d4d5ba8ba008369bbcef423f9d1a54666edefd5cac2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | afa2ad49e1b9f01acc0f316d647dc324 |
| SHA1 | f99915ef69f3916d1a8bd41e6baafe6aab285ac9 |
| SHA256 | ff41c016fc68dccb9d6ff89e149d0f3e2fc99f648f7c07f18792d3128c522a0f |
| SHA512 | 93a8cb3b86566b0bec7c9fb723b56e8651f0e2650b25fbb8e438561a913682d1517da0762887083d002cb919b1c9abca318a654aa9872f16b70f396ffb6bde38 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 824b8593d7eb7af2a0f82a4d3e91d83c |
| SHA1 | f44dd20268a34c618480abec4eae83996d7d168f |
| SHA256 | b1fa1ef3ade9e1e928c8c207be14472d9e6804e21f10dad846e5c5aab5741ee8 |
| SHA512 | dd4ff91437bb91a5aad340fa57fc92ec73791870b13145be8378535e4f6f4fdcb2b85343874b665b9f5be64468d7fcca5716181baca556fd627c31a38be3b890 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6d45ecdbecde7e1ed18843d6b715b56f |
| SHA1 | 90fb266c60b070c7c7eedb58867042124b5e6968 |
| SHA256 | efd13785def93175918ede319a5629bf8fa21128231b9d93d52dde99fdf15b70 |
| SHA512 | 6326fb709373f1c39fe06e0d4ea16cb38cbae6b3730a8b45a07733d36f9f30c7aef2d8ba80af7b4f51157e5cfbfffc64cbfe7f1724c37f2f80753494de10909b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1508821bd92a009d530c0abdebc87549 |
| SHA1 | 4e53441f9f997c6662890e089f82dcea1b07a11f |
| SHA256 | b1223f07a8109604e4a442fa14249f18a98aeb0fd5d89e895327c6407ddeb53a |
| SHA512 | 5e26328e63f8fa28e75752e4c249cc0de969de8f5027611befaf36a37813b3a3d3da214b6675396af5cafed5e74924771bc2dc263ac00df8495b78e2323c2079 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2ffef6d7cf4b1b10d2fc473793799dc1 |
| SHA1 | 3fb42c4e65bf6cdb46416c6c8fc23ee86d347248 |
| SHA256 | 003019e85a963ba5679aa1122bdb2aa6387ad5e04168f4423729cbdf4c1d1a1b |
| SHA512 | db23cd67089cb32bc828ba4f4f11a5562d603573eda23ba3145962faf56b42b4071c2852be3e6722d1417e31e04a00ae863ef90309af54d59a3fdbaa11447c5c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 48199704a36a68bd7a00be8eff90a62f |
| SHA1 | 6f165913bce5c5bf8c8308ac9ee4b7ee622cdf10 |
| SHA256 | 7a97c169991aee5f9910cef7281e3ba22077504292e612c5aa96699ecb51342b |
| SHA512 | 59dabb74f0f5644933a9423a83ba4a35a80277a9f3cd299a93f6615d80582b909b12327b7a3353546b26097baeb1866d9cd68b1ea7359a8f17aba4d81aa50549 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 81d11caf87437441a2a8b097f84910bf |
| SHA1 | cba764ad62bcac14bb606a51f6a3019ee1a80430 |
| SHA256 | cbe350c09a552f693923ed92852824ba904b90c45ae327fd4c5e80d87eb6a98a |
| SHA512 | e097bc61cab176e989bc37e5ee73000f464b98c0e890ec659afd169c46b3e954fcb134208548719e5c8b85b41c73d8cd7e047272b4c3a364f5bf26a6bba0113d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6e0381146b9e6eb0c0bba32f0099adf1 |
| SHA1 | e2fad345b999351e80935acbe0753ab4edeaaf91 |
| SHA256 | 90ce1f650e9ac4bfdb54628badaf9f0b93ef33e1fd5c29f5116b9ac04bcef0be |
| SHA512 | 944bbd0513b8b10b0b5f510d529c8b409d5d19f784e3497bfec42ea33e255cee545678db7f16c0ac81bb9cfc4b1be1785d20718dfb2953bec5d3dd6d267a389f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3fc2d4be46bf2502afad051af593ce69 |
| SHA1 | 099eb73f4cbfaecae7355e5ad6b64e0ffcb8c699 |
| SHA256 | f17792d4b8a703b5be7a9d9747366a71811da08d712cbbda91ea774e5d805852 |
| SHA512 | 39f7e96b380d82ba5ec62144c969636a2d28dac20d9e359cd9a839c1cf2e5017bd28e506528523f629c31c0f6b50e41a17268204c34eb49843a073fe4b8dd7b1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 93749d37ae4a48689101b78b221e42a6 |
| SHA1 | 07b92fae4aab3eb9caf0df2076ce7f7e820995e4 |
| SHA256 | f25f31b0a28c29a4f03ba99ffdc987fb887d115f8ad7d7a1454e85f481880175 |
| SHA512 | 0634f9acc8b75fbb29c478404c4b442f29740f02548270be93250248102baa16bac16d71b1eeea6a04957303fb8b358976a9fecddd4e7eb3c125278838926e3a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4f8ec0e6c33b16638d62b62fa783c6e0 |
| SHA1 | d9ed2000f34029d640152b00c55aaba27aa73f0e |
| SHA256 | c5a44d7f26446dc2809c6f401766eb469be6876a62bd102e217313c14447ec18 |
| SHA512 | ef8eb249f8fe4b0a327a9a1ad679ce40c287e7f6144bce6429f00b4ccc42101b92259a2e0a97cc4ff498bc92005bf81f0b92e412ae087cea6528fa0650ecf92f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9736b8fd06106cc99d90c611b6e1d91f |
| SHA1 | d6ad06a0f83136c6598988e39bc52f808f66d136 |
| SHA256 | e55ce8a0aad53b41ce33264ef6ac5ca91a997892e18e2efe327f10f1fc0f8e2f |
| SHA512 | aa0f518fab0be5ca2f28ed6db12aabd61a797e6c6217742fcc706a5e7fce773c99cf562eaa12d7c28ed9a1b538b7a44bf2d0596e93d1743d268df7706b91b42e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8ddf7c9733c1a32c952bad82697086a9 |
| SHA1 | 4a5ac8290fcf2915215bfcbde58939cff6734733 |
| SHA256 | 5f3ddee2db085299f79fa416bfa298cc2539354c330a2d5bc4940e6c1ad7f3be |
| SHA512 | 9af21207f39d57ad9f0974daafe915903bb5583be0a0a9d8815df00ebbe4eaef5953cfb62208790b8d74f6b6c86c654e1ae5892e94f47eca31b9308f5ebf70f1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d617de0c583f1e1cf138b02969cd1f58 |
| SHA1 | 91ee4f564fa9ea6788ed665a7d0595c713c9c0e0 |
| SHA256 | 22ce5cb0a770a49d56db66369c121ef25efaff9924999d27cf6262ab54defd4d |
| SHA512 | b0b2c5425187ad5acf49799b0feb5baf3ceedd119294d611d3cf8a1f89d8ae87b6855841825762664b8e9e80c9d52e5a1fb15005931453f92f13ca4dc7723a8d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 072f766df2e10fca41abc628f6cc4ab0 |
| SHA1 | d4e092a6d8e6729f96657d6002dbfa7ceb0d5c67 |
| SHA256 | 7c9edf6f22e818196e94ad0ad869094f28dbae0404a06b5963cff83e723f1a5a |
| SHA512 | 33e74936aa7e767528fd0e8c8b67c5262a1f6579115005da4efe5c63cd8365e8a1f430f35e00bc2e32f19c52262afd324ffd5936445095a0f76c2d64a3f18196 |
Analysis: behavioral8
Detonation Overview
Submitted
2024-03-02 21:28
Reported
2024-03-02 22:41
Platform
win10v2004-20240226-en
Max time kernel
147s
Max time network
161s
Command Line
Signatures
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc5a7146f8,0x7ffc5a714708,0x7ffc5a714718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1864,9160066717145080724,14017203912468940754,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1864,9160066717145080724,14017203912468940754,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1864,9160066717145080724,14017203912468940754,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,9160066717145080724,14017203912468940754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,9160066717145080724,14017203912468940754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1864,9160066717145080724,14017203912468940754,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5340 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1864,9160066717145080724,14017203912468940754,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5340 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,9160066717145080724,14017203912468940754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4904 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,9160066717145080724,14017203912468940754,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,9160066717145080724,14017203912468940754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,9160066717145080724,14017203912468940754,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1864,9160066717145080724,14017203912468940754,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2056 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.192.122.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.246.116.51.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 4b206e54d55dcb61072236144d1f90f8 |
| SHA1 | c2600831112447369e5b557e249f86611b05287d |
| SHA256 | 87bf9a4c3564eb3d8bef70450da843ae6003271222734c4d28d9961c52782e0b |
| SHA512 | c9e8d2452368873e0622b002a0c2f8a2714b5897a09475738a9f9740122d716a9f0d3841725230d58e039564c820d32a6f3a675a7bb04bd163bab53dcb4e22f2 |
\??\pipe\LOCAL\crashpad_4432_DVFPUFLJRWDRTLER
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 73c8d54f775a1b870efd00cb75baf547 |
| SHA1 | 33024c5b7573c9079a3b2beba9d85e3ba35e6b0e |
| SHA256 | 1ce86be0476a2a9e409fcb817126285bc4ad83efd03ee06a2f86910fe18d4d94 |
| SHA512 | 191344f5830cfea68499bd49073ffa7215a42265a9629d203d07849b2417c0ffdbdbf288bf2c669e91009a0d7e8bd6a6b378c92fc283049141231ca7bf4da3b8 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 6729b63607841084252a4dfe931ec5cd |
| SHA1 | e573fdaf9815507be8ad1a8148d53fe0c6d6df6c |
| SHA256 | 96acbcc927dbb32d4a1920a38d41dde9de79852b88ea31fdb578767664e0836b |
| SHA512 | 7622825a90ffbcb5e97396010d9d009ab4dda92958fe275403ef4654562a8604a77561cadc90bf4ee13583a2ed8cfd15c3607dd95691e5f7b9284ca2fbc9dad8 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 8f28816de92f9851521c94c428f5b289 |
| SHA1 | 38fe769fd9e5dab3a000efbc024f1c14079c071b |
| SHA256 | 4e576cbc0022c5a1fc87bb52780048b4b86dec97844392248bf253f33539593c |
| SHA512 | 789a09b0bf419c9efbb9242062d638a9e71adf21aaeada6571df5496a5796240716bd343645e4492933d41e5405aebbcbb48f4fa20cef00dd666c578f3bdca93 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 457e655de0ca811fa421d41f0b7f8268 |
| SHA1 | d577308846e95d4d672f8df6034aab3942ef1a2e |
| SHA256 | b2790ecbeb416028c7825e62dbba71303d9d8e7b5912b155adaf8db05b69d399 |
| SHA512 | c1bd5fbd66692de99bcf5f6e18b9e402cbaebf4ca14c64872d12a744c7b097e5ac26d26ffe7dd4d835f763c32009591efcc03864e7e3fe24d74369b7ad17445f |
Analysis: behavioral11
Detonation Overview
Submitted
2024-03-02 21:28
Reported
2024-03-02 22:41
Platform
win10v2004-20240226-en
Max time kernel
143s
Max time network
161s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3dcompiler_47.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 2.17.5.133:80 | www.microsoft.com | tcp |
| GB | 2.17.5.133:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | 133.5.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.64.52.20.in-addr.arpa | udp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-03-02 21:28
Reported
2024-03-02 22:42
Platform
win10v2004-20240226-en
Max time kernel
153s
Max time network
166s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\SetupFile.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SetupFile.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EpicGamesLauncher = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SetupFile.exe" | C:\Windows\system32\reg.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
An obfuscated cmd.exe command-line is typically used to evade detection.
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SetupFile.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SetupFile.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SetupFile.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SetupFile.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\SetupFile.exe
"C:\Users\Admin\AppData\Local\Temp\SetupFile.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v EpicGamesLauncher /f"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,39,157,190,44,185,213,196,73,159,101,157,196,251,40,97,204,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,207,176,84,217,60,156,184,59,3,27,231,184,96,180,176,22,190,214,124,225,126,33,24,28,196,26,70,57,195,110,188,82,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,30,83,80,130,223,215,209,200,154,200,135,30,7,211,45,117,47,236,133,54,162,197,248,48,15,191,4,221,82,229,239,73,48,0,0,0,242,255,149,87,119,78,203,254,44,206,112,166,170,56,159,42,141,204,250,131,129,122,112,139,143,245,150,254,135,4,213,203,225,73,250,206,251,122,33,94,166,36,90,11,101,93,151,175,64,0,0,0,160,247,120,235,5,145,28,214,21,43,57,158,137,156,192,137,204,32,47,26,118,70,86,248,246,160,26,236,190,176,49,87,14,250,197,37,89,219,92,10,168,37,162,180,48,244,74,4,145,119,28,38,226,69,36,114,141,14,108,246,190,243,105,236), $null, 'CurrentUser')"
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,39,157,190,44,185,213,196,73,159,101,157,196,251,40,97,204,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,207,176,84,217,60,156,184,59,3,27,231,184,96,180,176,22,190,214,124,225,126,33,24,28,196,26,70,57,195,110,188,82,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,30,83,80,130,223,215,209,200,154,200,135,30,7,211,45,117,47,236,133,54,162,197,248,48,15,191,4,221,82,229,239,73,48,0,0,0,242,255,149,87,119,78,203,254,44,206,112,166,170,56,159,42,141,204,250,131,129,122,112,139,143,245,150,254,135,4,213,203,225,73,250,206,251,122,33,94,166,36,90,11,101,93,151,175,64,0,0,0,160,247,120,235,5,145,28,214,21,43,57,158,137,156,192,137,204,32,47,26,118,70,86,248,246,160,26,236,190,176,49,87,14,250,197,37,89,219,92,10,168,37,162,180,48,244,74,4,145,119,28,38,226,69,36,114,141,14,108,246,190,243,105,236), $null, 'CurrentUser')
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v EpicGamesLauncher /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,39,157,190,44,185,213,196,73,159,101,157,196,251,40,97,204,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,65,175,34,250,158,248,47,122,214,12,177,5,236,230,160,214,54,9,146,172,200,64,166,247,115,211,191,65,67,226,141,235,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,98,178,61,180,99,60,64,189,114,141,41,44,142,240,192,46,164,34,135,204,86,18,252,196,99,31,197,76,32,227,52,191,48,0,0,0,163,242,13,136,184,138,94,89,30,226,191,237,96,45,115,176,235,168,27,29,123,32,152,89,96,235,171,142,225,115,229,222,160,238,79,11,59,253,161,149,56,39,5,178,191,80,16,62,64,0,0,0,170,27,181,16,68,18,53,67,196,152,228,52,101,132,193,39,212,87,252,149,78,100,15,84,48,124,239,144,250,7,17,140,10,229,7,13,35,191,185,220,162,6,217,41,30,90,185,255,149,203,57,70,43,19,17,179,103,72,89,68,171,124,83,118), $null, 'CurrentUser')"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,39,157,190,44,185,213,196,73,159,101,157,196,251,40,97,204,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,65,175,34,250,158,248,47,122,214,12,177,5,236,230,160,214,54,9,146,172,200,64,166,247,115,211,191,65,67,226,141,235,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,98,178,61,180,99,60,64,189,114,141,41,44,142,240,192,46,164,34,135,204,86,18,252,196,99,31,197,76,32,227,52,191,48,0,0,0,163,242,13,136,184,138,94,89,30,226,191,237,96,45,115,176,235,168,27,29,123,32,152,89,96,235,171,142,225,115,229,222,160,238,79,11,59,253,161,149,56,39,5,178,191,80,16,62,64,0,0,0,170,27,181,16,68,18,53,67,196,152,228,52,101,132,193,39,212,87,252,149,78,100,15,84,48,124,239,144,250,7,17,140,10,229,7,13,35,191,185,220,162,6,217,41,30,90,185,255,149,203,57,70,43,19,17,179,103,72,89,68,171,124,83,118), $null, 'CurrentUser')
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v EpicGamesLauncher /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SetupFile.exe" /f"
C:\Users\Admin\AppData\Local\Temp\SetupFile.exe
"C:\Users\Admin\AppData\Local\Temp\SetupFile.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\SetupFile" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1716 --field-trial-handle=1880,i,14225943549362777755,6286492048928942185,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v EpicGamesLauncher /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SetupFile.exe" /f
C:\Users\Admin\AppData\Local\Temp\SetupFile.exe
"C:\Users\Admin\AppData\Local\Temp\SetupFile.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\SetupFile" --mojo-platform-channel-handle=2120 --field-trial-handle=1880,i,14225943549362777755,6286492048928942185,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
C:\Users\Admin\AppData\Local\Temp\SetupFile.exe
"C:\Users\Admin\AppData\Local\Temp\SetupFile.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\SetupFile" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1948 --field-trial-handle=1880,i,14225943549362777755,6286492048928942185,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.4.4:443 | dns.google | tcp |
| US | 8.8.8.8:53 | www.myexternalip.com | udp |
| US | 34.117.118.44:443 | www.myexternalip.com | tcp |
| US | 8.8.8.8:53 | 4.4.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 44.118.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.137.159.162.in-addr.arpa | udp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.192.122.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 20.231.121.79:80 | tcp | |
| US | 8.8.8.8:53 | 9.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\46e6211c-8f1b-48ac-9806-c6228030a298.tmp.node
| MD5 | 3072b68e3c226aff39e6782d025f25a8 |
| SHA1 | cf559196d74fa490ac8ce192db222c9f5c5a006a |
| SHA256 | 7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01 |
| SHA512 | 61ebc72c20195e99244d95af1ab44fa06201a1aee2b5da04490fdc4312e8324a40b0e15a7b42fab5179753d767c1d08ae1a7a56ac71a6e100e63f83db849ee61 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jfivb5fn.ikj.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3960-15-0x000001B81C2F0000-0x000001B81C312000-memory.dmp
memory/3960-16-0x00007FFCE4D30000-0x00007FFCE57F1000-memory.dmp
memory/3960-17-0x000001B802350000-0x000001B802360000-memory.dmp
memory/3960-18-0x000001B802350000-0x000001B802360000-memory.dmp
memory/3960-19-0x000001B81C890000-0x000001B81C8E0000-memory.dmp
memory/3960-23-0x00007FFCE4D30000-0x00007FFCE57F1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | f48896adf9a23882050cdff97f610a7f |
| SHA1 | 4c5a610df62834d43f470cae7e851946530e3086 |
| SHA256 | 3ae35c2828715a2f9a5531d334a0cfffc81396c2dc058ca42a9943f3cdc22e78 |
| SHA512 | 16644246f2a35a186fcb5c2b6456ed6a16e8db65ad1383109e06547f9b1f9358f071c30cca541ca4cf7bae66cb534535e88f75f6296a4bfc6c7b22b0684a6ba9 |
memory/4664-27-0x0000029D59860000-0x0000029D59870000-memory.dmp
memory/4664-26-0x00007FFCE4D30000-0x00007FFCE57F1000-memory.dmp
memory/4664-28-0x0000029D59860000-0x0000029D59870000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 46d6c89b6a449ce91c1a3691c516e10e |
| SHA1 | dedf2c05d83a8fc311e39fa86af575866f9f7ece |
| SHA256 | f6841440d2949cf97fb621923a2f931fca567382856cb60fa4c8ce3f9b81e55f |
| SHA512 | bd222cc430c28abe832787973ed2a7a07d58d92f34eed1ebfe69fc4cd8ed59443ed93799979fd39d1b76ef6ff247f3ceb12b3c537de09ffba72ebec748f3e1cd |
memory/4664-39-0x0000029D59860000-0x0000029D59870000-memory.dmp
memory/4664-42-0x00007FFCE4D30000-0x00007FFCE57F1000-memory.dmp
memory/4016-68-0x0000028C81040000-0x0000028C81041000-memory.dmp
memory/4016-69-0x0000028C81040000-0x0000028C81041000-memory.dmp
memory/4016-67-0x0000028C81040000-0x0000028C81041000-memory.dmp
memory/4016-74-0x0000028C81040000-0x0000028C81041000-memory.dmp
memory/4016-73-0x0000028C81040000-0x0000028C81041000-memory.dmp
memory/4016-75-0x0000028C81040000-0x0000028C81041000-memory.dmp
memory/4016-77-0x0000028C81040000-0x0000028C81041000-memory.dmp
memory/4016-76-0x0000028C81040000-0x0000028C81041000-memory.dmp
memory/4016-79-0x0000028C81040000-0x0000028C81041000-memory.dmp
memory/4016-78-0x0000028C81040000-0x0000028C81041000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-03-02 21:28
Reported
2024-03-02 22:41
Platform
win7-20240221-en
Max time kernel
121s
Max time network
132s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-03-02 21:28
Reported
2024-03-02 22:41
Platform
win7-20240215-en
Max time kernel
119s
Max time network
124s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1
Network
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-03-02 21:28
Reported
2024-03-02 22:41
Platform
win10v2004-20240226-en
Max time kernel
140s
Max time network
166s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.246.116.51.in-addr.arpa | udp |
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-03-02 21:28
Reported
2024-03-02 22:41
Platform
win7-20240221-en
Max time kernel
120s
Max time network
125s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\locales\uk.ps1
Network
Files
memory/1676-4-0x000000001B5D0000-0x000000001B8B2000-memory.dmp
memory/1676-5-0x0000000002350000-0x0000000002358000-memory.dmp
memory/1676-6-0x000007FEF59A0000-0x000007FEF633D000-memory.dmp
memory/1676-7-0x0000000002C60000-0x0000000002CE0000-memory.dmp
memory/1676-9-0x0000000002C60000-0x0000000002CE0000-memory.dmp
memory/1676-10-0x0000000002C60000-0x0000000002CE0000-memory.dmp
memory/1676-11-0x0000000002C60000-0x0000000002CE0000-memory.dmp
memory/1676-8-0x000007FEF59A0000-0x000007FEF633D000-memory.dmp
memory/1676-12-0x000007FEF59A0000-0x000007FEF633D000-memory.dmp
Analysis: behavioral20
Detonation Overview
Submitted
2024-03-02 21:28
Reported
2024-03-02 22:41
Platform
win7-20240221-en
Max time kernel
120s
Max time network
126s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe
"C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe"
Network
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-03-02 21:28
Reported
2024-03-02 22:41
Platform
win10v2004-20240226-en
Max time kernel
148s
Max time network
157s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe
"C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 52.111.229.19:443 | tcp | |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 123.10.44.20.in-addr.arpa | udp |
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-03-02 21:28
Reported
2024-03-02 22:41
Platform
win10v2004-20240226-en
Max time kernel
141s
Max time network
163s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\vulkan-1.dll,#1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1032 --field-trial-handle=2700,i,14629483171127516024,12350888228055326066,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 13.107.253.64:443 | tcp | |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 216.58.212.234:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 234.212.58.216.in-addr.arpa | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-03-02 21:28
Reported
2024-03-02 22:41
Platform
win10v2004-20240226-en
Max time kernel
135s
Max time network
162s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 416 wrote to memory of 2732 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 416 wrote to memory of 2732 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 416 wrote to memory of 2732 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2732 -ip 2732
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 628
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4164 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 13.107.253.64:443 | tcp | |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.192.122.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.246.116.51.in-addr.arpa | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-03-02 21:28
Reported
2024-03-02 22:41
Platform
win7-20240221-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 220
Network
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-03-02 21:28
Reported
2024-03-02 22:41
Platform
win7-20240221-en
Max time kernel
119s
Max time network
133s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\SetupFile.exe
"C:\Users\Admin\AppData\Local\Temp\SetupFile.exe"
Network
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-03-02 21:28
Reported
2024-03-02 22:41
Platform
win7-20240221-en
Max time kernel
122s
Max time network
137s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1
Network
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-03-02 21:28
Reported
2024-03-02 22:41
Platform
win7-20240221-en
Max time kernel
122s
Max time network
136s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 224
Network
Files
Analysis: behavioral27
Detonation Overview
Submitted
2024-03-02 21:28
Reported
2024-03-02 22:41
Platform
win10v2004-20240226-en
Max time kernel
147s
Max time network
155s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3320 wrote to memory of 3864 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3320 wrote to memory of 3864 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3320 wrote to memory of 3864 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3864 -ip 3864
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3864 -s 616
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-02 21:28
Reported
2024-03-02 22:41
Platform
win10v2004-20240226-en
Max time kernel
93s
Max time network
125s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\ProgramData\Epic\Launcher\SetupFile.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Epic\Launcher\SetupFile.exe | N/A |
| N/A | N/A | C:\ProgramData\Epic\Launcher\SetupFile.exe | N/A |
| N/A | N/A | C:\ProgramData\Epic\Launcher\SetupFile.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SetupFile 1.0.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SetupFile 1.0.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SetupFile 1.0.0.exe | N/A |
| N/A | N/A | C:\ProgramData\Epic\Launcher\SetupFile.exe | N/A |
| N/A | N/A | C:\ProgramData\Epic\Launcher\SetupFile.exe | N/A |
| N/A | N/A | C:\ProgramData\Epic\Launcher\SetupFile.exe | N/A |
| N/A | N/A | C:\ProgramData\Epic\Launcher\SetupFile.exe | N/A |
| N/A | N/A | C:\ProgramData\Epic\Launcher\SetupFile.exe | N/A |
| N/A | N/A | C:\ProgramData\Epic\Launcher\SetupFile.exe | N/A |
| N/A | N/A | C:\ProgramData\Epic\Launcher\SetupFile.exe | N/A |
| N/A | N/A | C:\ProgramData\Epic\Launcher\SetupFile.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EpicGamesLauncher = "C:\\ProgramData\\Epic\\Launcher\\SetupFile.exe" | C:\Windows\system32\reg.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
An obfuscated cmd.exe command-line is typically used to evade detection.
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Enumerates physical storage devices
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\ProgramData\Epic\Launcher\SetupFile.exe | N/A |
| N/A | N/A | C:\ProgramData\Epic\Launcher\SetupFile.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\SetupFile 1.0.0.exe
"C:\Users\Admin\AppData\Local\Temp\SetupFile 1.0.0.exe"
C:\ProgramData\Epic\Launcher\SetupFile.exe
C:\ProgramData\Epic\Launcher\SetupFile.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v EpicGamesLauncher /f"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,187,129,194,217,126,131,1,74,168,57,210,138,107,137,189,212,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,50,189,46,163,143,204,242,57,124,130,127,199,217,241,213,20,38,56,175,56,52,37,95,222,179,249,84,127,57,193,28,90,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,117,137,192,49,120,208,49,5,117,80,140,220,235,39,38,191,115,173,148,172,228,133,69,61,50,109,196,44,230,130,106,62,48,0,0,0,59,204,109,24,185,235,126,93,115,15,225,227,72,95,64,231,247,155,184,14,121,29,166,79,117,132,125,44,243,197,174,66,24,226,71,34,58,216,82,0,152,163,206,212,31,7,153,215,64,0,0,0,11,31,15,241,106,179,72,246,147,176,72,177,106,139,56,202,110,163,82,178,125,177,194,142,39,175,3,106,91,22,111,132,180,62,73,234,185,254,72,51,72,15,168,3,227,153,170,224,109,39,97,125,20,214,218,204,58,75,50,110,189,234,182,171), $null, 'CurrentUser')"
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v EpicGamesLauncher /f
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,187,129,194,217,126,131,1,74,168,57,210,138,107,137,189,212,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,50,189,46,163,143,204,242,57,124,130,127,199,217,241,213,20,38,56,175,56,52,37,95,222,179,249,84,127,57,193,28,90,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,117,137,192,49,120,208,49,5,117,80,140,220,235,39,38,191,115,173,148,172,228,133,69,61,50,109,196,44,230,130,106,62,48,0,0,0,59,204,109,24,185,235,126,93,115,15,225,227,72,95,64,231,247,155,184,14,121,29,166,79,117,132,125,44,243,197,174,66,24,226,71,34,58,216,82,0,152,163,206,212,31,7,153,215,64,0,0,0,11,31,15,241,106,179,72,246,147,176,72,177,106,139,56,202,110,163,82,178,125,177,194,142,39,175,3,106,91,22,111,132,180,62,73,234,185,254,72,51,72,15,168,3,227,153,170,224,109,39,97,125,20,214,218,204,58,75,50,110,189,234,182,171), $null, 'CurrentUser')
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,187,129,194,217,126,131,1,74,168,57,210,138,107,137,189,212,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,197,224,143,28,165,54,72,92,246,233,32,191,24,46,105,246,181,80,82,244,98,50,113,77,39,131,70,107,20,17,18,7,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,178,232,214,33,109,10,171,34,88,45,244,211,68,213,248,113,63,204,186,57,152,167,39,14,173,231,102,13,79,123,220,0,48,0,0,0,244,7,62,86,224,27,249,160,142,173,50,211,245,131,94,250,110,91,14,170,146,113,247,253,255,250,252,147,32,58,62,71,210,115,235,233,237,24,64,161,187,109,9,21,221,186,174,22,64,0,0,0,163,34,23,217,160,123,207,120,182,62,130,149,38,16,101,148,40,131,230,239,228,34,24,160,57,101,112,128,25,35,97,186,123,245,48,119,175,155,108,52,91,185,179,137,26,89,91,37,95,12,36,179,157,222,62,201,104,125,193,181,138,54,90,149), $null, 'CurrentUser')"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,187,129,194,217,126,131,1,74,168,57,210,138,107,137,189,212,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,197,224,143,28,165,54,72,92,246,233,32,191,24,46,105,246,181,80,82,244,98,50,113,77,39,131,70,107,20,17,18,7,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,178,232,214,33,109,10,171,34,88,45,244,211,68,213,248,113,63,204,186,57,152,167,39,14,173,231,102,13,79,123,220,0,48,0,0,0,244,7,62,86,224,27,249,160,142,173,50,211,245,131,94,250,110,91,14,170,146,113,247,253,255,250,252,147,32,58,62,71,210,115,235,233,237,24,64,161,187,109,9,21,221,186,174,22,64,0,0,0,163,34,23,217,160,123,207,120,182,62,130,149,38,16,101,148,40,131,230,239,228,34,24,160,57,101,112,128,25,35,97,186,123,245,48,119,175,155,108,52,91,185,179,137,26,89,91,37,95,12,36,179,157,222,62,201,104,125,193,181,138,54,90,149), $null, 'CurrentUser')
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v EpicGamesLauncher /t REG_SZ /d "C:\ProgramData\Epic\Launcher\SetupFile.exe" /f"
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v EpicGamesLauncher /t REG_SZ /d "C:\ProgramData\Epic\Launcher\SetupFile.exe" /f
C:\ProgramData\Epic\Launcher\SetupFile.exe
"C:\ProgramData\Epic\Launcher\SetupFile.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\SetupFile" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1860 --field-trial-handle=1920,i,14523584174835122521,15923476774521085558,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
C:\ProgramData\Epic\Launcher\SetupFile.exe
"C:\ProgramData\Epic\Launcher\SetupFile.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\SetupFile" --mojo-platform-channel-handle=1312 --field-trial-handle=1920,i,14523584174835122521,15923476774521085558,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.4.4:443 | dns.google | tcp |
| US | 8.8.8.8:53 | 4.4.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.myexternalip.com | udp |
| US | 34.117.118.44:443 | www.myexternalip.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.128.233:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 44.118.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.128.159.162.in-addr.arpa | udp |
| US | 162.159.128.233:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\System.dll
| MD5 | 0d7ad4f45dc6f5aa87f606d0331c6901 |
| SHA1 | 48df0911f0484cbe2a8cdd5362140b63c41ee457 |
| SHA256 | 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca |
| SHA512 | c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9 |
C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\nsis7z.dll
| MD5 | 80e44ce4895304c6a3a831310fbf8cd0 |
| SHA1 | 36bd49ae21c460be5753a904b4501f1abca53508 |
| SHA256 | b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592 |
| SHA512 | c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df |
C:\ProgramData\Epic\Launcher\chrome_100_percent.pak
| MD5 | 8626e1d68e87f86c5b4dabdf66591913 |
| SHA1 | 4cd7b0ac0d3f72587708064a7b0a3beca3f7b81c |
| SHA256 | 2caa1da9b6a6e87bdb673977fee5dd771591a1b6ed5d3c5f14b024130a5d1a59 |
| SHA512 | 03bcd8562482009060f249d6a0dd7382fc94d669a2094dec08e8d119be51bef2c3b7b484bb5b7f805ae98e372dab9383a2c11a63ab0f5644146556b1bb9a4c99 |
C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\7z-out\chrome_200_percent.pak
| MD5 | 48515d600258d60019c6b9c6421f79f6 |
| SHA1 | 0ef0b44641d38327a360aa6954b3b6e5aab2af16 |
| SHA256 | 07bee34e189fe9a8789aed78ea59ad41414b6e611e7d74da62f8e6ca36af01ce |
| SHA512 | b7266bc8abc55bd389f594dac0c0641ecf07703f35d769b87e731b5fdf4353316d44f3782a4329b3f0e260dead6b114426ddb1b0fb8cd4a51e0b90635f1191d9 |
C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\7z-out\d3dcompiler_47.dll
| MD5 | 930dc313097ffc012996fda4e1b5ee71 |
| SHA1 | 70eba424f1236eed35ef3073f74adcb4836b46a0 |
| SHA256 | a3859f6831f8d3c6949c2a616939975340185425c9b5c70107acb1a121d7ee14 |
| SHA512 | f1b7db16352e1a69a4cd4fdee753d4d236c64486bae79ed5fe0f795d388b603b9037a6a2796efd9b95c5c4459d993dd1c619a2b31ecc893845cfaf591364b190 |
C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\7z-out\ffmpeg.dll
| MD5 | cf0641769af38753cba77d8e0334066d |
| SHA1 | 38a38386cb694bdd35605982c4e29aca546cfcea |
| SHA256 | 2d6d0f099bf750ff60bf569903d6e17fe07938d6db42b63873baca302d809b15 |
| SHA512 | efc3233a8d36ba2a63c8f271a66125b5f2cc8e64431239ee86b0e98284c07805df12972f227355405df5cc416b747dc172e20d5d1bb677fef7819529f9c16477 |
C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\7z-out\libEGL.dll
| MD5 | 09134e6b407083baaedf9a8c0bce68f2 |
| SHA1 | 8847344cceeab35c1cdf8637af9bd59671b4e97d |
| SHA256 | d2107ba0f4e28e35b22837c3982e53784d15348795b399ad6292d0f727986577 |
| SHA512 | 6ff3adcb8be48d0b505a3c44e6550d30a8feaf4aa108982a7992ed1820c06f49e0ad48d9bd92685fb82783dfd643629bd1fe4073300b61346b63320cbdb051ba |
C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\7z-out\icudtl.dat
| MD5 | 02228942a6ccf174d21705615becc155 |
| SHA1 | 92ed4bb865ee74f3c19ec0a04103833676795511 |
| SHA256 | 1e689e5a21e74ac77f760dc2ec9f531f23ac4a1498a1678c48ce27b192e11bfe |
| SHA512 | c7cd6d8db6687143a4c41ec6e6fc9b72a4daa933e78a9a023a78fa94cbd4cff061ad534622bfbb00c48b75b047b2e3bf45b3de45b5a6d9758a2e90ea8024e554 |
C:\ProgramData\Epic\Launcher\libGLESv2.dll
| MD5 | d885294ed3bb7830f552ca7d434b9a4f |
| SHA1 | 1cb2072da4034f772db782cef5461a9d16a3573a |
| SHA256 | 8b5eb10802399ecbc54d67d69a8c3e76dd7ce4be3b15bbc5e55e975763cbbe3d |
| SHA512 | 6e4b2bbac409168e5cd354c3f5c889ecfe3e05a611d4033833358f38513e514a420ad25e317262c326995b659588cb33a88198b9b651fc276561da6092d6ea42 |
C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\7z-out\LICENSE.electron.txt
| MD5 | 4d42118d35941e0f664dddbd83f633c5 |
| SHA1 | 2b21ec5f20fe961d15f2b58efb1368e66d202e5c |
| SHA256 | 5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d |
| SHA512 | 3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63 |
C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\7z-out\LICENSES.chromium.html
| MD5 | 7a9e2e233ec050104227d47c959d2001 |
| SHA1 | ffb46774fe1ef088261a88a0ba260d95a777f108 |
| SHA256 | 336c07b3960a54c3ee215eb8112446de52de308d8ac0a90ea6366808c0a43b74 |
| SHA512 | 0a1754d5c67effc4c64d8cab1c94973cf6db45f78fff1b9b0dfd5ef17acc459be42213d3f90567651eb9a0dc76324eacdec7443b6fe9c5fbe3939b1b2d309456 |
C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\7z-out\resources.pak
| MD5 | 20e0de319495622e72ebaa6e2dbca14d |
| SHA1 | 820a379e6c3e9a5d5a6b0c654baea17f83446e35 |
| SHA256 | ea7b1ece7e69da8d9012312508e5351e74b5a2cca7f39519d95cc4b49208ba4f |
| SHA512 | 83ea6673f60e9a05a948fd683fdb31a96a47aa78d35d32b65cf4983cbcb2a496f30610cb329531184c45bc1fdc6dedb67bbce1098310efc5b46714240ebfe313 |
C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\7z-out\SetupFile.exe
| MD5 | fe24a616e52d619548f384cbeafbe218 |
| SHA1 | a552acd8cfc5c6cbc97113a6b05b5c8afb444380 |
| SHA256 | 3ee367567775c63ecbc8e170c2734816b558cb722f691458a9a98981a6aea22a |
| SHA512 | f5f263284b25d0e09832bec75284ba55ed7c95430c4b7b8ad53e89864bf1a99b11025ecc89bf8dd31cd57210893b6f4021078e6d7fb41e88fc56e2185624521f |
C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\7z-out\vk_swiftshader_icd.json
| MD5 | 8642dd3a87e2de6e991fae08458e302b |
| SHA1 | 9c06735c31cec00600fd763a92f8112d085bd12a |
| SHA256 | 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9 |
| SHA512 | f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f |
C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\7z-out\vulkan-1.dll
| MD5 | 0e4e0f481b261ea59f196e5076025f77 |
| SHA1 | c73c1f33b5b42e9d67d819226db69e60d2262d7b |
| SHA256 | f681844896c084d2140ac210a974d8db099138fe75edb4df80e233d4b287196a |
| SHA512 | e6127d778ec73acbeb182d42e5cf36c8da76448fbdab49971de88ec4eb13ce63140a2a83fc3a1b116e41f87508ff546c0d7c042b8f4cdd9e07963801f3156ba2 |
C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\7z-out\vk_swiftshader.dll
| MD5 | 18daa84f2429d7a4f85898bbdbfc9432 |
| SHA1 | 066f725f434e084f0903bd963be40c9d14c52e6a |
| SHA256 | d5da2a30241e38763d0f390b38746f88acbfad0f41fac2957241c7e24962c7ad |
| SHA512 | 444750e44b3f9690aa1e02e281053838f220f04c04e4bbc55d240837347afa0b8a54f3d59287af01565f854f9992733617836cff68b6bdb4e3f8c963647a0a3b |
C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\7z-out\v8_context_snapshot.bin
| MD5 | a373d83d4c43ba957693ad57172a251b |
| SHA1 | 8e0fdb714df2f4cb058beb46c06aa78f77e5ff86 |
| SHA256 | 43b58ca4057cf75063d3b4a8e67aa9780d9a81d3a21f13c64b498be8b3ba6e0c |
| SHA512 | 07fbd84dc3e0ec1536ccb54d5799d5ed61b962251ece0d48e18b20b0fc9dd92de06e93957f3efc7d9bed88db7794fe4f2bec1e9b081825e41c6ac3b4f41eab18 |
C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\7z-out\snapshot_blob.bin
| MD5 | 8fef5a96dbcc46887c3ff392cbdb1b48 |
| SHA1 | ed592d75222b7828b7b7aab97b83516f60772351 |
| SHA256 | 4de0f720c416776423add7ada621da95d0d188d574f08e36e822ad10d85c3ece |
| SHA512 | e52c7820c69863ecc1e3b552b7f20da2ad5492b52cac97502152ebff45e7a45b00e6925679fd7477cdc79c68b081d6572eeed7aed773416d42c9200accc7230e |
C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\7z-out\locales\af.pak
| MD5 | 464e5eeaba5eff8bc93995ba2cb2d73f |
| SHA1 | 3b216e0c5246c874ad0ad7d3e1636384dad2255d |
| SHA256 | 0ad547bb1dc57907adeb02e1be3017cce78f6e60b8b39395fe0e8b62285797a1 |
| SHA512 | 726d6c41a9dbf1f5f2eff5b503ab68d879b088b801832c13fba7eb853302b16118cacda4748a4144af0f396074449245a42b2fe240429b1afcb7197fa0cb6d41 |
C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\7z-out\locales\am.pak
| MD5 | 2c933f084d960f8094e24bee73fa826c |
| SHA1 | 91dfddc2cff764275872149d454a8397a1a20ab1 |
| SHA256 | fa1e44215bd5acc7342c431a3b1fddb6e8b6b02220b4599167f7d77a29f54450 |
| SHA512 | 3c9ecfb0407de2aa6585f4865ad54eeb2ec6519c9d346e2d33ed0e30be6cc3ebfed676a08637d42c2ca8fa6cfefb4091feb0c922ff71f09a2b89cdd488789774 |
C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\7z-out\locales\bg.pak
| MD5 | 38bcabb6a0072b3a5f8b86b693eb545d |
| SHA1 | d36c8549fe0f69d05ffdaffa427d3ddf68dd6d89 |
| SHA256 | 898621731ac3471a41f8b3a7bf52e7f776e8928652b37154bc7c1299f1fd92e1 |
| SHA512 | 002adbdc17b6013becc4909daf2febb74ce88733c78e968938b792a52c9c5a62834617f606e4cb3774ae2dad9758d2b8678d7764bb6dcfe468881f1107db13ef |
C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\7z-out\locales\ar.pak
| MD5 | fdbad4c84ac66ee78a5c8dd16d259c43 |
| SHA1 | 3ce3cd751bb947b19d004bd6916b67e8db5017ac |
| SHA256 | a62b848a002474a8ea37891e148cbaf4af09bdba7dafebdc0770c9a9651f7e3b |
| SHA512 | 376519c5c2e42d21acedb1ef47184691a2f286332451d5b8d6aac45713861f07c852fb93bd9470ff5ee017d6004aba097020580f1ba253a5295ac1851f281e13 |
C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\7z-out\locales\bn.pak
| MD5 | 9340520696e7cb3c2495a78893e50add |
| SHA1 | eed5aeef46131e4c70cd578177c527b656d08586 |
| SHA256 | 1ea245646a4b4386606f03c8a3916a3607e2adbbc88f000976be36db410a1e39 |
| SHA512 | 62507685d5542cfcd394080917b3a92ca197112feea9c2ddc1dfc77382a174c7ddf758d85af66cd322692215cb0402865b2a2b212694a36da6b592028caafcdf |
C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\7z-out\locales\cs.pak
| MD5 | eeee212072ea6589660c9eb216855318 |
| SHA1 | d50f9e6ca528725ced8ac186072174b99b48ea05 |
| SHA256 | de92f14480770401e39e22dcf3dd36de5ad3ed22e44584c31c37cd99e71c4a43 |
| SHA512 | ea068186a2e611fb98b9580f2c5ba6fd1f31b532e021ef9669e068150c27deee3d60fd9ff7567b9eb5d0f98926b24defabc9b64675b49e02a6f10e71bb714ac8 |
C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\7z-out\locales\ca.pak
| MD5 | 4cd6b3a91669ddcfcc9eef9b679ab65c |
| SHA1 | 43c41cb00067de68d24f72e0f5c77d3b50b71f83 |
| SHA256 | 56efff228ee3e112357d6121b2256a2c3acd718769c89413de82c9d4305459c6 |
| SHA512 | 699be9962d8aae241abd1d1f35cd8468ffbd6157bcd6bdf2c599d902768351b247baad6145b9826d87271fd4a19744eb11bf7065db7fefb01d66d2f1f39015a9 |
C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\7z-out\locales\et.pak
| MD5 | ccc71f88984a7788c8d01add2252d019 |
| SHA1 | 6a87752eac3044792a93599428f31d25debea369 |
| SHA256 | d69489a723b304e305cb1767e6c8da5d5d1d237e50f6ddc76e941dcb01684944 |
| SHA512 | d35ccd639f2c199862e178a9fab768d7db10d5a654bc3bc1fab45d00ceb35a01119a5b4d199e2db3c3576f512b108f4a1df7faf6624d961c0fc4bca5af5f0e07 |
C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\7z-out\locales\es.pak
| MD5 | 04a9ba7316dc81766098e238a667de87 |
| SHA1 | 24d7eb4388ecdfecada59c6a791c754181d114de |
| SHA256 | 7fa148369c64bc59c2832d617357879b095357fe970bab9e0042175c9ba7cb03 |
| SHA512 | 650856b6187df41a50f9bed29681c19b4502de6af8177b47bad0bf12e86a25e92aa728311310c28041a18e4d9f48ef66d5ad5d977b6662c44b49bfd1da84522b |
C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\7z-out\locales\es-419.pak
| MD5 | 7da3e8aa47ba35d014e1d2a32982a5bb |
| SHA1 | 8e35320b16305ad9f16cb0f4c881a89818cd75bb |
| SHA256 | 7f85673cf80d1e80acfc94fb7568a8c63de79a13a1bb6b9d825b7e9f338ef17c |
| SHA512 | 1fca90888eb067972bccf74dd5d09bb3fce2ceb153589495088d5056ed4bdede15d54318af013c2460f0e8b5b1a5c6484adf0ed84f4b0b3c93130b086da5c3bf |
C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\7z-out\locales\en-US.pak
| MD5 | 19d18f8181a4201d542c7195b1e9ff81 |
| SHA1 | 7debd3cf27bbe200c6a90b34adacb7394cb5929c |
| SHA256 | 1d20e626444759c2b72aa6e998f14a032408d2b32f957c12ec3abd52831338fb |
| SHA512 | af07e1b08bbf2dd032a5a51a88ee2923650955873753629a086cad3b1600ce66ca7f9ed31b8ca901c126c10216877b24e123144bb0048f2a1e7757719aae73f2 |
C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\7z-out\locales\en-GB.pak
| MD5 | 825ed4c70c942939ffb94e77a4593903 |
| SHA1 | 7a3faee9bf4c915b0f116cb90cec961dda770468 |
| SHA256 | e11e8db78ae12f8d735632ba9fd078ec66c83529cb1fd86a31ab401f6f833c16 |
| SHA512 | 41325bec22af2e5ef8e9b26c48f2dfc95763a249ccb00e608b7096ec6236ab9a955de7e2340fd9379d09ac2234aee69aed2a24fe49382ffd48742d72a929c56a |
C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\7z-out\locales\el.pak
| MD5 | e66a75680f21ce281995f37099045714 |
| SHA1 | d553e80658ee1eea5b0912db1ecc4e27b0ed4790 |
| SHA256 | 21d1d273124648a435674c7877a98110d997cf6992469c431fe502bbcc02641f |
| SHA512 | d3757529dd85ef7989d9d4cecf3f7d87c9eb4beda965d8e2c87ee23b8baaec3fdff41fd53ba839215a37404b17b8fe2586b123557f09d201b13c7736c736b096 |
C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\7z-out\locales\de.pak
| MD5 | cf22ec11a33be744a61f7de1a1e4514f |
| SHA1 | 73e84848c6d9f1a2abe62020eb8c6797e4c49b36 |
| SHA256 | 7cc213e2c9a2d2e2e463083dd030b86da6bba545d5cee4c04df8f80f9a01a641 |
| SHA512 | c10c8446e3041d7c0195da184a53cfbd58288c06eaf8885546d2d188b59667c270d647fa7259f5ce140ec6400031a7fc060d0f2348ab627485e2207569154495 |
C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\7z-out\locales\da.pak
| MD5 | e7ba94c827c2b04e925a76cb5bdd262c |
| SHA1 | abba6c7fcec8b6c396a6374331993c8502c80f91 |
| SHA256 | d8da7ab28992c8299484bc116641e19b448c20adf6a8b187383e2dba5cd29a0b |
| SHA512 | 1f44fce789cf41fd62f4d387b7b8c9d80f1e391edd2c8c901714dd0a6e3af32266e9d3c915c15ad47c95ece4c7d627aa7339f33eea838d1af9901e48edb0187e |
C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\7z-out\locales\fa.pak
| MD5 | 2e37fd4e23a1707a1eccea3264508dff |
| SHA1 | e00e58ed06584b19b18e9d28b1d52dbfc36d70f3 |
| SHA256 | b9ee861e1bdecffe6a197067905279ea77c180844a793f882c42f2b70541e25e |
| SHA512 | 7c467f434eb0ce8e4a851761ae9bd7a9e292aab48e8e653e996f8ca598d0eb5e07ec34e2b23e544f3b38439dc3b8e3f7a0dfd6a8e28169aa95ceff42bf534366 |
C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\7z-out\locales\hi.pak
| MD5 | b5dfce8e3ba0aec2721cc1692b0ad698 |
| SHA1 | c5d6fa21a9ba3d526f3e998e3f627afb8d1eecf3 |
| SHA256 | b1c7fb6909c8a416b513d6de21eea0b5a6b13c7f0a94cabd0d9154b5834a5e8b |
| SHA512 | facf0a9b81af6bb35d0fc5e69809d5c986a2c91a166e507784bdad115644b96697fe504b8d70d9bbb06f0c558f746c085d37e385eef41f0a1c29729d3d97980f |
C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\7z-out\locales\he.pak
| MD5 | fc84ea7dc7b9408d1eea11beeb72b296 |
| SHA1 | de9118194952c2d9f614f8e0868fb273ddfac255 |
| SHA256 | 15951767dafa7bdbedac803d842686820de9c6df478416f34c476209b19d2d8c |
| SHA512 | 49d13976dddb6a58c6fdcd9588e243d705d99dc1325c1d9e411a1d68d8ee47314dfcb661d36e2c4963c249a1542f95715f658427810afcabdf9253aa27eb3b24 |
C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\7z-out\locales\gu.pak
| MD5 | 308619d65b677d99f48b74ccfe060567 |
| SHA1 | 9f834df93fd48f4fb4ca30c4058e23288cf7d35e |
| SHA256 | e40ee4f24839f9e20b48d057bf3216bc58542c2e27cb40b9d2f3f8a1ea5bfbb4 |
| SHA512 | 3ca84ad71f00b9f7cc61f3906c51b263f18453fce11ec6c7f9edfe2c7d215e3550c336e892bd240a68a6815af599cc20d60203294f14adb133145ca01fe4608f |
C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\7z-out\locales\fr.pak
| MD5 | 3ee48a860ecf45bafa63c9284dfd63e2 |
| SHA1 | 1cb51d14964f4dced8dea883bf9c4b84a78f8eb6 |
| SHA256 | 1923e0edf1ef6935a4a718e3e2fc9a0a541ea0b4f3b27553802308f9fd4fc807 |
| SHA512 | eb6105faca13c191fef0c51c651a406b1da66326bb5705615770135d834e58dee9bed82aa36f2dfb0fe020e695c192c224ec76bb5c21a1c716e5f26dfe02f763 |
C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\7z-out\locales\fil.pak
| MD5 | d7df2ea381f37d6c92e4f18290c6ffe0 |
| SHA1 | 7cacf08455aa7d68259fcba647ee3d9ae4c7c5e4 |
| SHA256 | db4a63fa0d5b2baba71d4ba0923caed540099db6b1d024a0d48c3be10c9eed5a |
| SHA512 | 96fc028455f1cea067b3a3dd99d88a19a271144d73dff352a3e08b57338e513500925787f33495cd744fe4122dff2d2ee56e60932fc02e04feed2ec1e0c3533f |
C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\7z-out\locales\fi.pak
| MD5 | 21e534869b90411b4f9ea9120ffb71c8 |
| SHA1 | cc91ffbd19157189e44172392b2752c5f73984c5 |
| SHA256 | 2d337924139ffe77804d2742eda8e58d4e548e65349f827840368e43d567810b |
| SHA512 | 3ca3c0adaf743f92277452b7bd82db4cf3f347de5568a20379d8c9364ff122713befd547fbd3096505ec293ae6771ada4cd3dadac93cc686129b9e5aacf363bd |
C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\7z-out\locales\hu.pak
| MD5 | 2aa0a175df21583a68176742400c6508 |
| SHA1 | 3c25ba31c2b698e0c88e7d01b2cc241f0916e79a |
| SHA256 | b59f932df822ab1a87e8aab4bbb7c549db15899f259f4c50ae28f8d8c7ce1e72 |
| SHA512 | 03a16feb0601407e96bcb43af9bdb21e5218c2700c9f3cfd5f9690d0b4528f9dc17e4cc690d8c9132d4e0b26d7faafd90aa3f5e57237e06fb81aab7ab77f6c03 |
C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\7z-out\locales\id.pak
| MD5 | b6fcd5160a3a1ae1f65b0540347a13f2 |
| SHA1 | 4cf37346318efb67908bba7380dbad30229c4d3d |
| SHA256 | 7fd715914e3b0cf2048d4429f3236e0660d5bd5e61623c8fef9b8e474c2ac313 |
| SHA512 | a8b4a96e8f9a528b2df3bd1251b72ab14feccf491dd254a7c6ecba831dfaba328adb0fd0b4acddb89584f58f94b123e97caa420f9d7b34131cc51bdbdbf3ed73 |
C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\7z-out\locales\ja.pak
| MD5 | 38cd3ef9b7dff9efbbe086fa39541333 |
| SHA1 | 321ef69a298d2f9830c14140b0b3b0b50bd95cb0 |
| SHA256 | d8fab5714dafecb89b3e5fce4c4d75d2b72893e685e148e9b60f7c096e5b3337 |
| SHA512 | 40785871032b222a758f29e0c6ec696fbe0f6f5f3274cc80085961621bec68d7e0fb47c764649c4dd0c27c6ee02460407775fae9d3a2a8a59362d25a39266ce0 |
C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\7z-out\locales\it.pak
| MD5 | 745f16ca860ee751f70517c299c4ab0e |
| SHA1 | 54d933ad839c961dd63a47c92a5b935eef208119 |
| SHA256 | 10e65f42ce01ba19ebf4b074e8b2456213234482eadf443dfad6105faf6cde4c |
| SHA512 | 238343d6c80b82ae900f5abf4347e542c9ea016d75fb787b93e41e3c9c471ab33f6b4584387e5ee76950424e25486dd74b9901e7f72876960c0916c8b9cee9a6 |
C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\7z-out\locales\hr.pak
| MD5 | 255f808210dbf995446d10ff436e0946 |
| SHA1 | 1785d3293595f0b13648fb28aec6936c48ea3111 |
| SHA256 | 4df972b7f6d81aa7bdc39e2441310a37f746ae5015146b4e434a878d1244375b |
| SHA512 | 8b1a4d487b0782055717b718d58cd21e815b874e2686cdfd2087876b70ae75f9182f783c70bf747cf4ca17a3afc68517a9db4c99449fa09bef658b5e68087f2a |
C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\7z-out\locales\ml.pak
| MD5 | 1c81104ac2cbf7f7739af62eb77d20d5 |
| SHA1 | 0f0d564f1860302f171356ea35b3a6306c051c10 |
| SHA256 | 66005bc01175a4f6560d1e9768dbc72b46a4198f8e435250c8ebc232d2dac108 |
| SHA512 | 969294eae8c95a1126803a35b8d3f1fc3c9d22350aa9cc76b2323b77ad7e84395d6d83b89deb64565783405d6f7eae40def7bdaf0d08da67845ae9c7dbb26926 |
C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\7z-out\locales\lv.pak
| MD5 | a8cbd741a764f40b16afea275f240e7e |
| SHA1 | 317d30bbad8fd0c30de383998ea5be4eec0bb246 |
| SHA256 | a1a9d84fd3af571a57be8b1a9189d40b836808998e00ec9bd15557b83d0e3086 |
| SHA512 | 3da91c0ca20165445a2d283db7dc749fcf73e049bfff346b1d79b03391aefc7f1310d3ac2c42109044cfb50afcf178dcf3a34b4823626228e591f328dd7afe95 |
C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\7z-out\locales\lt.pak
| MD5 | 64b08ffc40a605fe74ecc24c3024ee3b |
| SHA1 | 516296e8a3114ddbf77601a11faf4326a47975ab |
| SHA256 | 8a5d6e29833374e0f74fd7070c1b20856cb6b42ed30d18a5f17e6c2e4a8d783e |
| SHA512 | 05d207413186ac2b87a59681efe4fdf9dc600d0f3e8327e7b9802a42306d80d0ddd9ee07d103b17caf0518e42ab25b7ca9da4713941abc7bced65961671164ac |
C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\7z-out\locales\ko.pak
| MD5 | d6194fc52e962534b360558061de2a25 |
| SHA1 | 98ed833f8c4beac685e55317c452249579610ff8 |
| SHA256 | 1a5884bd6665b2f404b7328de013522ee7c41130e57a53038fc991ec38290d21 |
| SHA512 | 5207a07426c6ceb78f0504613b6d2b8dadf9f31378e67a61091f16d72287adbc7768d1b7f2a923369197e732426d15a872c091cf88680686581d48a7f94988ab |
C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\7z-out\locales\kn.pak
| MD5 | caab4deb1c40507848f9610d849834cf |
| SHA1 | 1bc87ff70817ba1e1fdd1b5cb961213418680cbe |
| SHA256 | 7a34483e6272f9b8881f0f5a725b477540166561c75b9e7ab627815d4be1a8a4 |
| SHA512 | dc4b63e5a037479bb831b0771aec0fe6eb016723bcd920b41ab87ef11505626632877073ce4e5e0755510fe19ba134a7b5899332ecef854008b15639f915860c |
C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\7z-out\locales\ms.pak
| MD5 | aee105366a1870b9d10f0f897e9295db |
| SHA1 | eee9d789a8eeafe593ce77a7c554f92a26a2296f |
| SHA256 | c6471aee5f34f31477d57f593b09cb1de87f5fd0f9b5e63d8bab4986cf10d939 |
| SHA512 | 240688a0054bfebe36ea2b056194ee07e87bbbeb7e385131c73a64aa7967984610fcb80638dd883837014f9bc920037069d0655e3e92a5922f76813aedb185fa |
C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\7z-out\locales\mr.pak
| MD5 | 2cf9f07ddf7a3a70a48e8b524a5aed43 |
| SHA1 | 974c1a01f651092f78d2d20553c3462267ddf4e9 |
| SHA256 | 23058c0f71d9e40f927775d980524d866f70322e0ef215aa5748c239707451e7 |
| SHA512 | 0b21570deefa41defc3c25c57b3171635bcb5593761d48a8116888ce8be34c1499ff79c7a3ebbe13b5a565c90027d294c6835e92e6254d582a86750640fe90f2 |
C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\7z-out\locales\nl.pak
| MD5 | 0f04bac280035fab018f634bcb5f53ae |
| SHA1 | 4cad76eaecd924b12013e98c3a0e99b192be8936 |
| SHA256 | be254bcda4dbe167cb2e57402a4a0a814d591807c675302d2ce286013b40799b |
| SHA512 | 1256a6acac5a42621cb59eb3da42ddeeacfe290f6ae4a92d00ebd4450a8b7ccb6f0cd5c21cf0f18fe4d43d0d7aee87b6991fef154908792930295a3871fa53df |
C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\7z-out\locales\nb.pak
| MD5 | 55d5ad4eacb12824cfcd89470664c856 |
| SHA1 | f893c00d8d4fdb2f3e7a74a8be823e5e8f0cd673 |
| SHA256 | 4f44789a2c38edc396a31aba5cc09d20fb84cd1e06f70c49f0664289c33cd261 |
| SHA512 | 555d87be8c97f466c6b3e7b23ec0210335846398c33dba71e926ff7e26901a3908dbb0f639c93db2d090c9d8bda48eddf196b1a09794d0e396b2c02b4720f37e |
C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\7z-out\locales\sl.pak
| MD5 | ca763e801de642e4d68510900ff6fabb |
| SHA1 | c32a871831ce486514f621b3ab09387548ee1cff |
| SHA256 | 340e0babe5fddbfda601c747127251cf111dd7d79d0d6a5ec4e8443b835027de |
| SHA512 | e2847ce75de57deb05528dd9557047edcd15d86bf40a911eb97e988a8fdbda1cd0e0a81320eadf510c91c826499a897c770c007de936927df7a1cc82fa262039 |
C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\7z-out\locales\sk.pak
| MD5 | b7e97cc98b104053e5f1d6a671c703b7 |
| SHA1 | 0f7293f1744ae2cd858eb3431ee016641478ae7d |
| SHA256 | b0d38869275d9d295e42b0b90d0177e0ca56a393874e4bb454439b8ce25d686f |
| SHA512 | ef3247c6f0f4065a4b68db6bf7e28c8101a9c6c791b3f771ed67b5b70f2c9689cec67a1c864f423382c076e4cbb6019c1c0cb9ad0204454e28f749a69b6b0de0 |
C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\7z-out\locales\ru.pak
| MD5 | 2885bde990ee3b30f2c54a4067421b68 |
| SHA1 | ae16c4d534b120fdd68d33c091a0ec89fd58793f |
| SHA256 | 9fcda0d1fab7fff7e2f27980de8d94ff31e14287f58bd5d35929de5dd9cbcdca |
| SHA512 | f7781f5c07fbf128399b88245f35055964ff0cde1cc6b35563abc64f520971ce9916827097ca18855b46ec6397639f5416a6e8386a9390afba4332d47d21693f |
C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\7z-out\locales\ro.pak
| MD5 | d2758f6adbaeea7cd5d95f4ad6dde954 |
| SHA1 | d7476db23d8b0e11bbabf6a59fde7609586bdc8a |
| SHA256 | 2b7906f33bfbe8e9968bcd65366e2e996cdf2f3e1a1fc56ad54baf261c66954c |
| SHA512 | 8378032d6febea8b5047ada667cb19e6a41f890cb36305acc2500662b4377caef3dc50987c925e05f21c12e32c3920188a58ee59d687266d70b8bfb1b0169a6e |
C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\7z-out\locales\pt-PT.pak
| MD5 | b4954b064e3f6a9ba546dda5fa625927 |
| SHA1 | 584686c6026518932991f7de611e2266d8523f9d |
| SHA256 | ee1e014550b85e3d18fb5128984a713d9f6de2258001b50ddd18391e7307b4a1 |
| SHA512 | cb3b465b311f83b972eca1c66862b2c5d6ea6ac15282e0094aea455123ddf32e85df24a94a0aedbe1b925ff3ed005ba1e00d5ee820676d7a5a366153ade90ef7 |
C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\7z-out\locales\pt-BR.pak
| MD5 | 8e931ffbded8933891fb27d2cca7f37d |
| SHA1 | ab0a49b86079d3e0eb9b684ca36eb98d1d1fd473 |
| SHA256 | 6632bd12f04a5385012b5cdebe8c0dad4a06750dc91c974264d8fe60e8b6951d |
| SHA512 | cf0f6485a65c13cf5ddd6457d34cdea222708b0bb5ca57034ed2c4900fd22765385547af2e2391e78f02dcf00b7a2b3ac42a3509dd4237581cfb87b8f389e48d |
C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\7z-out\locales\pl.pak
| MD5 | f1d48a7dcd4880a27e39b7561b6eb0ab |
| SHA1 | 353c3ba213cd2e1f7423c6ba857a8d8be40d8302 |
| SHA256 | 2593c8b59849fbc690cbd513f06685ea3292cd0187fcf6b9069cbf3c9b0e8a85 |
| SHA512 | 132da2d3c1a4dad5ccb399b107d7b6d9203a4b264ef8a65add11c5e8c75859115443e1c65ece2e690c046a82687829f54ec855f99d4843f859ab1dd7c71f35a5 |
C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\7z-out\locales\sv.pak
| MD5 | 272f8a8b517c7283eab83ba6993eea63 |
| SHA1 | ad4175331b948bd4f1f323a4938863472d9b700c |
| SHA256 | d15b46bc9b5e31449b11251df19cd2ba4920c759bd6d4fa8ca93fd3361fdd968 |
| SHA512 | 3a0930b7f228a779f727ebfb6ae8820ab5cc2c9e04c986bce7b0f49f9bf124f349248ecdf108edf8870f96b06d58dea93a3e0e2f2da90537632f2109e1aa65f0 |
C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\7z-out\locales\sr.pak
| MD5 | c68c235d8e696c098cf66191e648196b |
| SHA1 | 5c967fbbd90403a755d6c4b2411e359884dc8317 |
| SHA256 | ab96a18177af90495e2e3c96292638a775aa75c1d210ca6a6c18fbc284cd815b |
| SHA512 | 34d14d8cb851df1ea8cd3cc7e9690eaf965d8941cfcac1c946606115ad889630156c5ff47011b27c1288f8df70e8a7dc41909a9fa98d75b691742ec1d1a5e653 |
C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\7z-out\locales\ta.pak
| MD5 | 18ec8ff3c0701a6a8c48f341d368bab5 |
| SHA1 | 8bff8aee26b990cf739a29f83efdf883817e59d8 |
| SHA256 | 052bcdb64a80e504bb6552b97881526795b64e0ab7ee5fc031f3edf87160dee9 |
| SHA512 | a0e997fc9d316277de3f4773388835c287ab1a35770c01e376fb7428ff87683a425f6a6a605d38dd7904ca39c50998cd85f855cb33ae6abad47ac85a1584fe4e |
C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\7z-out\locales\sw.pak
| MD5 | 67a443a5c2eaad32625edb5f8deb7852 |
| SHA1 | a6137841e8e7736c5ede1d0dc0ce3a44dc41013f |
| SHA256 | 41dfb772ae4c6f9e879bf7b4fa776b2877a2f8740fa747031b3d6f57f34d81dd |
| SHA512 | e0fdff1c3c834d8af8634f43c2f16ba5b883a8d88dfd322593a13830047568faf9f41d0bf73cd59e2e33c38fa58998d4702d2b0c21666717a86945d18b3f29e5 |
C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\7z-out\locales\uk.pak
| MD5 | 361a0e1f665b9082a457d36209b92a25 |
| SHA1 | 3c89e1b70b51820bb6baa64365c64da6a9898e2f |
| SHA256 | bd02966f6c6258b66eae7ff014710925e53fe26e8254d7db4e9147266025cc3a |
| SHA512 | d4d25fc58053f8cce4c073846706dc1ecbc0dc19308ba35501e19676f3e7ed855d7b57ae22a5637f81cefc1aa032bf8770d0737df1924f3504813349387c08cf |
C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\7z-out\locales\tr.pak
| MD5 | 5ff2e5c95067a339e3d6b8985156ec1f |
| SHA1 | 7525b25c7b07f54b63b6459a0d8c8c720bd8a398 |
| SHA256 | 14a131ba318274cf10de533a19776db288f08a294cf7e564b7769fd41c7f2582 |
| SHA512 | 2414386df8d7ab75dcbd6ca2b9ae62ba8e953ddb8cd8661a9f984eb5e573637740c7a79050b2b303af3d5b1d4d1bb21dc658283638718fdd04fc6e5891949d1b |
C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\7z-out\locales\th.pak
| MD5 | a32ba63feeed9b91f6d6800b51e5aeae |
| SHA1 | 2fbf6783996e8315a4fb94b7d859564350ee5918 |
| SHA256 | e32e37ca0ab30f1816fe6df37e3168e1022f1d3737c94f5472ab6600d97a45f6 |
| SHA512 | adebde0f929820d8368096a9c30961ba7b33815b0f124ca56ca05767ba6d081adf964088cb2b9fcaa07f756b946fffa701f0b64b07d457c99fd2b498cbd1e8a5 |
C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\7z-out\locales\te.pak
| MD5 | a17f16d7a038b0fa3a87d7b1b8095766 |
| SHA1 | b2f845e52b32c513e6565248f91901ab6874e117 |
| SHA256 | d39716633228a5872630522306f89af8585f8092779892087c3f1230d21a489e |
| SHA512 | 371fb44b20b8aba00c4d6f17701fa4303181ad628f60c7b4218e33be7026f118f619d66d679bffcb0213c48700fafd36b2e704499a362f715f63ea9a75d719e7 |
C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\7z-out\locales\ur.pak
| MD5 | 1ca4fa13bd0089d65da7cd2376feb4c6 |
| SHA1 | b1ba777e635d78d1e98e43e82d0f7a3dd7e97f9c |
| SHA256 | 3941364d0278e2c4d686faa4a135d16a457b4bc98c5a08e62aa12f3adc09aa7f |
| SHA512 | d0d9eb1aa029bd4c34953ee5f4b60c09cf1d4f0b21c061db4ede1b5ec65d7a07fc2f780ade5ce51f2f781d272ac32257b95eedf471f7295ba70b5ba51db6c51d |
C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\7z-out\locales\zh-TW.pak
| MD5 | 2456bf42275f15e016689da166df9008 |
| SHA1 | 70f7de47e585dfea3f5597b5bba1f436510decd7 |
| SHA256 | adf8df051b55507e5a79fa47ae88c7f38707d02dfac0cc4a3a7e8e17b58c6479 |
| SHA512 | 7e622afa15c70785aaf7c19604d281efe0984f621d6599058c97c19d3c0379b2ee2e03b3a7ec597040a4eee250a782d7ec55c335274dd7db7c7ca97ddcfd378a |
C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\7z-out\locales\zh-CN.pak
| MD5 | 82326e465e3015c64ca1db77dc6a56bc |
| SHA1 | e8abe12a8dd2cc741b9637fa8f0e646043bbfe3d |
| SHA256 | 6655fd9dcdfaf2abf814ffb6c524d67495aed4d923a69924c65abeab30bc74fb |
| SHA512 | 4989789c0b2439666dda4c4f959dffc0ddcb77595b1f817c13a95ed97619c270151597160320b3f2327a7daffc8b521b68878f9e5e5fb3870eb0c43619060407 |
C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\7z-out\locales\vi.pak
| MD5 | db0eb3183007de5aae10f934fffacc59 |
| SHA1 | e9ea7aeffe2b3f5cf75ab78630da342c6f8b7fd9 |
| SHA256 | ddabb225b671b989789e9c2ccd1b5a8f22141a7d9364d4e6ee9b8648305e7897 |
| SHA512 | 703efd12fcace8172c873006161712de1919572c58d98b11de7834c5628444229f5143d231c41da5b9cf729e32de58dee3603cb3d18c6cdd94aa9aa36fbf5de0 |
C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\7z-out\resources\elevate.exe
| MD5 | 792b92c8ad13c46f27c7ced0810694df |
| SHA1 | d8d449b92de20a57df722df46435ba4553ecc802 |
| SHA256 | 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37 |
| SHA512 | 6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40 |
C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\7z-out\resources\app.asar
| MD5 | e8b8463ed9b6c6eb33673eb1de812808 |
| SHA1 | b9f2d2002fb749d739243da8db7f4cb49951a3f1 |
| SHA256 | f37f314de372e70251bc74a90e3368bdbace99f6b305c2969cce863cb1720ee0 |
| SHA512 | a440b5ef962817f829679e6acfe0b4c889a368a70eb5daaf3a0e3e6230be56c846d60a1896f6bd218ca292dfe3a788f0a940f192bd4ad8e3c03afd8f090b32f1 |
C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\StdUtils.dll
| MD5 | c6a6e03f77c313b267498515488c5740 |
| SHA1 | 3d49fc2784b9450962ed6b82b46e9c3c957d7c15 |
| SHA256 | b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e |
| SHA512 | 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803 |
C:\ProgramData\Epic\Launcher\ffmpeg.dll
| MD5 | 4e9396bc17f2e973e810207dd5e7a5c3 |
| SHA1 | 4c8d59b97dd38feba0049e7236808273ba006c79 |
| SHA256 | accd0ca6f0fe97a022d43fe77f7e0d829c43a8ce895b25316c01ca7b095e1e6b |
| SHA512 | 94f39b215205377b8c4816c3c69fea60cfb87af39cfdab22ea60c8dfc1d8aced3e5a53761bbf718b8d2f9e24d14a7c553a8ecdb1a41ee8ac43ae05f95b119460 |
C:\ProgramData\Epic\Launcher\ffmpeg.dll
| MD5 | f366ce90f2f767a1e0a9316012e323a3 |
| SHA1 | 645e9da4c7aac433f6df133bde4db7d89b62b8f0 |
| SHA256 | f875b58d414c43fbdc210172e6554954c8bb81feeb5a64cd946554b16b0935a1 |
| SHA512 | 7b5ca33ac62253f70c83d3fff4fd14afa51ba86d03f003c0d7cea8cacf7707c564cf62c3bc62cb03205ad1689175f5a5845daab334278274bec92382f26b3be2 |
C:\ProgramData\Epic\Launcher\SetupFile.exe
| MD5 | 316dfe405567434b4be07220b3f627fa |
| SHA1 | ffd31f1423dd7e83cf97d9d36f3b15a550a45d3b |
| SHA256 | 79c3000b169e56ac4a1e7755db0a6914428d3eb747df4596692f918baa66d41c |
| SHA512 | f1eb9351e3db5157e95b9f65b2ca13656a979616c920832ea0c0f386424507498a0aa297ffef16f9817663925e927b302bef6966fe0cc030ff8806e7bb4aaec9 |
C:\ProgramData\Epic\Launcher\icudtl.dat
| MD5 | 8c1b5a2a94b9288e10e353b4e36a62c9 |
| SHA1 | 22fcbc3ec4b5af3edf2b468197980f6cb85bcf34 |
| SHA256 | fc30d1592b23e07e6196e0e9bfb5c6e8af3480048d11bd6df3594325587f9a48 |
| SHA512 | a8402acf839c5144f8da3a078a9d22e88649b3ca9e60404a7afdd99ea2f4f75bffc5a2a5329b28e08d4302f857c553558de7b83bab61726c3470436d9ae5bb14 |
C:\ProgramData\Epic\Launcher\v8_context_snapshot.bin
| MD5 | 406179ef7b956fca07d8e3c152f94865 |
| SHA1 | c157241ce125aa47fe750bc7cd0c33a026d895e1 |
| SHA256 | a3eaae73891e5059cfbaa75303cb4c4b2cc9ed15e7cb9b574653233825474e25 |
| SHA512 | 8457e575ba86360790e936ae0ee1ea9c258f46dc4d1277c3a54567d01914b57771315e4d5cf18d5abb768ddd8d1a51c2d8af183d7125c9c1a31f74417bb8eed8 |
C:\ProgramData\Epic\Launcher\resources\app.asar
| MD5 | d67ebd2a2055228af96127cc694761b2 |
| SHA1 | e431ed8dfe1a3c31043f9035c43c22ccce9e010a |
| SHA256 | 23ecea7ae65ebdad05bfae8854b1ac81d62864c583e732d6546db0cbc743e1c1 |
| SHA512 | 515f34fb1561901da6fef816cc5551b29137a6c378a7500d8f793a90d5b36300449e023555be2c9451bdf9b670a1610c4f44ed585f8771ca655f43d2eb0937ad |
C:\Users\Admin\AppData\Local\Temp\31b07d81-b476-4829-94a0-c8aa35851d74.tmp.node
| MD5 | 7109b457291999007a14e712ce05e256 |
| SHA1 | 6b2f1a7f01628f6169b1e7c8e0b72dc8e10b80cd |
| SHA256 | 9b26dbbcc3a48a9f9c312ccb70cde94012bb565fef4cd3b4bb9876d0ff10c027 |
| SHA512 | 10254111888c5dee0b69d9f9dd0bf67276595f078cd87db7a0b9814062f9504be81e490bf088798a07c08f9357b288c0140f02da111967b5996356b31621c897 |
memory/2544-545-0x00000269EA820000-0x00000269EA842000-memory.dmp
memory/2544-550-0x00007FFE0BE20000-0x00007FFE0C8E1000-memory.dmp
memory/2544-552-0x00000269EA870000-0x00000269EA880000-memory.dmp
memory/2544-551-0x00000269EA870000-0x00000269EA880000-memory.dmp
memory/2544-553-0x00000269EB710000-0x00000269EB760000-memory.dmp
memory/2544-557-0x00007FFE0BE20000-0x00007FFE0C8E1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | f48896adf9a23882050cdff97f610a7f |
| SHA1 | 4c5a610df62834d43f470cae7e851946530e3086 |
| SHA256 | 3ae35c2828715a2f9a5531d334a0cfffc81396c2dc058ca42a9943f3cdc22e78 |
| SHA512 | 16644246f2a35a186fcb5c2b6456ed6a16e8db65ad1383109e06547f9b1f9358f071c30cca541ca4cf7bae66cb534535e88f75f6296a4bfc6c7b22b0684a6ba9 |
memory/4720-571-0x00007FFE0BE20000-0x00007FFE0C8E1000-memory.dmp
memory/4720-573-0x000002B5A2340000-0x000002B5A2350000-memory.dmp
memory/4720-572-0x000002B5A2340000-0x000002B5A2350000-memory.dmp
memory/4720-576-0x00007FFE0BE20000-0x00007FFE0C8E1000-memory.dmp
C:\ProgramData\Epic\Launcher\ffmpeg.dll
| MD5 | d5a79221f90eeb2fca1a7bf102dcbb23 |
| SHA1 | 0f36555b57809aa58a7f9dc4fc27796e4d25aa8f |
| SHA256 | c40532f4911bd48bef0ba065918252add0228c5557bdbfd8aa653030acfe7fe7 |
| SHA512 | a1c5bff97cbdc8a5fce0fcd22f36f95fdccfb3966507e06a6b588897b7cff7f873096a85d10a90e870b851948ede13201d1569bc28936a36d0b68761230e879d |
C:\ProgramData\Epic\Launcher\d3dcompiler_47.dll
| MD5 | 8d0220f17d847b6e3b39a174262e8eae |
| SHA1 | db374a5b8575844f7033ddeaa49997ad0c9723c1 |
| SHA256 | fe177bd3a6d0b61b61c11d89cd44b5b89b1ed07dd0182473e32efbd767e8694c |
| SHA512 | c50d44fbf93ac9ae24b7e6178df88dc3422c3d176c6bfee6753d47bb194e0c8fd6e08d356a0ce243eaa859729f2a6840b15b6009d4d776a6ca83c1065adabb9d |
C:\ProgramData\Epic\Launcher\ffmpeg.dll
| MD5 | 328f7071482b099698f5eef1fd828357 |
| SHA1 | 4b31f7000b8acff81a058d9d4090c12262ab9eca |
| SHA256 | e3ab10960149c099df463e0a08adf5e6576fae41299bc693569e7b1fc7c8df2e |
| SHA512 | 86e350b823b5c05bde5bc92ded98d4fb4540b8c7e86b3fc1680e10d81dc92f40f032a3fb75173eadab4124a7cb5c8ccb6708f4c80c7e000dbb20f21e62870dbc |
C:\ProgramData\Epic\Launcher\SetupFile.exe
| MD5 | 95bbb277e48e63146149190ac7e1d3a7 |
| SHA1 | e52d1374c644e6fc8fe424ba4c3e8e40d40eefe8 |
| SHA256 | aaf8e70925559a296a52f80e8f409bf649487fc8e29e363c9574db28354e703d |
| SHA512 | 3f53b36708e2c8033df740469ab424e8cf5338228c693efe967e19d260ce9a967763a900bacd6bd3469f3bd5136f0113e566a906e48c8d0770f1581cc85ca0a6 |
C:\ProgramData\Epic\Launcher\vk_swiftshader.dll
| MD5 | 8611fc5f0effffa7ecf8281d65700599 |
| SHA1 | ad3df2fb6ad45a862634807b33450ccd64872573 |
| SHA256 | 695bfcd14ff296e78fd7e1834130bcabbb636361dd66928ff8a5f38418b11c54 |
| SHA512 | 421ed734e0f9d5f86c8572002432d8ed05e7ee9b3a359897a064379a184077fe96ded95c45257288b7f0bc34c02584ada6869962e1c59bf9a15fbe3ac3c2f193 |
C:\ProgramData\Epic\Launcher\vk_swiftshader.dll
| MD5 | 5f168dce3d29463060e38a97edbc295e |
| SHA1 | 49bad2d5469585841c456b7b5effa17cd189da86 |
| SHA256 | 4bf30d5460901343e9cc75e875c9ab442fca9a244f11149d7da4b4e3f7f42932 |
| SHA512 | 033a025d37e46891dba7dc184c0e503f9a55f6966a5038e2b62869f1a90af86006737892a7e94cf0e468d589946ab8179d76cd09cebb048d6f7d8ba5760e0a24 |
C:\ProgramData\Epic\Launcher\libegl.dll
| MD5 | ee08b595445d1da168446fa571aa2b4b |
| SHA1 | e033097f5ed77fb93503183404307c1e72929239 |
| SHA256 | f3995757d654791da4165e461d920f2618de203008b5d5def6940885d46c79a8 |
| SHA512 | 04de2aebb1a04f276a19498350eeaa0aa4e502a715cdbc7186a51118fa0cf13846b7269e2f9d8dbbf1d2240dc6e6cbde6e483d3ab58e2867cba546226ef268d5 |
C:\ProgramData\Epic\Launcher\libGLESv2.dll
| MD5 | 1ae965f91014e3c7329ce52d0d7dc94d |
| SHA1 | fdbf4257d59ba530d73b640871b6e69a5d111674 |
| SHA256 | 11ba7b38f214d0bddfd0bc1853bf1ab6680be1dba3496907f7ca17af38a50d25 |
| SHA512 | 8f1f23a97cded679f97e9843c5ff4e3987115deb51fbb74fb33f07fc3f5c2245d2a788067d08162851e4b9acd2443bab70cd2c5a2885f6e0efb0a754ca4ad65c |
C:\ProgramData\Epic\Launcher\libglesv2.dll
| MD5 | d9c73202a4cd96875c4566c56aec47c4 |
| SHA1 | 3ed3f2be3263c80d8d7fa705702cd2a398efa78a |
| SHA256 | fee462194e2f25f110a0e1f468387be296f983ad59c55d8b3e6153d3fe5c5163 |
| SHA512 | d1357f8791cc58d8602e89ffd615f7c5c13afa426abbc1506d0e250a24ba91296978e133edcdcd24ec6506a619e132b866340d8bb72d06e1338c1ee4a67e147d |
C:\ProgramData\Epic\Launcher\D3DCompiler_47.dll
| MD5 | 17a9f28ba9fd29d23d9a290b21d13800 |
| SHA1 | 50047dca9e42111472fc38777f4659d1738f456c |
| SHA256 | 2de26fa1f1c1628be38ba992596a78bd059cc0d3403b960f1c9c6b2cf2aec82d |
| SHA512 | 160c6d50995ba0751085fa82ce21d41a4e91687b3bf4ab94b90f46ee336255b7bbebee3d3df494215a159570832e8c0435ba725e125dd0ed4254ebfb1804d811 |
C:\ProgramData\Epic\Launcher\SetupFile.exe
| MD5 | c04f8b6bdbde9f3b80abaa611014cb20 |
| SHA1 | 910d5ccfade2cd186dda7dbac1526f6b425df24c |
| SHA256 | 98ba655b5b77dba8fd969b13be3b824739e653c3f4dff751f90f86b5a8132237 |
| SHA512 | c7553c3d092ed172f6c6b8070a58defe34ca5e6f1238f29969b1ec3ed75818c59577d093ebe2f66609830e366f320ffe49766632b6660b49adfbd04dda53e999 |
C:\ProgramData\Epic\Launcher\SetupFile.exe
| MD5 | d797d2ff246b4faac3dd49ebad2683e8 |
| SHA1 | 3970af9e0d9e7bb9cf64794d62623bcd5737d3c6 |
| SHA256 | 579433625eca378f0692950454f1a818c79d907691679ad5ae4d37297c62fb2c |
| SHA512 | 04e563ac9924cfd28f4666082c066872c086e8be254e972eb97b0691fca280a6ef2b1274d981cb73c29558bc3d5ed9b2dd41e7bde3742c0dcea0ef404276b88d |
C:\ProgramData\Epic\Launcher\resources.pak
| MD5 | f7368be9474215f3a47a3ccdaec7aa77 |
| SHA1 | a1b53b741bd7aa8ff08885e3b0769fe0de277b11 |
| SHA256 | dfbcae43a84db44cdef8512d59eddbf37c7e4013e7097e5f02389cbcae80129c |
| SHA512 | 012e68e420228925f33a1d82649d47dc401421163395c701f5442fbdbde1784316429ffa4457964db15e1716ab7840c6c195f34dc151e05e83629800b0dafc20 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | edde8f0d1c2b354e54dfe40cc569eab0 |
| SHA1 | 527e75e7d1bcbd62eddb32544e5f8e0a5a09296a |
| SHA256 | 0f34a5a9c6db0916597e6f822b6619350204fe2f1ff21a4e10c87098f33e5d41 |
| SHA512 | 039f8707b428dee74545279c435975a07a2b4743819f67270188beb12cc9bce9233b0b3e81c4219ea31a530952f297a7bf63b9c61ba0950acbccab753db182fd |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sxov4fcw.3r5.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-03-02 21:28
Reported
2024-03-02 22:41
Platform
win7-20240221-en
Max time kernel
122s
Max time network
129s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 224
Network
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-03-02 21:28
Reported
2024-03-02 22:41
Platform
win10v2004-20240226-en
Max time kernel
133s
Max time network
165s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4744 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 214.80.50.20.in-addr.arpa | udp |
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-03-02 21:28
Reported
2024-03-02 22:41
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
157s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\locales\uk.ps1
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x314 0x40c
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.64.52.20.in-addr.arpa | udp |
Files
memory/4556-0-0x000002AB4D680000-0x000002AB4D6A2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y0soquht.2y5.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4556-10-0x00007FFEF6EC0000-0x00007FFEF7981000-memory.dmp
memory/4556-11-0x000002AB4D670000-0x000002AB4D680000-memory.dmp
memory/4556-12-0x000002AB4D670000-0x000002AB4D680000-memory.dmp
memory/4556-15-0x00007FFEF6EC0000-0x00007FFEF7981000-memory.dmp
Analysis: behavioral22
Detonation Overview
Submitted
2024-03-02 21:28
Reported
2024-03-02 22:41
Platform
win7-20240215-en
Max time kernel
117s
Max time network
126s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2272 wrote to memory of 2244 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 2272 wrote to memory of 2244 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 2272 wrote to memory of 2244 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\vk_swiftshader.dll,#1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2272 -s 80
Network
Files
Analysis: behavioral23
Detonation Overview
Submitted
2024-03-02 21:28
Reported
2024-03-02 22:41
Platform
win10v2004-20240226-en
Max time kernel
143s
Max time network
160s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\vk_swiftshader.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.192.122.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.192.11.51.in-addr.arpa | udp |