Malware Analysis Report

2025-01-02 08:04

Sample ID 240509-k5e45aab91
Target Bitwarden-Portable-2024.4.1.exe
SHA256 e3d958c0be09c74f6ae0a947388ad2a52be5d149fa682badcbb24338fb0edc38
Tags privateloader
Score 10/10

Analysis Overview

score
10/10

SHA256

e3d958c0be09c74f6ae0a947388ad2a52be5d149fa682badcbb24338fb0edc38

Threat Level: Known bad

The file Bitwarden-Portable-2024.4.1.exe was found to be: Known bad.

Malicious Activity Summary

privateloader

Privateloader family

Checks computer location settings

Drops file in System32 directory

Executes dropped EXE

Loads dropped DLL

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

Opens file in notepad (likely ransom note)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-09 09:15

Signatures

Privateloader family

privateloader

Unsigned PE

Analysis: behavioral12

Detonation Overview

Submitted

2024-05-09 09:10

Reported

2024-05-10 05:01

Platform

win10v2004-20240508-en

Max time kernel

141s

Max time network

160s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\chrome_100_percent.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\chrome_100_percent.pak

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-05-09 09:10

Reported

2024-05-10 05:01

Platform

win7-20240419-en

Max time kernel

118s

Max time network

127s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\da.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\pak_auto_file C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.pak C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.pak\ = "pak_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\pak_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\pak_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\pak_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\pak_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\pak_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\da.pak

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\locales\da.pak

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\locales\da.pak"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 65d0368b2d5aa8044f4ee5ad0bdd3e3c
SHA1 65904bb1a95fc3690d8c59c65491543793e1b1d8
SHA256 8ae6f0ac9b6a93a0aec51bd87943c44262dd92803d633d3adc02d3fd2e13f41f
SHA512 fb0b3e978ef24d9661f5f00040cb6aa483962ad8bdde01423eecdd8256903f53d3971eb68fc3ab9aade9cc53ed78de5401e7a20a9cf3f5e9edecc94f55eb76b3

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 09:10

Reported

2024-05-10 05:01

Platform

win10v2004-20240508-en

Max time kernel

151s

Max time network

163s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Bitwarden-Portable-2024.4.1.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2f001hR3P3GVOw8hcMlXrQutUIk\Bitwarden.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF C:\Users\Admin\AppData\Local\Temp\2f001hR3P3GVOw8hcMlXrQutUIk\Bitwarden.exe N/A
File created \??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF C:\Users\Admin\AppData\Local\Temp\2f001hR3P3GVOw8hcMlXrQutUIk\Bitwarden.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bitwarden-Portable-2024.4.1.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2f001hR3P3GVOw8hcMlXrQutUIk\Bitwarden.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2f001hR3P3GVOw8hcMlXrQutUIk\Bitwarden.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3572 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\Bitwarden-Portable-2024.4.1.exe C:\Users\Admin\AppData\Local\Temp\2f001hR3P3GVOw8hcMlXrQutUIk\Bitwarden.exe
PID 1804 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\2f001hR3P3GVOw8hcMlXrQutUIk\Bitwarden.exe C:\Users\Admin\AppData\Local\Temp\2f001hR3P3GVOw8hcMlXrQutUIk\Bitwarden.exe
PID 1804 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\2f001hR3P3GVOw8hcMlXrQutUIk\Bitwarden.exe C:\Users\Admin\AppData\Local\Temp\2f001hR3P3GVOw8hcMlXrQutUIk\Bitwarden.exe
PID 1804 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\2f001hR3P3GVOw8hcMlXrQutUIk\Bitwarden.exe C:\Users\Admin\AppData\Local\Temp\2f001hR3P3GVOw8hcMlXrQutUIk\Bitwarden.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Bitwarden-Portable-2024.4.1.exe

"C:\Users\Admin\AppData\Local\Temp\Bitwarden-Portable-2024.4.1.exe"

C:\Users\Admin\AppData\Local\Temp\2f001hR3P3GVOw8hcMlXrQutUIk\Bitwarden.exe

C:\Users\Admin\AppData\Local\Temp\2f001hR3P3GVOw8hcMlXrQutUIk\Bitwarden.exe

C:\Users\Admin\AppData\Local\Temp\2f001hR3P3GVOw8hcMlXrQutUIk\Bitwarden.exe

"C:\Users\Admin\AppData\Local\Temp\2f001hR3P3GVOw8hcMlXrQutUIk\Bitwarden.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Local\Temp\bitwarden-appdata" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1872 --field-trial-handle=1876,i,14173817748171963317,9242828529418199753,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:2

C:\Users\Admin\AppData\Local\Temp\2f001hR3P3GVOw8hcMlXrQutUIk\Bitwarden.exe

"C:\Users\Admin\AppData\Local\Temp\2f001hR3P3GVOw8hcMlXrQutUIk\Bitwarden.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\bitwarden-appdata" --mojo-platform-channel-handle=2072 --field-trial-handle=1876,i,14173817748171963317,9242828529418199753,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8

C:\Users\Admin\AppData\Local\Temp\2f001hR3P3GVOw8hcMlXrQutUIk\Bitwarden.exe

"C:\Users\Admin\AppData\Local\Temp\2f001hR3P3GVOw8hcMlXrQutUIk\Bitwarden.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\bitwarden-appdata" --app-path="C:\Users\Admin\AppData\Local\Temp\2f001hR3P3GVOw8hcMlXrQutUIk\resources\app.asar" --enable-sandbox --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2680 --field-trial-handle=1876,i,14173817748171963317,9242828529418199753,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:1

C:\Users\Admin\AppData\Local\Temp\2f001hR3P3GVOw8hcMlXrQutUIk\Bitwarden.exe

"C:\Users\Admin\AppData\Local\Temp\2f001hR3P3GVOw8hcMlXrQutUIk\Bitwarden.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\bitwarden-appdata" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=3456 --field-trial-handle=1876,i,14173817748171963317,9242828529418199753,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8

Network


Files

SHA512 ccee660cc4878301c743d3ebde4557dc180d8b6f77c97de5e36c95f6e4d2446ef7be28ebc787fdea2f2d817890ac7bdb713196c755a51677dc127cce77670026

C:\Users\Admin\AppData\Local\Temp\nss65EF.tmp\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

C:\Users\Admin\AppData\Local\Temp\bitwarden-appdata\data.json

MD5 ab9b0d1320e17dd4027d9fd3f78cd904
SHA1 ab1850b155169a13e1dc1d9a01661d8340e7bc2a
SHA256 9f8b84abdcb60f4e353c1656a04f734e991c9427399784992cb80c5493311756
SHA512 c0353fb310099a832f0bc566cbb6d8d1a8b44b8b73c135e41fbd15d7448d16423e771877ba67b1af97e6e7cd2ebe0682086b4e0931fd0e249d405ae7e3876728

C:\Users\Admin\AppData\Local\Temp\bitwarden-appdata\Partitions\bitwarden\Local Storage\leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Local\Temp\bitwarden-appdata\Shared Dictionary\cache\index

MD5 54cb446f628b2ea4a5bce5769910512e
SHA1 c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256 fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA512 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

memory/4708-982-0x00007FFFB64A0000-0x00007FFFB64A1000-memory.dmp

memory/4708-978-0x00007FFFB49F0000-0x00007FFFB49F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bitwarden-appdata\data.json.tmp-5317155459e2677d

MD5 9a6e94d87878dddf68d80a52b35713c0
SHA1 510b9ba4a66745c3c37c44ce6f0e388c4fad3c0f
SHA256 04d9d92f22e116233468d5fb4e469ba891a0e63c8a9a451d8119afa2283c6f7c
SHA512 af547bf7d8074413cfb3483a000b098816fa48abecc0b2258fbcb0962988b45a113f9d8dcecff3ff922b0f7077cbbea1121652fc24a34296db3046052ebfcbb4

C:\Users\Admin\AppData\Local\Temp\bitwarden-appdata\Partitions\bitwarden\Code Cache\js\index-dir\the-real-index

MD5 65959bbde684a7c8400622451b4dbec1
SHA1 7aa84a7956d6a74d9bd38979632cadc34b8c6b97
SHA256 585c6b8abefe9a9d08164ab9934f69b1e87c7155b98fd0c21643720b9b9146cd
SHA512 629ab6f03035abb2f9da31c38a8946aea63f025467a7233b7191a7c5dd81fb355669f3145a4fc6d6a1dccb63fb1c957a10a33c3e526f627b6bfa3a7d0ad807a9

C:\Users\Admin\AppData\Local\Temp\bitwarden-appdata\data.json

MD5 d16fe4c2117391bb8706a6b4af91132f
SHA1 ccebcadd3862d0bb82cc234ae552dde4f4953d4b
SHA256 b092e071273b555613e7271b196630d5bfbdba91f8ccfde8f3d28acd6590840d
SHA512 7c33d939588e2d7cd24e9f470466cf77b26172389b9e30c38fc676a37438ff2bd438ed358f7eae997085963b59eeaa0bdab17d4671edced7a93802709563ffbf

C:\Users\Admin\AppData\Local\Temp\bitwarden-appdata\data.json

MD5 48d9aa08d6f141f403df787d0bbb6a91
SHA1 37aaaffe7730f09c07fe7c9a607dca5d32dd5768
SHA256 9a3e78464d72ad28f92ec505b8a46ef0000166a1d6dc913e94e95f171cf6aef6
SHA512 77b9ead484e90b0f89981eb71c7fec8b411b537116b70e45ca4af2f9c31241b837c8ecccb806f66a1e9a2ba216bcc5c78ade2359f8f9589e0cfadc69d7a258c0

C:\Users\Admin\AppData\Local\Temp\bitwarden-appdata\data.json.tmp-531715966431b015

MD5 859a9365da2cc36ee2a1a39be5682f3e
SHA1 5a833203a47c0999a9990f8e47ce3e79ff50bfc6
SHA256 82815b166fece95e7ec82ff67f14d1a2aeaf7cf0f9a136b42078956d12a09165
SHA512 a368d5c79938502a6d20fb33e432f7f3337e8c85f96d5e25b772b268cd7d79d58089ca6b888a705a52a9b2f9fe24a1133eea111b0679d1ff3d2ce99d3bcf8315

memory/4708-1580-0x0000015D841F0000-0x0000015D84220000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bitwarden-appdata\Partitions\bitwarden\Network\Network Persistent State

MD5 2800881c775077e1c4b6e06bf4676de4
SHA1 2873631068c8b3b9495638c865915be822442c8b
SHA256 226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974
SHA512 e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

C:\Users\Admin\AppData\Local\Temp\bitwarden-appdata\Partitions\bitwarden\Network\Network Persistent State

MD5 3be9cc2813ffa2d6dc9edd8687102210
SHA1 1ddef7e24a2c964948426ca2132509cf8c557271
SHA256 86f550f52db6733dbda0eba1882ac6c21bf83b5bd02a618cfee0210c7103fa58
SHA512 4cd1b25a05dffd55046b25a0e3f8aacac08c40de663d6fc877faef604c32ffbcdd500785230e6f39dbfc1eb377114f1eb90b52145a1ad5ccfdd46100cc80a6f9

C:\Users\Admin\AppData\Local\Temp\bitwarden-appdata\Network\Network Persistent State

MD5 5e910974a2543440aa87f54c688fd897
SHA1 b5df657bad82403cb594146a3b02926273d96753
SHA256 9bbb7f766aa6383e22b7f1f0afd0109a82fd84491701bd73c198e672584acfc1
SHA512 94ccfcff03e4de2e5a70ad1191cdb74be45ff5ef7c0fb59da237a332385c032823f37f93d660a59eca3468b3dab7eeb49d874ba8d068b5b9008f3cd916feeb2e

memory/2348-1618-0x0000022A17E60000-0x0000022A17E61000-memory.dmp

memory/2348-1616-0x0000022A17E60000-0x0000022A17E61000-memory.dmp

memory/2348-1617-0x0000022A17E60000-0x0000022A17E61000-memory.dmp

memory/2348-1628-0x0000022A17E60000-0x0000022A17E61000-memory.dmp

memory/2348-1627-0x0000022A17E60000-0x0000022A17E61000-memory.dmp

memory/2348-1626-0x0000022A17E60000-0x0000022A17E61000-memory.dmp

memory/2348-1625-0x0000022A17E60000-0x0000022A17E61000-memory.dmp

memory/2348-1624-0x0000022A17E60000-0x0000022A17E61000-memory.dmp

memory/2348-1623-0x0000022A17E60000-0x0000022A17E61000-memory.dmp

memory/2348-1622-0x0000022A17E60000-0x0000022A17E61000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-05-09 09:10

Reported

2024-05-10 05:01

Platform

win7-20240419-en

Max time kernel

122s

Max time network

128s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\chrome_100_percent.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\pak_auto_file C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\pak_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\pak_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\pak_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.pak C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.pak\ = "pak_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\pak_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\pak_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\chrome_100_percent.pak

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\chrome_100_percent.pak

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\chrome_100_percent.pak"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 605258772535b3518e26b2882a319e4e
SHA1 af704842f6ff50a9b883a7ba75399e2faf348470
SHA256 d140713a43114f7ed6750061fa6bd82b4b22c9bc23396196fb83144f91908ca8
SHA512 7ddd52856d259b1c3df4172f8d531bb7d8bde013313508124badf19695a9c6f37f5b7c8acb4b6639757e0e0390ce514b90c4520c3cfa0353ce4f5ea0f0ea979c

Analysis: behavioral25

Detonation Overview

Submitted

2024-05-09 09:10

Reported

2024-05-10 05:01

Platform

win7-20240508-en

Max time kernel

117s

Max time network

126s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\bn.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\pak_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\pak_auto_file C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\pak_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\pak_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\pak_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\.pak C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\.pak\ = "pak_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\pak_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\bn.pak

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\locales\bn.pak

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\locales\bn.pak"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 60078d9557996edf647a79e8738e6217
SHA1 fd8e28a142fb09b10d81c9ca062d16eadac26776
SHA256 307c196e5f9c697f6d25fab89c6ffdb676bf0c2158077254ebc7259e406a9d45
SHA512 14da977fff271fa89c554611a08c0d21376dcc09a32f3977604fc315e3598d88e20362009a2d5801f423b03bb7ea22c5dec48dc057af4d7fb8b31cabe3bf752b

Analysis: behavioral18

Detonation Overview

Submitted

2024-05-09 09:10

Reported

2024-05-10 05:01

Platform

win10v2004-20240426-en

Max time kernel

148s

Max time network

155s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\af.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\af.pak

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network


Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-05-09 09:10

Reported

2024-05-10 05:01

Platform

win7-20240215-en

Max time kernel

120s

Max time network

126s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\am.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.pak\ = "pak_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\pak_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\pak_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\pak_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\pak_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\pak_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\pak_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.pak C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\am.pak

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\locales\am.pak

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\locales\am.pak"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 360f7224618546875a673fb1f0b62058
SHA1 8828594e4d6db4bb6f8351b8f195112d74ed5bd7
SHA256 b6eac8dccc58c60ffd87a4c66601df3d51077de62ed0bf68ab1cdaf4752192de
SHA512 03763cb2ebc7c03d1d11fd60ceaefb02d72214ad4153b35b642725298bc02d4fa677ca2ba9063fd69fcfac491bf2e27fb3f9933291a03ab281fd8c99e51d9def

Analysis: behavioral26

Detonation Overview

Submitted

2024-05-09 09:10

Reported

2024-05-10 05:01

Platform

win10v2004-20240426-en

Max time kernel

147s

Max time network

158s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\bn.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\bn.pak

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network


Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-09 09:10

Reported

2024-05-10 05:01

Platform

win7-20240508-en

Max time kernel

119s

Max time network

135s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 220

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-05-09 09:10

Reported

2024-05-10 05:01

Platform

win7-20231129-en

Max time kernel

117s

Max time network

127s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\chrome_200_percent.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pak_auto_file C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.pak C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pak_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pak_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pak_auto_file\ C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.pak\ = "pak_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pak_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pak_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\chrome_200_percent.pak

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\chrome_200_percent.pak

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\chrome_200_percent.pak"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 68b542a465999275599ec8e5ac92a277
SHA1 16a9a2746740891ff27117865e95243c81eaefa8
SHA256 68d74545cb08037979ede0dd0374c7dc98b36a3b5e0620bbdf4250cb0a567955
SHA512 ac3259cece8bc276393b1fcd94c2183adfad41a90325dcb036c56613f2d976911aa59f7a3f77b4aab970d0d9b605cbdd6cb276621aa822ac6639c18886f9081c

Analysis: behavioral21

Detonation Overview

Submitted

2024-05-09 09:10

Reported

2024-05-10 05:01

Platform

win7-20240221-en

Max time kernel

119s

Max time network

135s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\ar.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\pak_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.pak\ = "pak_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\pak_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\pak_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.pak C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\pak_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\pak_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\pak_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\ar.pak

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\locales\ar.pak

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\locales\ar.pak"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 d5a27ed381cb9c7fb8e47903c48ac6b1
SHA1 7fbfdfdc1490eed2822e29e5ea6db986d5064852
SHA256 5351f99cd1cc7c4d20ec94d0f36dcc27f051d51b9f6f313a175620618c9cc3f9
SHA512 8349b9df93c59d3255d75dba771ae90a03cc4e96054d339fbe0c1bbe247bfcefc66a2be0ca7ddaa776760a6530883585c4f5450791b961cdbefb76b5e5cf7076

Analysis: behavioral27

Detonation Overview

Submitted

2024-05-09 09:10

Reported

2024-05-10 05:01

Platform

win7-20240221-en

Max time kernel

117s

Max time network

123s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\ca.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\pak_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\pak_auto_file\ C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.pak\ = "pak_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\pak_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.pak C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\pak_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\pak_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\pak_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\ca.pak

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\locales\ca.pak

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\locales\ca.pak"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 7fb6158c6997f0f6bbb77ecd0a11fb15
SHA1 8130a5ee2f492e24705c11255e326a50248b3a22
SHA256 599a6e1cd8f54a97035f30d8a1152d2c7bf7f44824c79e66a37095f84e4f13ae
SHA512 4f621f56ee7283ff240492f8254254e854f3286414bffb923710d8d833a87bbd6539add1612b0961af7d62d47fe31b42a7b2f9d6df2153b3a592393bbb22b504

Analysis: behavioral30

Detonation Overview

Submitted

2024-05-09 09:10

Reported

2024-05-10 05:01

Platform

win10v2004-20240426-en

Max time kernel

146s

Max time network

156s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\cs.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\cs.pak

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network


Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-09 09:10

Reported

2024-05-10 05:01

Platform

win10v2004-20240508-en

Max time kernel

90s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1476 wrote to memory of 2200 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1476 wrote to memory of 2200 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1476 wrote to memory of 2200 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2200 -ip 2200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 612

Network


Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-05-09 09:10

Reported

2024-05-10 05:01

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

161s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\icudtl.dat

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\icudtl.dat

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network


Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-05-09 09:10

Reported

2024-05-10 05:01

Platform

win7-20240508-en

Max time kernel

122s

Max time network

129s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\af.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\.pak C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\.pak\ = "pak_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\pak_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\pak_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\pak_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\pak_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\pak_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\pak_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\af.pak

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\locales\af.pak

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\locales\af.pak"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 cdb3692d3b4e3d60898db67d6b70e046
SHA1 9d81322fa881c67de55a6d672914628776766602
SHA256 ead72f981102b175913bd645a74aa038e241086473f601bd4756ac013f6f19ed
SHA512 57b65531b5c31712087b1696cc97380c3d11baa28e585f37723ab5ecd791a18c8cb6ba49439e22dcec30d16c2aa0030f5890f71be2853dea30fcd00bd1b29e84

Analysis: behavioral23

Detonation Overview

Submitted

2024-05-09 09:10

Reported

2024-05-10 05:01

Platform

win7-20240221-en

Max time kernel

119s

Max time network

125s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\bg.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.pak\ = "pak_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pak_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pak_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pak_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pak_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.pak C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pak_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pak_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\bg.pak

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\locales\bg.pak

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\locales\bg.pak"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 d546053b66fccf8e96f904422b1f05f2
SHA1 8ceef1209100af9574774e590a26d536f34dc475
SHA256 0efb1f30f97d3c91ae467ab90247dc52cb4d687703f1555dad7e5988d86efc14
SHA512 f74aa2ce7c844c186eb10b2a09ac1d9a1ac43b16f70f8483bbe8d4db027bbd1b92ab4f24dc632eff7ac50f0ed75581816257cc0bf0b0370932739e29f9cd1ea2

Analysis: behavioral29

Detonation Overview

Submitted

2024-05-09 09:10

Reported

2024-05-10 05:01

Platform

win7-20240221-en

Max time kernel

122s

Max time network

129s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\cs.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.pak C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\pak_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\pak_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\pak_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\pak_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\pak_auto_file\ C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.pak\ = "pak_auto_file" C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\pak_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\cs.pak

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\locales\cs.pak

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\locales\cs.pak"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 40f02a7338401ca2cf95b873f20d3167
SHA1 d876b14f28fb61257144c146c78b140ec29f138d
SHA256 adc4a7c7ef90f9e7a73379080cb55415c40b4d17140d2bbb7d7fa198164e0383
SHA512 78f01fadcb595b9885f150d7790bf3362be7293b815ee63234b217a2fd14823476288adfb07618133481b128fa2ad0498681ce9299c211b3a9b4d8f962725d44

Analysis: behavioral32

Detonation Overview

Submitted

2024-05-09 09:10

Reported

2024-05-10 05:01

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

158s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\da.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\da.pak

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network


Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-09 09:10

Reported

2024-05-10 05:01

Platform

win10v2004-20240508-en

Max time kernel

139s

Max time network

157s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app-32.7z

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app-32.7z

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network


Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-05-09 09:10

Reported

2024-05-10 05:01

Platform

win7-20240508-en

Max time kernel

121s

Max time network

131s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\icudtl.dat

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\dat_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\.dat C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\.dat\ = "dat_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\dat_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\dat_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\dat_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\dat_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\dat_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\icudtl.dat

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\icudtl.dat

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\icudtl.dat"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 e5777562d45c49d69a562a8483560110
SHA1 9cd6bb862d8c60866d84a0d51cdd37ce4940b480
SHA256 a0dc9e984d64076eaa29036e7cd667acd3a5b68335ad08fe78576f4c71285938
SHA512 15341029f1726f607c8a93b1ffa896ad00d70a8d0f19820f189c94efa8b7518e010a0e2377e0d1cccf5aa6fde585baa4f4cbe6b131ce77c2e39cc0e070dca2bd

Analysis: behavioral10

Detonation Overview

Submitted

2024-05-09 09:10

Reported

2024-05-10 05:02

Platform

win10v2004-20240226-en

Max time kernel

144s

Max time network

222s

Command Line

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\LICENSE.electron.txt

Signatures

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\LICENSE.electron.txt

Network


Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-05-09 09:10

Reported

2024-05-10 05:02

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

175s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\ar.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\ar.pak

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5016 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network


Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 09:10

Reported

2024-05-10 05:01

Platform

win7-20240221-en

Max time kernel

118s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Bitwarden-Portable-2024.4.1.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2f001hR3P3GVOw8hcMlXrQutUIk\Bitwarden.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bitwarden-Portable-2024.4.1.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Bitwarden-Portable-2024.4.1.exe

"C:\Users\Admin\AppData\Local\Temp\Bitwarden-Portable-2024.4.1.exe"

C:\Users\Admin\AppData\Local\Temp\2f001hR3P3GVOw8hcMlXrQutUIk\Bitwarden.exe

C:\Users\Admin\AppData\Local\Temp\2f001hR3P3GVOw8hcMlXrQutUIk\Bitwarden.exe

Network

N/A

Files


C:\Users\Admin\AppData\Local\Temp\nso2AD9.tmp\7z-out\locales\ar.pak

MD5 2b2dfafb0d258c1d2b58e51ae1ee9ab5
SHA1 2a538491ff4023d29bdf2a053447c6016138d9f2
SHA256 ea49bc2ceb6b185030eaa0ee0155feca90e632390417299113b02fbe365ff731
SHA512 6b629ed83edfea1b1ff3c379009332e413c420de651a24160fae859e1e0948fbebab99c9da714df6dfad3b9e472dece7bee95815ceca428183f4ac0bd6d42ff3

C:\Users\Admin\AppData\Local\Temp\nso2AD9.tmp\7z-out\locales\he.pak

MD5 ec16b50e6575cd6863df282847cac3b0
SHA1 a59e089951c3a5dcfac165774c68651055b829e0
SHA256 c3955c97b6998f1806f8871fd3137f6f504bdd091f8bd1ff5ab8cd089474ae8e
SHA512 3c640430e3391be156aab26f6057e966348dff50ea946a02db947e2316d3a915c29f329faa26725a90af4d06ead7c7fc28cfa7573033b2b9546fd8e4d2bb7ab1

C:\Users\Admin\AppData\Local\Temp\nso2AD9.tmp\7z-out\locales\am.pak

MD5 4eaa15771058480f5c574730c6bf4090
SHA1 2b0322aae5a0927935062ea89bd8bd129fa77961
SHA256 b05dcb8136751aee5eced680a5bad935e386bfce657dd283d3ec00ee722fd740
SHA512 b67e7dd24eadc91d4cd920f8864cfb23a9c67b2cecd54ec97e01705636604ce504dc417d6af1c53f374b58eddf71a12bb82248bd8fd68307161d4833342681a9

C:\Users\Admin\AppData\Local\Temp\nso2AD9.tmp\7z-out\locales\pt-BR.pak

MD5 8dabbceb430a6bc190ee344541fa8e2b
SHA1 44c7da04bac8c9ee67c8d6a0eeb491cf7ffd2479
SHA256 6d54f87f6c8b5e01bd0da9a961236344e95e85c3dc55fc92a34542777d6f6275
SHA512 4d36d527f1769501d1fce208738028d5ba142716a6243798212d5a2403dc5c950dcb3399e571cf3a11b1f35d845a6ba6798c38074d0ed66c894b1c18ab800159

C:\Users\Admin\AppData\Local\Temp\nso2AD9.tmp\7z-out\locales\sk.pak

MD5 fd001b1b02597bbf16baf3f0baf3c6e4
SHA1 e4c703fc115e02833fe08caab1e62775b5812473
SHA256 f9cd222838721a618c23c8f6493bc9699c795c0063998f1a8d506b4b7a297cdc
SHA512 0ee991da6b8ba1bcc3cc27abc645af43bb93edddbf182496aafeeb401d71ae10716335ee0197f1987c21b3abb441aaac968b9a76e75ae77fcba4cc48847f5b1d

C:\Users\Admin\AppData\Local\Temp\nso2AD9.tmp\7z-out\locales\sw.pak

MD5 9808a9df2da0844b1ce1a2a4213c48d0
SHA1 541f24f006ddb3361ff1e5015f097ab799120fc4
SHA256 1949953d638f266ce74d84c020174c074780166b880e7c2ec38bc6047bbb8ecc
SHA512 66b256e02ce11ea0273cc5bfa78e56faf8b250208d1e868bf4af77cbefd1c891708573d63873a5d02436f884544a6550176afcd3a8220cd35d64b88987e94404

C:\Users\Admin\AppData\Local\Temp\nso2AD9.tmp\7z-out\locales\th.pak

MD5 a4d1594635d26330ace7054bc025b76d
SHA1 bc4874a6a3b1d1886f05858ef2f653ab3520451c
SHA256 f06a45f0395c3e42e42c46de2c19a2a104661b47be6f9ee97f8c68b05706ef1e
SHA512 731485b139ba0ed80dac5e582ec36f53a805a867ad33551741b805e851a9d2356fb1894232395d4fdb200defc988bcf6d51e58834b542c398c1012e389953a3d

C:\Users\Admin\AppData\Local\Temp\nso2AD9.tmp\7z-out\locales\tr.pak

MD5 193f0c0a8218f05657e2590ea4ee6004
SHA1 dd3ffd7f67f72de879903a231271c20aee56f695
SHA256 676d46d19d1673eeff4f5e908aec3b53a6273c440e69e7d655ced6c70531cb9a
SHA512 28606d710d44c9a82c2849fa5ef989bac1afab53cdea99a825f80aa41dbd38a9ad6f0f44935f45439922ca2bdddc89c61f8ffcb999aa13fa45558551d5216e1d

C:\Users\Admin\AppData\Local\Temp\nso2AD9.tmp\7z-out\resources\app-update.yml

MD5 8858558e639001c30aee3d914d2cbbb2
SHA1 33be51c036e5e1dd2891b6fdef4004cc3d429c73
SHA256 5104dfba2ff97280f975d131ee2b0007d13225b95aa95249ac4df3127e8158ba
SHA512 4a89f4c4d000e28cf31aca5423590f74acd6a9992085a8753df47337ad2dceedc1431962c811b6a1753a803301b7aea46210ab4cffc0caaa58dd497c7f38984d

C:\Users\Admin\AppData\Local\Temp\nso2AD9.tmp\7z-out\resources\native-messaging.bat

MD5 325b95d51921c4cbf57436cd85b8b9d0
SHA1 0e0e6ef742d5bf17fc513c4592d9efdebcf40b78
SHA256 52930e572fd6c0cda151f360dd1a83580f910eda23f5fceb400227785c55aa93
SHA512 f3e3154d11beb7e4400815f20427a572ac33b28a3a395273361259d659bbbfadc596fe9e8d343d9c2c25004fbe4781d6ccd63984e2eeb275d0a54a3840e24bc2

C:\Users\Admin\AppData\Local\Temp\nso2AD9.tmp\7z-out\resources\regedit\vbs\ArchitectureAgnosticRegistry.vbs

MD5 310a042dca2144c9cda556e9bc4b0c02
SHA1 d2032af7eea0dbd027a36e577567e85486496949
SHA256 caa82e59ca92629057791cb1e0ba0b74c90f561fac81b029033fc081a83431b0
SHA512 843d9f6f300caba8df41511473c43f4d5029fa0012e593677c83f196c8d595194d1409069fb4b8616e0118f37ba943bbe656b29de40f0ad70997ab610fd98db8

C:\Users\Admin\AppData\Local\Temp\nso2AD9.tmp\7z-out\resources\regedit\vbs\regListStream.wsf

MD5 ee5a8ddc32d31c4088ea5e15a5076d6a
SHA1 0c8667d5899b7924994d39c8b887a2ebc9b50a79
SHA256 d482b452af9da79c27db2341891841ec4cfc1d18d5685778ddda97f082f313ec
SHA512 b4ead3a4cf5aad1a88f9d24e5dd9a7418511441a3ad23634102cb8eb7871b10c2720368f6912478f6dc1c627fc051fb2c81b9b4c0f54a5d50301eb324b437c99

C:\Users\Admin\AppData\Local\Temp\nso2AD9.tmp\7z-out\resources\regedit\vbs\util.vbs

MD5 e2be267c02d51df566fa726fc8aa075a
SHA1 c9b9ae17f36e23d5d3cbbf2d6f17a954bfa87d24
SHA256 b2efd5e0c2f695063a8bce40c8182aa70f33c4b1b77d232b7530d89fb9646f0c
SHA512 b6f80622a9f61f636f7786d91a1b9e06a64602f0898425e90a1a696d0a4855c8c08cbd6e6b98b9a3a1a24de354b26260247953b5273f7d57ea87294b4b142e8a

C:\Users\Admin\AppData\Local\Temp\nso2AD9.tmp\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

C:\Users\Admin\AppData\Local\Temp\nso2AD9.tmp\7z-out\resources\regedit\vbs\regUtil.vbs

MD5 77e85aa761f75466e78ce420fdf67a31
SHA1 4470bd4d215d7682828cbc5f7f64993c078b2caa
SHA256 350dea3d6c8e65372f8d12a5fd92a3a46a7519610c69564e8185a2ed66b00d59
SHA512 50af664777545ced78c34a6ea35dae542fdb85b8b307a4a4a95db25a808a695d3fe8840edb36325279c2381fbae071f6b509f7491185cef2f42afcb7672cfd13

C:\Users\Admin\AppData\Local\Temp\nso2AD9.tmp\7z-out\resources\regedit\vbs\regPutValue.wsf

MD5 41e0ad02b82c3dc024b68d95c98ea10d
SHA1 956116c92c52aea91cfcab3ce331f9ec27f27f7c
SHA256 f25a275cc00918ab1633f9026e66ff194a43d843d799f3edf52d527f7d3209d8
SHA512 8bac8bb56e8825f31f774977a2bcce769196dca8093c43a11737b581786d57f4808d3fe97262e062aaf41594c46a320f1065e5726374b66f2fa577cde8f07f5f

C:\Users\Admin\AppData\Local\Temp\nso2AD9.tmp\7z-out\resources\regedit\vbs\regList.wsf

MD5 cae7db4194de43346121a463596e4f4f
SHA1 f72843fa7e2a8d75616787b49f77b4380367ff26
SHA256 b65c5af7dbeb43c62f6a5528af6db3cb1ca2a71735a8e7a1451796f834e355c2
SHA512 ccee660cc4878301c743d3ebde4557dc180d8b6f77c97de5e36c95f6e4d2446ef7be28ebc787fdea2f2d817890ac7bdb713196c755a51677dc127cce77670026

C:\Users\Admin\AppData\Local\Temp\nso2AD9.tmp\7z-out\resources\regedit\vbs\regDeleteKey.wsf

MD5 82bd86d76a25e9d3bc5e7ffb15311b16
SHA1 f749b997b38de6df0f06380049e0cc370bd633cc
SHA256 3db8ee7f2056d79a97fafdcc7369867e7b49ecaa58b7c6ad442be858e1dcc6c2
SHA512 eb1876453aeea894e0c99314f20d54883e45aa29a9305e3a1cfc55187bf9a4abf299d955a7ee8f53f6480a10cdc803e3464759e01b330f93264892fc999823bb

C:\Users\Admin\AppData\Local\Temp\nso2AD9.tmp\7z-out\resources\regedit\vbs\regCreateKey.wsf

MD5 04e6d736dda6eec814e5bff7121a695c
SHA1 bcd113f9b374f977a81e52f1be21c35e9c815c74
SHA256 44201185e05845fef8b56ba9cea0194edffd89d0465b86e055292f84f19526c0
SHA512 6db255f72129f080dd259a3e7603cd1c21702a8810454c7935affe9a9f443a221a614a39cbfecfde1b2e13523992bbc8c222a0d763c018bc4ea10fda0cbfb468

C:\Users\Admin\AppData\Local\Temp\nso2AD9.tmp\7z-out\resources\regedit\vbs\JsonSafeTest.wsf

MD5 b2f8fff6092358229a94cc309ab6c11b
SHA1 e4c29b96408d58d9196ad971cabc50d05bc94c4c
SHA256 c2fab2eb9137feb5ce29833d58690a0735703a0bd2f38538061758b47a44105f
SHA512 a1dae465d9b9ba874d1497485e08d83471d3b97cf1143dcee6cbc24c0121bb6f1fbbb8aff66239aae46ac0b8451fafb1cf7e7a989493b9f91423dd76756aad7f

C:\Users\Admin\AppData\Local\Temp\nso2AD9.tmp\7z-out\resources\regedit\vbs\ArchitectureSpecificRegistry.vbs

MD5 ee5af2ed3dd0d9efbcd172026bdd7260
SHA1 fceb14612cd086a3e285b5e137b0652e8603b354
SHA256 6786fe4e7f09d2266678e2beaec09c5bc7fea8bbb2c34033f37a2a4f3779efc9
SHA512 b166e68fd6d17d8029b8a2cb3b0ed14ce71b3c607d5182f10e05c7f4d8ecf76300034835670031e283f54fa3fb5dbc165e1ad9a4120140c3fef98a34d834250e

C:\Users\Admin\AppData\Local\Temp\nso2AD9.tmp\7z-out\resources\app.asar.unpacked\node_modules\argon2\lib\binding\napi-v3\argon2.node

MD5 1ecbb5d0967915877f1c41c99309abe5
SHA1 00f906a0566593f9da76066092b8d691812b196e
SHA256 fa6165d6c7f9db653d0cc370e1e5f03f716b38708a3cfb8c8d92deedf7d8eed2
SHA512 9b348f0fb649d6a1e6f544418e16e9eafa92f7b52d734fe08c26bdb68045c84135f20b8601186df77bf4775b95d72f3c51dde9bcc5a8d908fb4d3e027922e474

C:\Users\Admin\AppData\Local\Temp\nso2AD9.tmp\7z-out\resources\app.asar.unpacked\node_modules\@bitwarden\desktop-native\desktop_native.win32-x64-msvc.node

MD5 9536a5cf74d052c33669fd8b45230cb8
SHA1 a6cff496275c4a0838a11a5413b8bc67850b9af6
SHA256 26c9676ba3f16568b170599024eee9907df0f6f83069b190cee2d186039af962
SHA512 32f920a76ea3cd469fa7e9ae36a249f1e6b241fa2b8d198e4fb581700ffd23ea07ca2670709020e2751edbf652eb92b6a3b4a4712fc26540b260a28a8d7f5a19

C:\Users\Admin\AppData\Local\Temp\nso2AD9.tmp\7z-out\resources\elevate.exe

MD5 d5113308747f39bed0aa55c99f6a3885
SHA1 0f4ce4fd415240373f3ac1f6d5fdb1579b181812
SHA256 109f1bebb056b569f521a5c7cc76282b1e5933c91a6dbd7242c661e486c394d4
SHA512 33cac50d5b6bbe1a262832816a9f062e8a4b5d2fa9d92fb98f940f06ea8ef3fb373796b366310dc760ea51e454954d09e9dc9538341e4437f65b65caae68a130

C:\Users\Admin\AppData\Local\Temp\nso2AD9.tmp\7z-out\resources\app.asar

MD5 811f444a43fd2238857fcaea23518966
SHA1 d2176b3ea4fd6f2ad3ea976a3b2a75a9b5bbc91f
SHA256 6b18eeed01662213559659962b65d71c77996aba71e78316ede5e8e312f6e2b1
SHA512 c649acd8cd005d49f8bd097db9ab963d81a03335174bf106260ac51278c7777f815370f253b14eecfbad1e2ad9a940d87bea2cdb12d00e59df0767e6f1f6b817

C:\Users\Admin\AppData\Local\Temp\nso2AD9.tmp\7z-out\locales\zh-TW.pak

MD5 1eb532e97b84db33a50055bbd7d36200
SHA1 7aaf0560a16a9754059871a000d237964f3ab0c8
SHA256 6a43c8fac5a0ce7c7a21b30ac7bc2167488e17c81c76c00f0b92b49e9e46e469
SHA512 c946d82bd6ced6e61b35acaf7ace1a61f226c4891caaeeeec9ce4a3ab45e6f43c35dbb388d6d5fa925ed020d7d10f951fa2048269d0585ad3b723f5ad8f4eabc

C:\Users\Admin\AppData\Local\Temp\nso2AD9.tmp\7z-out\locales\zh-CN.pak

MD5 d1145f2dcb13c5ba797df5a0792553c8
SHA1 e8d9604300d6413fc896d252a0261be2dfdebfbd
SHA256 6a9a1f5b7674da36f20cb76af7e3e75e9e56873539e8a3b32895ebba439af83a
SHA512 f54adffc7d40866fd53dbb238687116d46354f79580877b5d4d93840494e604deaeaeb7e825f6a00d020f3c58d1fb9df8af667feb64c86f243ecab57765623e9

C:\Users\Admin\AppData\Local\Temp\nso2AD9.tmp\7z-out\locales\vi.pak

MD5 e088be14dded779f50feabc4906d5ae7
SHA1 0eeca2c7ea82a03b6373c84adf1a890f29e18b05
SHA256 25aeee59775ae38b21a091107022312fc228f96dbea906042bf3626b7cf86b98
SHA512 af9d1e415a6d06c28df9abaae1f337bf4dd3e323dfd5560df5fb35d01c6801b9145072ee85ab4c524c489fb6cdea956ce327b8c4f6820197d76fc2f33171ca3d

C:\Users\Admin\AppData\Local\Temp\nso2AD9.tmp\7z-out\locales\ur.pak

MD5 29403f3d5c8f6ae2a768de2fbe8b368e
SHA1 da83015565980ea1a24f5493be6311f06427269e
SHA256 2520ba8471c840aa075075524c4ad2bde10f43fa7a1b623aa14555180ecd30ef
SHA512 a0709280adec39633ca19daf9f8bac6c17a999101246778a63cd9e172dbea2f281b20ce197290c4af6c7601ee7956da42f17e31461a1bd8b8a4bce3c36dc87b7

C:\Users\Admin\AppData\Local\Temp\nso2AD9.tmp\7z-out\locales\uk.pak

MD5 83e5f0092b6d72403b60fe0e1e228331
SHA1 989ed480b7ef55dfc9ccfbef1a5b9b0e104693d8
SHA256 29d68d90512ee9952635c7e074d5ab210531d93ae24c11a8f91bca20b685e9a2
SHA512 9895928ee516db7d4395b2788135a814031b9ba45e3a837e633bc253b08d6f380e4078d4d3fd51ae37502a39ff45a0166969fb62365e890f4960a51040b20941

C:\Users\Admin\AppData\Local\Temp\nso2AD9.tmp\7z-out\locales\te.pak

MD5 d262c33a8c2b4949dff36cc1980e5f05
SHA1 e1ad725c388c4a1a386b4ab6170601863c943c29
SHA256 09ab1ac2b69f868539d4f2e59dfea8c3c2f418a5455777e4c91d13c5ee55ab4c
SHA512 0202f6ac32878926422d542ea96b0bcf8b168f8ec6b928121c368711856fd5f4781a24b15851cdb5892246b355d0dd37504d4599b24e9fe8a723b8dfbfeed29b

C:\Users\Admin\AppData\Local\Temp\nso2AD9.tmp\7z-out\locales\ta.pak

MD5 d50aa6815b63aff8c443622cb8bfd849
SHA1 fd247855e6e428109e7bf2e0018580cc6e0663c8
SHA256 6348cc2d385b9808fdf1b815914dbfb26f552da4d10f85b2613a5e6e9f95b8fa
SHA512 620e2f9ab9998c68d667e32ad9bbfa2569f7a60fbc2a67d7492c6c215af2a1037708e38b4ed7932074d29a140581fe0ffedddb362133a941966044b98eaa50db

C:\Users\Admin\AppData\Local\Temp\nso2AD9.tmp\7z-out\locales\sv.pak

MD5 a813b566c9e630910e6ca946defb7202
SHA1 2e25d2479715a572c096ce19b8dfd7a6da5339eb
SHA256 48a71912e4843b03358fede7176b2e57ced83d3a1344a92b989886374dbded62
SHA512 b348404135e147cef93c246c826107f9df170b294e9d0cbf576d2812d0ff3d2b7794ab5aba55cf729fcf7135a495d2ff591db62fa61e2998290ff02538a0e48c

C:\Users\Admin\AppData\Local\Temp\nso2AD9.tmp\7z-out\locales\sr.pak

MD5 5d70a218b7dcccab0406fa9239ef800b
SHA1 cd231758f84a0d56545d0a234a58757a18a58d0c
SHA256 a2bc6b064ff1f7b15707f61bd76ddd9d889bd982c4182e9e74272d39c6235c85
SHA512 ef6f71e0d9782b5ed6706d9226c1a7fb5a4323b8dc8de25737c7dcca87d04c16b545372127670de312079be993823f565de1aaaf5ad833bec5baa0856c19b0f3

C:\Users\Admin\AppData\Local\Temp\nso2AD9.tmp\7z-out\locales\sl.pak

MD5 ff14d5f9484350396780bea7f3bc64ec
SHA1 de097f12b70b552824de69141d6ee1969275eca4
SHA256 b174c4c49654f7d65d223568c700bfaace74238447ae63171787236ce2aab00e
SHA512 011bcc3980d21e0900d1da334a28b72623b22b527a4fc3d96a8f78fb055dc87cd1433a63d8b4414a0a86cf2ded5833a395214910b17433a0545e04d1ce4875b8

C:\Users\Admin\AppData\Local\Temp\nso2AD9.tmp\7z-out\locales\ru.pak

MD5 9ef6fd52dec5613f9e80204a84c7f2ba
SHA1 fbb8c9db815126fca3c62c810432a71b6965f2aa
SHA256 d0068b9ddf8a9e6a5b1186bd0e00ed9f09224ed56ba7e653e2d54158d938c6f2
SHA512 0fb442ef86f75ca2cf58a677bd25ffb7c420f98250fac7f5f25e2272d4e7dc505a5f3eb3665b62bec189496154b05a1462b6f17a0e9aeafc1517b71e2d813953

C:\Users\Admin\AppData\Local\Temp\nso2AD9.tmp\7z-out\locales\ro.pak

MD5 938e62fca60d7b54e9c54cdd1f745f06
SHA1 5a61a1ef3ae855ff436c5d7f45b6ec271a5228aa
SHA256 82e69f505222125ea62f8e90d8030d82a1bd49871192cb4274a8fd9d0e03d577
SHA512 d3f43881fc951c961cfb34babaa6eba2aa9175865dc07542dc529ab1c11d15703c03a7e8193c004b004d13f0a0672bccb2fcdd1cd88f32add159c337281d6d5f

C:\Users\Admin\AppData\Local\Temp\nso2AD9.tmp\7z-out\locales\pt-PT.pak

MD5 4816d83e54beaa2f94c671d56361c04e
SHA1 5cae66c0b7079d778ac87ad48777afd85b172d2f
SHA256 a903ca2a8e52f987e23d040de7403b58d925a6c39668d3bc0822fb2aadd34cb1
SHA512 0d3a39e1205ce9366818cb51d38db035b80448dc1e2d2d6bbd7d5df693641582043b45b4a78bbf2334159616187dc85a51e623bb6878b1498d9bc7acd2a6ffab

C:\Users\Admin\AppData\Local\Temp\nso2AD9.tmp\7z-out\locales\pl.pak

MD5 7b5d41611b92b24ec8b36b66feb11f9a
SHA1 3d6c36f404c29d59a24970585931860453f5c88a
SHA256 69e16e41f5fe7fa18557b938874f20cda6879f3cc616ead9a815c1381fe94158
SHA512 16ba52cc799132e4525d220ed595d3969d4cecf163ccea6b62fe2211003b0cc44090c4d384e9cc4e32800181b7f7e0810da5a0d2c908f4625ff8382cfa3c177e

C:\Users\Admin\AppData\Local\Temp\nso2AD9.tmp\7z-out\locales\nl.pak

MD5 b525894276852be4ab42ab7044fa164f
SHA1 d3d035522265718def8125f5c4a1d3e74832dc2a
SHA256 c7a18764ca908ec7f66c48cae2be06fef95213d7a5580b45f9bacee474456167
SHA512 36b11f1df92df27b007fd640b589c6b7b30cd889bc297635bdaa40bfcb4332ff20911edfd23ce74c1c8963dd658f77bf4b9af50d3c281717f58eb23a598783bc

C:\Users\Admin\AppData\Local\Temp\nso2AD9.tmp\7z-out\locales\nb.pak

MD5 bf9bfdfab1479bb52254329d7aa229ff
SHA1 cd9ff35321731b839ea6e5f31f5de0bfb475666b
SHA256 96747543d9b2dbfb4482d4c24d7818d366545b2476633ad4fec8cc958ab760d3
SHA512 ba8e62d0a87c532ff46f2129724dd2f1bfdebd99c2606e0b9608cd07841776faeca15d04ec6241020c232d4c07809d718f40cf4ad9231d6a8996d55973486629

C:\Users\Admin\AppData\Local\Temp\nso2AD9.tmp\7z-out\locales\ms.pak

MD5 d22cfc1b78320157685839f14253fa1d
SHA1 0cfcb5c176d708e26bbca2427be611ce6609eb93
SHA256 c7b56e9ca2f75b4414c13144ff4deee1459c2a7cde79730d863ab234cd4c2f8b
SHA512 2eed40c50a63e362dfe2f172d16e4545f5b19c673e71db674bb004e4e6a4cf793ed4a44ee80d86b05aaa6cc4356c207476afdedc2b35017421ea9b9fa6ebc81d

C:\Users\Admin\AppData\Local\Temp\nso2AD9.tmp\7z-out\locales\mr.pak

MD5 f26bc5673e02a93212220d71cf1bbac2
SHA1 8d0ab40fc2b35b75f99538951acfbf6a348c73a3
SHA256 0877f2e75e0b9f5e709f0a0bf7cc793a02ff5bbb28bd6a8b6b6012760c1bbff3
SHA512 9f3a629dfa116cd92892d120f0fdecc5f57043dad232311bdc8c218ae9317f49e655b8b8dc8399639231f2321013190a667d22b6b2735bbcbc375c438dce9aaf

C:\Users\Admin\AppData\Local\Temp\nso2AD9.tmp\7z-out\locales\ml.pak

MD5 b690b0f01954735e1bcea9c2fb2ac4e4
SHA1 8d98860e202b15a712822322058e80a06c471bb8
SHA256 83d187cd70048f4129fa65ba148c74a04a47ee1f14218e7c85b36fe83e87b5e3
SHA512 786f08019a0917d0b3f29aa2d1885db6a6f995990fd8faaf41a9630f8347b4d210a844cc6690a41b4af37d60e11f41fd2675df1a01bab5915e20cd9bc69b4541

C:\Users\Admin\AppData\Local\Temp\nso2AD9.tmp\7z-out\locales\lv.pak

MD5 393c296fabe0c4c64a7d6b576d7d2cf7
SHA1 16c0605e5829cde9738e1cd3344a59b74fa1f819
SHA256 91642c04de64f88a5c49b4eeaf5d627554e60d56fc40e7cd58cd2601b0d3dbf2
SHA512 067cccb059d4526c104880a26ebf04c7e2498c49c5641abdc91785e859bc0be1475ec58cae9ad1eb076f26fb9215ac246155e123baa13c06a05e4f22a002c2ad

C:\Users\Admin\AppData\Local\Temp\nso2AD9.tmp\7z-out\locales\lt.pak

MD5 edb2c872a4fec5367cbe68035ef0ecc7
SHA1 b4d42bcc83c98dda1ea2ef962d097f6fb3d25c71
SHA256 1bd385b780f3d13d41f8cf782a322e37be889aee273ffde3d8959e0ebcaabd0b
SHA512 dd801a1aac2242e3f532e968b4c9639a2c8bf3eccc17470d9aa8bd6730ae4be3e7276fb782c7908bb6f87d3ade20a40c644b9db5d2201d96d91fd95ebdf429c9

C:\Users\Admin\AppData\Local\Temp\nso2AD9.tmp\7z-out\locales\ko.pak

MD5 cd2310448ba6689cc73d0b2e6dd2791f
SHA1 7827179d3fb98a5abc2ad38e20d942b83b397235
SHA256 cba6b7633cce796407821264e176a6266f80c1799ade16bf16893d68144236c6
SHA512 c3069bab640ae43856330bb8b3a0e0a4ca058a68a0fc03b8efc0ce1dc2b517f11380fbc641221e29b4a527d685ece72107fb83cdb9b539390eaf6a30c21bf36d

C:\Users\Admin\AppData\Local\Temp\nso2AD9.tmp\7z-out\locales\kn.pak

MD5 59e6642f09ce97cfa4a4173413a1b036
SHA1 777a96a4aefbe138f26c8697e66633452285eb2c
SHA256 58d16195170f76e40e18ee0ac2e10e1b73bcfd083821158927a7d67a51bcbc42
SHA512 66deb67a4ce1914f5f27bb6423e5be62e05d0a36320accbe653572a437ce033ed5d26858a62d8c57476b34e1718d580f34ab44a3886d8d22d17f642d70f0138e

C:\Users\Admin\AppData\Local\Temp\nso2AD9.tmp\7z-out\locales\ja.pak

MD5 dfd5ab27c326a1e1f87943a3079a2af2
SHA1 3aaa73a6668e1249e4d51c8fa8e0c6868fde9da6
SHA256 8260f4c9500b64d541386a8515fd0c9ddef82e3f044951b7b51a33ad81c1128f
SHA512 d701674fb6e19bcdf297b19a9fe3b81c7f446019a8c2fd3e90e19294765b1e8ad4f0e40e4bac65b2db313a4f83eb050b5871ee4d74f9ea372208b7abd76c524f

C:\Users\Admin\AppData\Local\Temp\nso2AD9.tmp\7z-out\locales\it.pak

MD5 e0e5580e8882f0eae4b5b21e6c7828d4
SHA1 51e32e51458b5839112ed9dcaf500403c45ac1cd
SHA256 a7f555e7e797e1de1a66cfca8c7b709b0e542ca62e7de96e034701fcef316d0c
SHA512 1a2a4948a5538158e6dab7ca7b3b780ec7a66a0aadb889fd451e07b32336ea08b88b5d57759e335fa967f3b4bb1282e952b97e496d798758159c70eed2e5acb2

C:\Users\Admin\AppData\Local\Temp\nso2AD9.tmp\7z-out\locales\id.pak

MD5 6a406a9adb5c25e35c6838828ef30c17
SHA1 2a1ea1dcb75217ace04254644845cd038df6a980
SHA256 af63384cf7d1d39e57decd823dff7538ab2b1e7e36e9ac61238477f7889d1d46
SHA512 ac7afa288b768a730027db0780b0f7c9f42ef990e4e22751ef1dc85e4841579a6e252293fb04d61b0cb591ccaa5c74d37bbd380afa15308c80ea32070019a361

C:\Users\Admin\AppData\Local\Temp\nso2AD9.tmp\7z-out\locales\hu.pak

MD5 0b62fc2b60b8a92dc506550339766139
SHA1 abf0b1ae99ae40d87f86ee04bdba467674fc1039
SHA256 6ca150d0fc35492bafb411bbc520f3b34da6399969fa9685ae74201623882560
SHA512 aab6058e2f41282ac5a9394cdcd503efdeb6b9eb8b9a64cc1215e31a806e60a34966b6823f91a97bfb81656d91ccfef3a226165811e6f4208fa436e1d04c1242

C:\Users\Admin\AppData\Local\Temp\nso2AD9.tmp\7z-out\locales\hr.pak

MD5 d80178f9df2b72a24a7dc58b5aa13229
SHA1 cda864bbfc6935cb4e3e30a6eaeabbab5264d01d
SHA256 e442d083c32d752d1ef2225d84a4f1a91efab768e86fc63a7ed22c10fbf7e520
SHA512 c08380fc0c415a529a035e6e9c0eebc719766c656a3d9e3a782f21b4fef320688e1d11de8c3a5d0e59a102c9fbadcc960478a17c534500e137f4cb0e697ec9b9

C:\Users\Admin\AppData\Local\Temp\nso2AD9.tmp\7z-out\locales\hi.pak

MD5 18bdd1d8d1d5c6a5fb2678abaa1ef6a9
SHA1 e40602e86e758a518ec70bb6a9cfa23107955301
SHA256 1f49622ec6682c90e03fc42c319074565cf9d3532a2a4e3798e2f6cc159b2e8a
SHA512 c859118e7c1be0642ba9bb1112a98a8fa7114a00711f578971a55aab7254b1ee9bb3899c852b79a002596f29e02f487267aca7033e38cbfd14c90b2989b9595e

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-09 09:10

Reported

2024-05-10 05:01

Platform

win7-20240221-en

Max time kernel

120s

Max time network

132s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app-32.7z

Signatures

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2036 wrote to memory of 2568 N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe
PID 2036 wrote to memory of 2568 N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe
PID 2036 wrote to memory of 2568 N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app-32.7z

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app-32.7z"

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-05-09 09:10

Reported

2024-05-10 05:01

Platform

win10v2004-20240508-en

Max time kernel

90s

Max time network

163s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\chrome_200_percent.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\chrome_200_percent.pak

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-05-09 09:10

Reported

2024-05-10 05:01

Platform

win10v2004-20240426-en

Max time kernel

145s

Max time network

154s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\am.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\am.pak

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-05-09 09:10

Reported

2024-05-10 05:01

Platform

win10v2004-20240508-en

Max time kernel

142s

Max time network

160s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\ca.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\ca.pak

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-09 09:10

Reported

2024-05-10 05:02

Platform

win10v2004-20240226-en

Max time kernel

134s

Max time network

199s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2268 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1764 -ip 1764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 628

Network

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-09 09:10

Reported

2024-05-10 05:02

Platform

win7-20240221-en

Max time kernel

119s

Max time network

142s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 224

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-09 09:10

Reported

2024-05-10 05:01

Platform

win7-20240220-en

Max time kernel

120s

Max time network

125s

Command Line

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\LICENSE.electron.txt

Signatures

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\LICENSE.electron.txt

Network

N/A

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-05-09 09:10

Reported

2024-05-10 05:01

Platform

win10v2004-20240508-en

Max time kernel

89s

Max time network

163s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\bg.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\bg.pak

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Files

N/A