Malware Analysis Report

2024-12-08 03:02

Sample ID 240510-3kfh9sba49
Target f3beb34cc046e27623b8ed753d3fc50584aaf6f388aa6bb75780d1043326e4f7
SHA256 f3beb34cc046e27623b8ed753d3fc50584aaf6f388aa6bb75780d1043326e4f7
Tags
execution discovery privateloader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral30

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral31

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral29

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral32

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f3beb34cc046e27623b8ed753d3fc50584aaf6f388aa6bb75780d1043326e4f7

Threat Level: Known bad

The file f3beb34cc046e27623b8ed753d3fc50584aaf6f388aa6bb75780d1043326e4f7 was found to be: Known bad.

Malicious Activity Summary

execution discovery privateloader

Privateloader family

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Checks installed software on the system

Unsigned PE

Command and Scripting Interpreter: PowerShell

Program crash

Enumerates physical storage devices

Modifies registry key

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Modifies Internet Explorer settings

Enumerates system info in registry

Suspicious use of SendNotifyMessage

Checks processor information in registry

Suspicious use of WriteProcessMemory

Enumerates processes with tasklist

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-10 23:35

Signatures

Privateloader family

privateloader

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-05-10 23:34

Reported

2024-05-10 23:39

Platform

win7-20240221-en

Max time kernel

134s

Max time network

137s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "421546053" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e861098c19b4244d8627ee4664a9606900000000020000000000106600000001000020000000d06b2008479c47cea5649b30e078590a077e3640ccb47f0575956870d0d9a13c000000000e800000000200002000000009f747b7c57cecc363cca59c384e13555dd45f7268702ce2273580411e1f8e6820000000675234d6fa74429570f2e57d97fb34e5d9c1ca8ee75da3c542104fd512d2d75240000000ff5de1cc278aa520d431e38b505232f362ec4bcf12d453eece666e9e2e8b407422a3687dec0a212848aeea0355de379c714c9255e721032ad4c2f850d794a21e C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1E205CD1-0F26-11EF-8A7C-66DD11CD6629} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 708c17f332a3da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e861098c19b4244d8627ee4664a96069000000000200000000001066000000010000200000002be3d44cde65e40d0a65534e690cfb91c741374b6ba0dfdbd45103d2a5c83ecd000000000e8000000002000020000000a1c198492518e975d400282fe29cef6d1deefc1ae6afb2bdd3ff91721bbe65e090000000490acb9c25e00c00fa9123bd2f76b0508a903b7e1126da70f55f1c0dc12b68ee06443819c305c94455bc520e7fae1def7cd35a4cad3306a9d25fe7f2c048224bc668d8b3d009f8fdeeb007e9c112e45427acb8ae95293a376c592a372945dea6be9f547c25991f58207f1314b51a754c335752bbb4eb0dd7e2fdbad0c8f3d93aacdf1a160c455c26841246d6ede06bc34000000006451eea4f2194a5599413c768abfa4f00f3f7849a44e462eefe5e50bcd10ae1c9270b5fdbe72b8efc813d1f4af2cc36086013c9bcc2c48223e711174232a0df C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1900 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab3842.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 af979a51bb2cdf484b3c911e7b7915b8
SHA1 3eca56e9bba31bdb05659d7b17c72292a0e9b685
SHA256 c15aa6b6c8e8891e366c22ed8b5fc7c4bf18a4e2bd0cd0fd426f7bbadf21598f
SHA512 d14a8d4663f49f478543db7a4b02509f3083960379cb166ada4d32b24345c03a5ae4dee06d982aafe39c6bab6822a62285957d704c790c7751aa67a2afc211d6

C:\Users\Admin\AppData\Local\Temp\Tar3915.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b8d1a302d67270718e6df030e852669b
SHA1 22dc4509eb733c3557225705ac4400e9c1ad0436
SHA256 62bc556880b188688c4e1c0f0049c14d8a9b8c66dbd6a806e69ef736f625326b
SHA512 3c66d4d317ca575e65942b45ddef7a712649357909c34427ea6df8b41b8984362b634945b65b23e04c95b6cb144d6262940d1859a257b14b1eb55e1f6792e584

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 384639e9407458f8ee8d078b5aeff476
SHA1 3c537c5030d6d2564726d026d231462d1882c3cf
SHA256 666ec5aae61dcbbc42c3873cf144d81bd1e732465929adfc0aba1f80c4dbbb3e
SHA512 a3cc48b39f6a5f8073f083bb4aee2028eccb49bcd6aeb37e5b9ff8d97eb01f84d3c857e5da16e781f6a21c61182cecdf8e394db22b3550c684e101327c0af3b1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 74cdbc5524765521027631f8bf5865ff
SHA1 5c076b9ec6dc0f51c96ebcf16a774b09e787155b
SHA256 a04b0ba9f0a785e19ef99529c0166e4aee63e03b480840abb5b1121ecd908122
SHA512 7766e98ec49a6393e8b6f2022875f2e007b86a22276033dfec110843f113c53942c9c6e557bb8544c643004fd1ec99e853d0fbd9146c086f1ec10982fe317656

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c450486370331017c55a4ac35850c353
SHA1 f031df7b9cd818a79da7f27f0021324913513e23
SHA256 fe15e4c6a851e96a751c716b179d31d82f841c5dd76d1a861fa49142dfc089e0
SHA512 207153961c5ab05e1e10b6f8e9bb598cda245368a996e6e9b72c13a2375cc99e8037f49f604175c374c657323e2ccc6e77d9d55eeaa483a68190061338e28eb7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b246cccffae61fc3d318204cace1aab4
SHA1 d8eb8a895742819ffaf37e4f34351f252ce99b48
SHA256 ce4e33dff2af33098a2a1a13fda58df1518b38890f0640c1ee3bab93b7963b2f
SHA512 c12e37dc8fa3454ec7d2809de09bb5e602473c48780283e995893164c26594e448ea01ed3c7f2865a1d91d5c9597d4253e4d09929519b97713ecfa56a1c13656

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a1825b933b94f6ef20ab8a05f82ef46f
SHA1 5e9d5f292b5ca049593edb59db868b63af8a8f04
SHA256 87953e039c12bfc3c42676e4bd746ef15120e9b2ab8626bf38e7f66c6cc41025
SHA512 e9f7478e4a23ef30477cfb56d1a96cd401a655664357a1dfde67501368fe85ede3e74c86a4384df9346c1a9b0ed9e45f4b18a16f77de2579c787a940d400fb88

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 eaf22ac198e16c81579ea91ffb101307
SHA1 314665c327bc14a242d403b06a7ea951d4cf0ad6
SHA256 1984ceee3f28aa736e88305e5daa631cde8e88ff42cfbf0c4a4b2769760665af
SHA512 9e9112566e63550aa88bd44ad301f0749b027a50220dbdb75deed3db3a6097ce5fbb8bd6130549c7f7c374a28472c8d65697937b3fd97a12c654024c02a77457

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a574f010470051e61af0ad57e7a7e62e
SHA1 7db8174c297faf4ff35dae9ca02264536a1c641d
SHA256 76587fea30e87f7889b9450ec177518c1573ccda42e42ad56635656a35bd5eaf
SHA512 dc8bb9917b7d14287aaaedbabf14bf8cc53296ca14e446769419cc78f80a7f3957fc63ee1d5545b33416b34248d3889aca053e28c5eaca04699f05d243840287

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3680698d352226e2a66a2dc53c25c8e3
SHA1 744b2cda8ed1ab88c91778d16b835bac81401188
SHA256 04d0e9daa44e416a374875189f13a16413a65b00dd9836ed5aef3bfe37d07621
SHA512 7bbd1cd91ab84e0b4d43cac2eb21c7375ab22b1fe48a03f9dd1e6a9e3342809112cecfbddad1b6dac43e407a495f5403d45ba147d1d4c41e9384561832ca0913

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4bb5e8132140f6f6102ced26588dfdd0
SHA1 a42083ee492a3deb67697c9e2ecee8462396344f
SHA256 17475b8d39550bb3bdd378ee795d8741be5e6388082e53f09278c7f872ab1167
SHA512 25f94faa3919bf7922255d0f4098898f68cbb93374970a166c9afd7e37ae297fec52ddd7b277d2cada6485ee19fc2238c4420c4801b32b471bb6895e7b437ab5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 51c328594f0a0468cf90e74bd85ad88f
SHA1 daaf1a79ba290a1c517b70c9c01c728182b621db
SHA256 b342ede5f452e3ff590c379377ac223bb985fc1cc8dcb777cd4f2cd38aedaedf
SHA512 e6dd2f893e85eb26f596d4b1415f2fb6c48524d57a2640f05289fd5c5dd16576b8b7da252c62a1e2b60268f8c5a85fbd83614e22cf12943fe05efa910b95b1c1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ca02f48920101d180f147b3dd35445f6
SHA1 0ffe00d3d922f151e97ec0ce118617e951e3783c
SHA256 cbc8878fccfe248bc9aff17266fe182786aa8c0e0a36f10a95ad954d065390e7
SHA512 90e3fb81756e79341928b80a74d9cdbe90148b7b0cd84577a32d0159657c376712bd60a53641b1e6cd136307c0b11eb27c94ab1c0631cad3508fae5e786865df

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 72023de95a5c6704ac81673d7480a368
SHA1 d61fc29e579925db2b6c229dd44f05fc13a82ecb
SHA256 f1b52bc7cc700e87b26dca068905a32b000a1c5d70b1d481e348daf9c68d8632
SHA512 97d88b18a78217cd9d00c790bb913f1f6e70870e32674422727b19f7a785272ef50d64a268d8281a763511af7fb54c17714341149cafe38e63b7179f7d3d3aec

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 764ce7d9fcba9adc6cd3ebf593074235
SHA1 26a444e39a35472f404ad6421870e7914b56df7f
SHA256 5406631bcc45ee034b7db2db94f9d228f158228411e2f9d44a7d498f3b3f98c8
SHA512 695853ed569c800b6970ca59602def2127adc5c77dd0d9da0b88fc2424d9600fd2d1358ec9910d6fda2c00db5418311f167b6c4ab38348a876feecbb70d2ec1d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f0f38ee1d8b32bc677ac62e459fb11d1
SHA1 437053724686fee18d2281be96018b11fde9a900
SHA256 047de33ed96c0f93cd6dfcb1b1f1e1bee4cb3ae9a811f19be2d5c1eca597f2c8
SHA512 eb6b7cd7355e562909862cbeb2e762d40b61a6f6cff567de2fa99866d8e610a4ed5ee8a832e074c63226dc0b6eb696b47174751653191cae8bc1472ba9f4007f

Analysis: behavioral17

Detonation Overview

Submitted

2024-05-10 23:34

Reported

2024-05-10 23:39

Platform

win10v2004-20240508-en

Max time kernel

90s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-05-10 23:34

Reported

2024-05-10 23:38

Platform

win10v2004-20240508-en

Max time kernel

88s

Max time network

158s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 31.121.18.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-05-10 23:34

Reported

2024-05-10 23:38

Platform

win10v2004-20240508-en

Max time kernel

90s

Max time network

158s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\locales\af.ps1

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\locales\af.ps1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

memory/4084-0-0x00007FF8B1F83000-0x00007FF8B1F85000-memory.dmp

memory/4084-6-0x000001D7A89F0000-0x000001D7A8A12000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fjn0irqe.cgz.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4084-11-0x00007FF8B1F80000-0x00007FF8B2A41000-memory.dmp

memory/4084-12-0x00007FF8B1F80000-0x00007FF8B2A41000-memory.dmp

memory/4084-13-0x00007FF8B1F80000-0x00007FF8B2A41000-memory.dmp

memory/4084-16-0x00007FF8B1F80000-0x00007FF8B2A41000-memory.dmp

Analysis: behavioral26

Detonation Overview

Submitted

2024-05-10 23:34

Reported

2024-05-10 23:38

Platform

win7-20231129-en

Max time kernel

121s

Max time network

135s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\resources\dist\pages\cantLoad.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000093935c775445a84fa873849a47fa3db9000000000200000000001066000000010000200000003f8f452e2821dfa383c51281a314a054ad8aaf7f8bb488fd5fbc1e3c9ae329e6000000000e8000000002000020000000b09c1143930b20c51030ce4620a96bedfa97d2c37b8e56afcf3f67927e6b612c90000000cbfb19e14ddbfa0c99c8281f2ec5d443bb7de0d4b9f7b95a5691cf16b700cfccc790604a578908440f67e9e7315ed8a6624f86b72e1b5c689211b21263e4c75b8586914c8635c6fa621635ad60083830c739d6705a72de5f31f5b5a998bc20152669042b56628eb1f5c1e3b23a609fe9658038c6582489624e71fac5ae3a88fed27568d8ada1b634151b12555bf2f4fe4000000090b8df22af32e22d5771c9c10c62e32105f69e9ba5e7916ae809ed46e17f4fab653d380dc34ec3e4e3511867fa05cf26b03456fe560c1192179f2e32435f60d7 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80d7b8ec32a3da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{182013C1-0F26-11EF-BF0E-72CCAFC2F3F6} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000093935c775445a84fa873849a47fa3db900000000020000000000106600000001000020000000da3f04d786938d04b3b0829214f6c8f4e4f6f065375f42b268af86b87f298d6f000000000e8000000002000020000000188c3d04f6141f952c36051822efc253f87ed2097c9a43391930911f761f989720000000b576b651b8aba03c32cdc78aba7fac6b15f728cd1db229ccce2baa83846f982d400000004f7e678be223e77d5f45b53c22e1c2355b9a60d1751fcc7fe5fbd88d1fb04b7a6e0b0430cd09a46b2abe0952a2b6cc04e4888fabb2cdd43d03361cc2e75a112a C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "421546043" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\resources\dist\pages\cantLoad.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2104 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
NL 23.62.61.155:80 www.bing.com tcp
NL 23.62.61.155:80 www.bing.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar4BD5.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 450f5617b586bb1fb4f545b4f4431149
SHA1 a0c092fdccbdcdba7d1257d90deed6e3b352ffa9
SHA256 2a2f2f199659b390519a8ab224441b7004c67f4fe63f1fd77c0fd46531236a00
SHA512 db0946d767e56a4fafc5dd990ec4f1f7aea1350ccca4c6c809a13ed162a59641ac3a865a590bb63ec9fc6e45cf7d8f782e41b94db5063db528c2605fa8b44ca6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 76144f286cf180cd731c6db637f691fe
SHA1 c7c929e8ff99442860ce8339ce827c9af817c7c5
SHA256 3335ea9ad8a9317a851481fc126e7e535daf1b56d110e25f2382a8d1ec41acc8
SHA512 26136247b51ef7b4c8504885ec47ec1237b26223cd5442d8664a2de7e4319b825a521a4b116b9171336b714b63cae9b88af3062459a778f97521f39068f11401

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 300ef5baf82eb73817d038c904e70d01
SHA1 25b6625f76177b3338678891fa9d67c2d0e54cd9
SHA256 1826207ea102655ca12245d044d2aab663227b57473f65b898278dadd9cc314e
SHA512 ff72ebfdf3578a96c90babcb8e246b3d5a161002135ab44d43c055465539c28faaca2b052ffdb0215972f4621e2dc59440de89166c360f6b443ecd0e9e26a17a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3a9f7eb0b46423f5b62bf09996780d0e
SHA1 cfa5bbe6e842777664534f261e4a5271bd82ce99
SHA256 26b13a8fc6145475091b582441cb1d10e5896ce0af860bb716c07de3b8806c0e
SHA512 935ba08a6c0409c9c7a69240eafd896c6d0a4bb99af106c47de5439535e15d6243a3a1059d2ad2d6146c0cad0298346b0e98805f338e99950b4550adef5224a2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8a5069d690b0914bac00581d0acebd48
SHA1 5159c5cd5de62d7447b450c3762b6a69463f15d3
SHA256 36831c17e10901d949997cd9a41135b5c006680f9c3bdc5d798f735e86e316fb
SHA512 0cb7e5849be9e366ccf56cb5d4c964cbfe7b2bac88a4358685434a150385687f92e359767496c16e6d790012ad2d301d01ec1709ad7ba9e9baef4de6d7105eaf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b73ec6d7ef2ac832e2ca054dc529b32d
SHA1 db4469eff70c547879253654e6ce053ed95c3e06
SHA256 9af7cbdd68e90dc560fe2678514b120677353dbf132e2579826afcab4ab815fd
SHA512 f3192bde9574be926d342106f60f999e35d79a997fe6f5560d9912f9d88bcfba4bb93b69e9609819ff914f2c98a1c2e0cd87641c0a4358210fade90dea9265d5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c5f5fc924bc1df5b3ab6095171087822
SHA1 b11d54053bec1020bd31518a540eec26c0c4fbe5
SHA256 d6a370dfb877873dd6995dc1a3ca4ec1d1887ff1c8cc9b5ddbbf5e0c8e45c938
SHA512 c07e28c28e1f3876e9f43f833276b6cbf4a942b8bc09856e287e5dc7541efe456247c534bbb707c635522d3ec0c9d9a6dd623e4b2f6810a466d53e526b8ec337

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 9a44fda37b9d5d9549f46a50be7b788d
SHA1 6bde84e4bc29a0e34dd97bd5d6f49c93539839ee
SHA256 aa7a75e6c979a1248bbe1fc6f6509977e6d3d21cfe0b54327f11de340ab1457a
SHA512 3570377fb755c9dc59f7189bdd2ac5e98fb34d940bba9a7919e47325d5cd90b355539fc45dab109e02cb5023687fbbc6a11daaa178f6fea40dc7190aa1fa3f27

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a8db2183987819ca83969ef1e9d5983e
SHA1 7a8b89165e818c98f1520c1b0e3a8d9cc97546c5
SHA256 9eca002dcf028c4dc793217bdc7678a7d4b1c8139b8fee91aaa7255de11e01e3
SHA512 9bf6f1b3014f3f1e1a19bca953510353d0e797de4412768acbc1be4b58f7563e651b45b4d381ddb4a51d4f1c399306472018ee45046acd2fd659c4e36bb7d9fb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 56f88bb4a06954f1c09ab52c03ee0086
SHA1 1527b6f95c23e52fb568474d166ab0381c13879b
SHA256 f1e3b97ec875898b46d32232cc847a87eb719c1e62e83af32a5f13ab0981f91c
SHA512 59957502261e5f2753883aea4a28ed79a0c20df2d4b03756f71c81ac3eddb730df6f01bf37049af0c061aa70bab18b8f0ec0e7241e2d1ea4445f996c979607a5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cdc977b7dd1a04e0931367ffaef51943
SHA1 004b7a87db52375248aef68e6f4b04626062414f
SHA256 bb43b38f02803f7d6d874092cfea7f817a8586a1d7e9fcfab1680bcbefcfa636
SHA512 5c975c3fc49051a7ccde62a94dd1e8ef5712c895548579f49318560a8aa609736f5a7ec4412cc658e29b39d179851a36f350a385ade384b98c0d70e478c6267a

C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

MD5 da597791be3b6e732f0bc8b20e38ee62
SHA1 1125c45d285c360542027d7554a5c442288974de
SHA256 5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07
SHA512 d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a0440069e4a8b5ea256e2f08085c1c4d
SHA1 4eeda5f4ffc5b7e05a5464473111fbc3c324cfc7
SHA256 4dce108c8ac611b6870fc57c62cdc6ba1ff6db64b4475def28111ef8bceddddb
SHA512 21d1d8776d1ce9f30e9eea37c176e0cb466a5dc54b6019ccb057f2f6353c8a665497b8a7ae9f48b37293e0420ef53bece40ee0e0cab27bca1d9c2c8d4c030fb9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 02cd5ea9724ce2d3687723da9a6ba223
SHA1 644c922e5687e09386d482f851c97ba952808b41
SHA256 84018f6b79513c86fc4d6b032ca3aece859b4f93110cbe22c462aeca89d2d57b
SHA512 cc0548b5e7ca71121a4555bbfb1589d53d622a8a9b6b131df249ae09768a46ca526f3dfa7aced4abaa6ee3e2866d0b9240fa490600f9de05294d903e7f97ba65

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 257ad37f5fba6754da431c09de5ed790
SHA1 945a5de317794506d0e9a7b59f1eef8d9ab6cc02
SHA256 dbba9354f9a4b7a88d60a0963fdedc6840ceb262807839714198fdfb38db3f1d
SHA512 3db9c0978875c15250824cfc7026dff934a8c6ac27a9b4cca6f42c029c12c4bf444b7ac2b656ef9819595fcdd0151e737cf0f50c1e80bc30920c8ffc600dbad8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1a7a70bc857893033fdc7471d11326d7
SHA1 9c406a4993b47976392fe06b28dc79c3da2e46b2
SHA256 d70040ba1e21eb56d93e72d26053ccfb1efe7a387f1bf9d12ef0c7a46582f441
SHA512 b5627225f19401c8c50bf9e375b29abf34c686adeaa87e000368d18bf87594c3d6fb4c90f5854925ee724281d7a426ff05e9768d0c476c8a7807d4fc86cc7bc8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1cf0303548c8b13bfdb6c1f4b66ee87c
SHA1 e3c822d26faf634b9d393abc231845fea80e3745
SHA256 ddc8dad30e476b96736f8bc8dc6fb53830fa6b149cb9726b3674e382c6b7b02a
SHA512 f15d2572a2bb9b39744d27086b57f529ff6547cac54ec7d1ae197571aae370721ab451fe1106b90dd38708d0317e1a6ef58dd6367e036bc5aa2c7f90e4665e5f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 265eab77349adeb4f46550d5d2f2320d
SHA1 7ee7b119fd5bc990a328f2c61b0d3c7cab1ca80b
SHA256 775b9fecfd5a8e00369ca54c7b3a1d1bee2209260176d22b06f6d576d891f803
SHA512 d4cbf14fbcc0a051ee08238b2988c53e717a476ac58a9805b528fc6f422659f833079bab9e36bbea390d3c9339bf2f56449f587f7f399ab626561b5ed9b1717a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0269c5da0daab297d525ff24c8d1fabf
SHA1 c5836b7467387b3acdcfda8154517852ed93a9d9
SHA256 c042f1a3f15da0b6d555e40c53b85aa54dc9c9f459573ed3ed9c7dfc353b5c47
SHA512 9832a502a41cfa7a1e8584e4afa2e41ad30f64f4e3a6a09d9d7a584b51dd6b6b3f37ba9e534868c49b914ec9ac35647081e1605b2081fe46f4ffe36d71115b1d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fbe41355b58d29fddc736a63968bc527
SHA1 8b772e27689fb3b4fa4dcaa3bae174aff5fa38cd
SHA256 45ee34f4f6abaea5359fa21ff14db53ae795fbca8736ed58dbcc5cd2f3953f29
SHA512 48878d7d3f5057702d581c13cda00f46204e672e47ca7b328c959fd10a55e32a15cc49ef6d0b434a163e7b6dcef8c72d4e74fe9a6960cd0a6f79e2ab5256cc87

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8c2b64cd46b84fe89f3a20873d88d0c0
SHA1 a1ef7dbb524cb2309e4f92e2e9b6fe9218f5a8fb
SHA256 5c26f4aa9f56a73216551015cdebee824a2a00d000692347ca3e08a57140d40d
SHA512 e3506485c185e60fd68c260a0dbc52334edbdb83358c691e90f5a6144ed0ba7ef1290717526308ce4d23759e3cfedad4b50f83af700c45cb72098575e82c789e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0aaf862e54b29b7d121452efa2390466
SHA1 5e57923d2cc57b09ce238189dd3eac83f5ac6e28
SHA256 7f33479995f8865640804f78e095b424e2bb1b9b08a0a714f0e145ca5d7af0a3
SHA512 0b652ba790664dc9d75b01d37105d8af937f9099c62f26ad73686c9e493458e97f32e9ad50e698e447d1118f977efa7ef41880bc15c9c173b29596c4ceaab10e

Analysis: behavioral30

Detonation Overview

Submitted

2024-05-10 23:34

Reported

2024-05-10 23:38

Platform

win7-20240221-en

Max time kernel

117s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vk_swiftshader.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2512 wrote to memory of 2508 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2512 wrote to memory of 2508 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2512 wrote to memory of 2508 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vk_swiftshader.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2512 -s 80

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-10 23:34

Reported

2024-05-10 23:38

Platform

win10v2004-20240508-en

Max time kernel

151s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f3beb34cc046e27623b8ed753d3fc50584aaf6f388aa6bb75780d1043326e4f7.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A

Checks installed software on the system

discovery

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f3beb34cc046e27623b8ed753d3fc50584aaf6f388aa6bb75780d1043326e4f7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f3beb34cc046e27623b8ed753d3fc50584aaf6f388aa6bb75780d1043326e4f7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f3beb34cc046e27623b8ed753d3fc50584aaf6f388aa6bb75780d1043326e4f7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f3beb34cc046e27623b8ed753d3fc50584aaf6f388aa6bb75780d1043326e4f7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f3beb34cc046e27623b8ed753d3fc50584aaf6f388aa6bb75780d1043326e4f7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f3beb34cc046e27623b8ed753d3fc50584aaf6f388aa6bb75780d1043326e4f7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f3beb34cc046e27623b8ed753d3fc50584aaf6f388aa6bb75780d1043326e4f7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\bearly\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\Bearly\\Bearly.exe\" \"%1\"" C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\bearly C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\bearly\URL Protocol C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\bearly\ = "URL:bearly" C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\bearly\shell\open\command C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\bearly\shell C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\bearly\shell\open C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f3beb34cc046e27623b8ed753d3fc50584aaf6f388aa6bb75780d1043326e4f7.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4832 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\f3beb34cc046e27623b8ed753d3fc50584aaf6f388aa6bb75780d1043326e4f7.exe C:\Windows\SysWOW64\cmd.exe
PID 4832 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\f3beb34cc046e27623b8ed753d3fc50584aaf6f388aa6bb75780d1043326e4f7.exe C:\Windows\SysWOW64\cmd.exe
PID 4832 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\f3beb34cc046e27623b8ed753d3fc50584aaf6f388aa6bb75780d1043326e4f7.exe C:\Windows\SysWOW64\cmd.exe
PID 1372 wrote to memory of 4996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1372 wrote to memory of 4996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1372 wrote to memory of 4996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1372 wrote to memory of 1968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe
PID 1372 wrote to memory of 1968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe
PID 1372 wrote to memory of 1968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe
PID 620 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe
PID 620 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe
PID 620 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe
PID 620 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe
PID 620 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe
PID 620 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe
PID 620 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe
PID 620 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe
PID 620 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe
PID 620 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe
PID 620 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe
PID 620 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe
PID 620 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe
PID 620 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe
PID 620 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe
PID 620 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe
PID 620 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe
PID 620 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe
PID 620 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe
PID 620 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe
PID 620 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe
PID 620 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe
PID 620 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe
PID 620 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe
PID 620 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe
PID 620 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe
PID 620 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe
PID 620 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe
PID 620 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe
PID 620 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe
PID 620 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe
PID 620 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe
PID 620 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe
PID 620 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe
PID 620 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe
PID 620 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe
PID 620 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe
PID 620 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe C:\Windows\system32\reg.exe
PID 620 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe C:\Windows\system32\reg.exe
PID 620 wrote to memory of 6676 N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe
PID 620 wrote to memory of 6676 N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe
PID 620 wrote to memory of 6676 N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe
PID 620 wrote to memory of 6676 N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe
PID 620 wrote to memory of 6676 N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe
PID 620 wrote to memory of 6676 N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe
PID 620 wrote to memory of 6676 N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe
PID 620 wrote to memory of 6676 N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe
PID 620 wrote to memory of 6676 N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe
PID 620 wrote to memory of 6676 N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe
PID 620 wrote to memory of 6676 N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe
PID 620 wrote to memory of 6676 N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe
PID 620 wrote to memory of 6676 N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe
PID 620 wrote to memory of 6676 N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe
PID 620 wrote to memory of 6676 N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe
PID 620 wrote to memory of 6676 N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f3beb34cc046e27623b8ed753d3fc50584aaf6f388aa6bb75780d1043326e4f7.exe

"C:\Users\Admin\AppData\Local\Temp\f3beb34cc046e27623b8ed753d3fc50584aaf6f388aa6bb75780d1043326e4f7.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq Bearly.exe" | %SYSTEMROOT%\System32\find.exe "Bearly.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist /FI "USERNAME eq Admin" /FI "IMAGENAME eq Bearly.exe"

C:\Windows\SysWOW64\find.exe

C:\Windows\System32\find.exe "Bearly.exe"

C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe

"C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe"

C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe

C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\Bearly /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\Bearly\Crashpad --url=https://f.a.k/e --annotation=_productName=Bearly --annotation=_version=3.0.0 --annotation=plat=Win64 --annotation=prod=Electron --annotation=ver=24.4.0 --initial-client-data=0x47c,0x484,0x488,0x458,0x48c,0x7ff779e1dc70,0x7ff779e1dc80,0x7ff779e1dc90

C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe

"C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Bearly" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1772 --field-trial-handle=1776,i,3683799078131096929,12864781374104757647,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe

"C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Bearly" --standard-schemes --secure-schemes --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --mojo-platform-channel-handle=1820 --field-trial-handle=1776,i,3683799078131096929,12864781374104757647,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8

C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe

"C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Bearly" --standard-schemes --secure-schemes --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --app-path="C:\Users\Admin\AppData\Local\Programs\Bearly\resources\app.asar" --no-sandbox --no-zygote --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2384 --field-trial-handle=1776,i,3683799078131096929,12864781374104757647,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Bearly

C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe

"C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Bearly" --standard-schemes --secure-schemes --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --app-path="C:\Users\Admin\AppData\Local\Programs\Bearly\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3636 --field-trial-handle=1776,i,3683799078131096929,12864781374104757647,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1

C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe

"C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Bearly" --standard-schemes --secure-schemes --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --app-path="C:\Users\Admin\AppData\Local\Programs\Bearly\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3664 --field-trial-handle=1776,i,3683799078131096929,12864781374104757647,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1

C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe

"C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\Bearly" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3392 --field-trial-handle=1776,i,3683799078131096929,12864781374104757647,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

Network

Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 bearly.ai udp
US 8.8.8.8:53 bearly.ai udp
GB 20.26.156.215:443 github.com tcp
US 104.26.10.184:443 bearly.ai tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 accounts.google.com udp
NL 173.194.69.84:443 accounts.google.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 184.10.26.104.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 84.69.194.173.in-addr.arpa udp
US 8.8.8.8:53 o4504114762612736.ingest.sentry.io udp
US 8.8.8.8:53 o4504114762612736.ingest.sentry.io udp
US 8.8.8.8:53 js.stripe.com udp
US 8.8.8.8:53 js.stripe.com udp
US 34.120.195.249:443 o4504114762612736.ingest.sentry.io tcp
US 151.101.0.176:443 js.stripe.com tcp
US 34.120.195.249:443 o4504114762612736.ingest.sentry.io udp
US 34.120.195.249:443 o4504114762612736.ingest.sentry.io tcp
US 8.8.8.8:53 exec.bearly.ai udp
US 8.8.8.8:53 exec.bearly.ai udp
US 104.26.11.184:443 exec.bearly.ai tcp
US 8.8.8.8:53 249.195.120.34.in-addr.arpa udp
US 8.8.8.8:53 176.0.101.151.in-addr.arpa udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:443 dns.google tcp
US 8.8.8.8:443 dns.google tcp
US 8.8.8.8:443 dns.google tcp
US 151.101.0.176:443 js.stripe.com tcp
US 8.8.8.8:443 dns.google udp
US 34.214.238.153:443 tcp
US 8.8.8.8:53 184.11.26.104.in-addr.arpa udp
US 52.33.51.5:443 tcp
US 8.8.8.8:53 153.238.214.34.in-addr.arpa udp
US 54.187.159.182:443 tcp
US 54.187.159.182:443 tcp
US 8.8.8.8:53 5.51.33.52.in-addr.arpa udp
US 8.8.8.8:53 182.159.187.54.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 200.79.70.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\SpiderBanner.dll

MD5 17309e33b596ba3a5693b4d3e85cf8d7
SHA1 7d361836cf53df42021c7f2b148aec9458818c01
SHA256 996a259e53ca18b89ec36d038c40148957c978c0fd600a268497d4c92f882a93
SHA512 1abac3ce4f2d5e4a635162e16cf9125e059ba1539f70086c2d71cd00d41a6e2a54d468e6f37792e55a822d7082fb388b8dfecc79b59226bbb047b7d28d44d298

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\nsExec.dll

MD5 ec0504e6b8a11d5aad43b296beeb84b2
SHA1 91b5ce085130c8c7194d66b2439ec9e1c206497c
SHA256 5d9ceb1ce5f35aea5f9e5a0c0edeeec04dfefe0c77890c80c70e98209b58b962
SHA512 3f918f1b47e8a919cbe51eb17dc30acc8cfc18e743a1bae5b787d0db7d26038dc1210be98bf5ba3be8d6ed896dbbd7ac3d13e66454a98b2a38c7e69dad30bb57

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\nsis7z.dll

MD5 80e44ce4895304c6a3a831310fbf8cd0
SHA1 36bd49ae21c460be5753a904b4501f1abca53508
SHA256 b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592
SHA512 c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\chrome_100_percent.pak

MD5 acd0fa0a90b43cd1c87a55a991b4fac3
SHA1 17b84e8d24da12501105b87452f86bfa5f9b1b3c
SHA256 ccbca246b9a93fa8d4f01a01345e7537511c590e4a8efd5777b1596d10923b4b
SHA512 3e4c4f31c6c7950d5b886f6a8768077331a8f880d70b905cf7f35f74be204c63200ff4a88fa236abccc72ec0fc102c14f50dd277a30f814f35adfe5a7ae3b774

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\chrome_200_percent.pak

MD5 4610337e3332b7e65b73a6ea738b47df
SHA1 8d824c9cf0a84ab902e8069a4de9bf6c1a9aaf3b
SHA256 c91abf556e55c29d1ea9f560bb17cc3489cb67a5d0c7a22b58485f5f2fbcf25c
SHA512 039b50284d28dcd447e0a486a099fa99914d29b543093cccda77bbefdd61f7b7f05bb84b2708ae128c5f2d0c0ab19046d08796d1b5a1cff395a0689ab25ccb51

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\libEGL.dll

MD5 6426112edaa62ca308f7f32d26d4f6ad
SHA1 3edfd900da6a5fb1c67c41e18ea0ec9a2752ba2e
SHA256 a23882d8555d8c3f1d27ba39b0225d68bc446e250d19d36aff4ef65d221458a3
SHA512 f967dea3f18ab81c8ca72b722962944b9a874cfda4c95237e96b1e989ff3657a087957c1ff2c374616ed2e49a75f2786174ff8972a3447589468dfafaf4db582

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\libGLESv2.dll

MD5 b7214621f818dfe440ade5b2f3619519
SHA1 4b95d412e49f2e4c3ce71e10b2d76df3ab63547c
SHA256 59133f095f941eb8d6b3613fd08b98e6d84e8290f3f72ded6d98c8683582f188
SHA512 d8195862a8d6ca8de5aa4096ce1feabda3f8375279904124e80451ef22d1ae13e4de35487afe36996d0b51edc16c48ddda03c5c2b14f4bd5e465ed48e9e3d29b

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\icudtl.dat

MD5 2134e5dbc46fb1c46eac0fe1af710ec3
SHA1 dbecf2d193ae575aba4217194d4136bd9291d4db
SHA256 ee3c8883effd90edfb0ff5b758c560cbca25d1598fcb55b80ef67e990dd19d41
SHA512 b9b50614d9baebf6378e5164d70be7fe7ef3051cfff38733fe3c7448c5de292754bbbb8da833e26115a185945be419be8dd1030fc230ed69f388479853bc0fcb

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\ffmpeg.dll

MD5 d8cd1aca8dd3a91d0bf32da2e746545e
SHA1 6a28b357d93fbb3502bc386019899c9f3633b069
SHA256 5b831daa8515b3d1f346b481ec04f881a3fe728944e966624489d3a3872a40bf
SHA512 af70b88194539cdebf353df0927671babbd51f3cdb304cf31dc5c29d65dea1e38136d7389ba48aa0829855d62eeb740f3df12ab981153c7f2eb70ed1e74fbcbb

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\d3dcompiler_47.dll

MD5 2191e768cc2e19009dad20dc999135a3
SHA1 f49a46ba0e954e657aaed1c9019a53d194272b6a
SHA256 7353f25dc5cf84d09894e3e0461cef0e56799adbc617fce37620ca67240b547d
SHA512 5adcb00162f284c16ec78016d301fc11559dd0a781ffbeff822db22efbed168b11d7e5586ea82388e9503b0c7d3740cf2a08e243877f5319202491c8a641c970

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\LICENSE.electron.txt

MD5 4d42118d35941e0f664dddbd83f633c5
SHA1 2b21ec5f20fe961d15f2b58efb1368e66d202e5c
SHA256 5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d
SHA512 3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\LICENSES.chromium.html

MD5 312446edf757f7e92aad311f625cef2a
SHA1 91102d30d5abcfa7b6ec732e3682fb9c77279ba3
SHA256 c2656201ac86438d062673771e33e44d6d5e97670c3160e0de1cb0bd5fbbae9b
SHA512 dce01f2448a49a0e6f08bbde6570f76a87dcc81179bb51d5e2642ad033ee81ae3996800363826a65485ab79085572bbace51409ae7102ed1a12df65018676333

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\resources.pak

MD5 a8502a5d32543474520dd8cf1a871b60
SHA1 4b2b4e61a8105dd9583c12e9adfd307c113907c8
SHA256 b6420c40d7d9b4971f6c99a3fd108e10c7e4e6bb95fa655a5a1b00ff2bab36dd
SHA512 c73e578d9b8a990ad11c218c096fc8d8a5d283a3fee4388ef40b4140e14504498f3e376b4b86d0d789dd9cd1dc8957d749a86f59cdf199f85daa28490c129658

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\v8_context_snapshot.bin

MD5 5a072b0edc88a0b18e1c56a307a341cd
SHA1 20ee0b6521e12dfc4f378eb8d5724456e22e90fd
SHA256 878046ea578d24595d060583cf8f9618aba37d23c603499068e5762dd5509aa1
SHA512 c3a51850d939eea9b5d8926795cdc3e56962ec9eeabb3b80ed62a9c77ae5d6b696528d03a469c212b99d83ec303367f3353cc0fff459e7e577254f037f8fd995

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\snapshot_blob.bin

MD5 840169fda65be2a18c85e7dd44ec6051
SHA1 5080736e613be6e11242d37adef740cac0bf8cd1
SHA256 80e58621229b4cb6104ce7f65ebce979a6ebe3eac750447d037660cec34ad0b3
SHA512 2e65ac47ff05830eb0942288daf66468fbd34a1fbc1010f0bcdaca873f4d110ae8f88e825dec7e86dcd7b11dee7a003c29350e3377abd9f886b028cdbb830644

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\vk_swiftshader.dll

MD5 3eb74d173ef00f7c510b11e61c5ab52f
SHA1 13cfe224f966145d7f90640b080bef5dd4d0ff42
SHA256 0749491928a69673f17d39eb674f9a416e789e4fddec48ebb54714914343b48a
SHA512 423ab3765aa01cf39fa31d068ddb761ad93707cb06f57b4e674311c91c5cc9d238c231d1e6882f8d3525d16fea0d8f8db8d0a74bb55309f5a120cbe4a34e40bd

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\vulkan-1.dll

MD5 8439213fbb22a848ce814982d502bdc4
SHA1 6c5831de36a539c0689410b00f1b8aa1dc6f7c2d
SHA256 e69f794109b12523de314a471c56278cd921be58facbd18ec351685d15894cc0
SHA512 e4e570e5b98420d99634167e0d9f920cba27fc4b8e91c70cc4e5b33a4b3299a69ce9b294aae538aeb150135378978a6c7b0644a645b797ab230e185593c828c0

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\vk_swiftshader_icd.json

MD5 8642dd3a87e2de6e991fae08458e302b
SHA1 9c06735c31cec00600fd763a92f8112d085bd12a
SHA256 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9
SHA512 f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\ar.pak

MD5 56f6dc44cc50fc98314d0f88fcc2a962
SHA1 b1740b05c66622b900e19e9f71e0ff1f3488a98e
SHA256 7018884d3c60a9c9d727b21545c7dbbcc7b57fa93a16fa97deca0d35891e3465
SHA512 594e38739af7351a6117b0659b15f4358bd363d42ffc19e9f5035b57e05e879170bbafe51aece62c13f2ae17c84efb2aed2fc19d2eb9dcb95ebd34211d61674e

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\am.pak

MD5 c6ef9c40b48a069b70ed3335b52a9a9c
SHA1 d4a5fb05c4b493ecbb6fc80689b955c30c5cbbb4
SHA256 73a1034be12abda7401eb601819657cd7addf011bfd9ce39f115a442bccba995
SHA512 33c18b698040cd77162eb05658eca82a08994455865b70d1c08819dfac68f6db6b27d7e818260caa25310ff71cf128239a52c948fde098e75d1a319f478a9854

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\af.pak

MD5 7e51349edc7e6aed122bfa00970fab80
SHA1 eb6df68501ecce2090e1af5837b5f15ac3a775eb
SHA256 f528e698b164283872f76df2233a47d7d41e1aba980ce39f6b078e577fd14c97
SHA512 69da19053eb95eef7ab2a2d3f52ca765777bdf976e5862e8cebbaa1d1ce84a7743f50695a3e82a296b2f610475abb256844b6b9eb7a23a60b4a9fc4eae40346d

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\ca.pak

MD5 01acd6f7a4ea85d8e63099ce1262fbad
SHA1 f654870d442938385b99444c2cacd4d6b60d2a0d
SHA256 b48d1bad676f2e718cbe548302127e0b3567913a2835522d6dd90279a6d2a56a
SHA512 2bd13eca1a85c219e24a9deb5b767faa5dc7e6b3005d4eb772e3794233ed49cb94c4492538d18acc98658c01d941e35c6f213c18ac5480da151c7545eedeb4ab

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\bn.pak

MD5 8feb4092426a0c2c167c0674114b014d
SHA1 6fc9a1076723bfaf5301d8816543a05a82ad654d
SHA256 fb0656a687555801edfb9442b9f3e7f2b009be1126f901cf4da82d67ac4ad954
SHA512 3de40bdd18e9e7d3f2eceebf7c089e2250ce4d40412a18d718facba8f045e68b996978ef8b4d047b21d3424094056d16b5abb81bd0507f446b805d6b889522a7

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\bg.pak

MD5 945de8a62865092b8100e93ea3e9828d
SHA1 18d4c83510455ce12a6ac85f9f33af46b0557e2e
SHA256 f0e39893a39ce6133c1b993f1792207830b8670a6eb3185b7e5826d50fea7ba2
SHA512 5f61160ff64b9490a1ad5517d8c1bb81af77d349541fed5045e7f6e5053b7d79b7e8f114630bfbe4d5af30258f70a6569462bfa39ccb765f8ca191f82ee04f3f

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\cs.pak

MD5 a934431d469d19a274243f88bb5ac6fb
SHA1 146845edc7442bf8641bc8b6c1a7e2c021fb01eb
SHA256 51c36a5acdad5930d8d4f1285315e66b2578f27534d37cd40f0625ee99852c51
SHA512 562f07151e5392cbffb6b643c097a08045e9550e56712975d453a2ebaee0745fbfba99d69867eec560d1d58b58dff4f6035811b9d4f0b1b87547efa98f94d55d

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\da.pak

MD5 bb5252dc6f0f3c01ce3638138bf946c8
SHA1 bfb584b67c8ca51d94bff40809410553d54da1cf
SHA256 c93f39d0ab9a2fab26977aa729261633225879ba6dc5ea8d0ca89814b2df9fa9
SHA512 e411fd3cc5285a6059c3fd80c3421253a4ce06b2d0cd1cd1efc25e88191a58fed176452d852922137268be2824e1e162cd4d4a6f8c695a50517a783d15b1c6e7

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\de.pak

MD5 ed329b35d10e81f55d611fe8748876f8
SHA1 0d998732bb4c4d1faad5a5bc0a21d6c5672418d3
SHA256 6facd562add58c4684ef4a40de9b63581fea71c5b83049ed8a2c2a2c929c45ce
SHA512 bd713ff78e375fec3a04ab0c9476c0379f87efc6d18359c2a4d297303d78381081120c371848c8675f1f16dd4ab7284d81e5bfc9ae11ab33e12f96c12d89e764

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\el.pak

MD5 6922aaa87431699787c1489e89af17b9
SHA1 6fb7771c9271ca2eeebe025a171bfa62db3527f7
SHA256 800545f9134914649da91b90e7df65d8208014c3e12f2be551dfd6722bf84719
SHA512 367ef8467631e17e0a71d682f5792a499e8578b6c22af93d9a919d9e78709ec2501df9599624f013b43f4c3e9fb825182193116dbead01874995d322b7a6e4d6

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\en-GB.pak

MD5 0db7f3a3ba228aa7f2457db1aa58d002
SHA1 bbf3469caadfa3d2469dd7e0809352ef21a7476d
SHA256 cf5aca381c888de8aa6bbd1dcd609e389833cb5af3f4e8af5281ffd70cd65d98
SHA512 9c46c8d12579bd8c0be230bbcdb31bdb537d2fea38000cf700547ca59e3139c18cc7cb3e74053475605132404c4c4591f651d2dad2ce7f413ccffd6acf7139e8

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\en-US.pak

MD5 5e3813e616a101e4a169b05f40879a62
SHA1 615e4d94f69625dda81dfaec7f14e9ee320a2884
SHA256 4d207c5c202c19c4daca3fddb2ae4f747f943a8faf86a947eef580e2f2aee687
SHA512 764a271a9cfb674cce41ee7aed0ad75f640ce869efd3c865d1b2d046c9638f4e8d9863a386eba098f5dcedd20ea98bad8bca158b68eb4bdd606d683f31227594

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\gu.pak

MD5 7b5f52f72d3a93f76337d5cf3168ebd1
SHA1 00d444b5a7f73f566e98abadf867e6bb27433091
SHA256 798ea5d88a57d1d78fa518bf35c5098cbeb1453d2cb02ef98cd26cf85d927707
SHA512 10c6f4faab8ccb930228c1d9302472d0752be19af068ec5917249675b40f22ab24c3e29ec3264062826113b966c401046cff70d91e7e05d8aadcc0b4e07fec9b

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\hr.pak

MD5 105472bc766a30bb71f13d86081de68d
SHA1 d014103ad930889239efd92ecfdfcc669312af6c
SHA256 a3a853a049735c7d474191dff19550a15503ecd20bafe44938eb12ea60e50b7c
SHA512 ee7479d459eff8ec59206c2269df4e9fc1ca143e9b94a908eb8a5a1e16180bcc88f0b24d73c387f5853ea0418e737641f23146676232c1a3ac794611f7880f11

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\ml.pak

MD5 3b1305ecca60fb5a7b3224a70398ead9
SHA1 04e28fce93fc57360e9830e2f482028ffc58a0a2
SHA256 c10942f5333f0d710de4d3def7aa410c4576ffe476b3ea84aac736bfb9c40d67
SHA512 68fdd944a153c16d18e73dd2aa75593f6ac13b8e87dbfb5bfccdd982a4f885bd9903c3ed1af781581cd3c5d42dd2ff21cc780f54fd71ab04a3237d08ed5a1554

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\lv.pak

MD5 e4f7d9e385cb525e762ece1aa243e818
SHA1 689d784379bac189742b74cd8700c687feeeded1
SHA256 523d141e59095da71a41c14aec8fe9ee667ae4b868e0477a46dd18a80b2007ef
SHA512 e4796134048cd12056d746f6b8f76d9ea743c61fee5993167f607959f11fd3b496429c3e61ed5464551fd1931de4878ab06f23a3788ee34bb56f53db25bcb6df

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\lt.pak

MD5 96602a3f3b59faa997a4d337889fa02b
SHA1 94593a270b0d84c006e0959bc136b6c4987dfd3f
SHA256 51db5311de9dff41fb4eadda8ba7d5e492912f72c3754adaf8e3de23aba46f8a
SHA512 dd45240494d09ad9a41be9d4056ed274e78a50dc85e6bff9438e707a84f65b77ebe522531370da99e50a6887d6063c29e9728b49df2b2b3c61362d774797fac2

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\ko.pak

MD5 b83bc27c5bc2bb4d0ff7934db87e12ad
SHA1 050f004e82f46053b6566300c9a7b1a6a6e84209
SHA256 ab3060e7d16de4d1536ff6dd4f82939a73388201ad7e2be15f3afee6a5aae0ef
SHA512 b56b211587fe93a254198ca617cdecd8dc01e4561151a53173721665111c4d2440535f5f6b8a5a69a31840ea60124f4afd2c693d1fc4683fa2cf237c8ede5f0a

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\kn.pak

MD5 a603f3d899ccdcd9af20dcd8f87d0ed8
SHA1 f476355d6ea5c05b35ad74c08e2edfe5ff2881ad
SHA256 3c11a589aab0c5d9e5c18e6a95dce7e613089d3598b8fe54e656a8d97e22a6fd
SHA512 f6b008080cae44d680faaab02911f62e21d042c55fc5af87e719e9bc4102b282e58e67f19f37f60fe8ba99f5b8cfd4e70a61af9918a9ee8e3d8ae72555d31c15

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\ja.pak

MD5 f47efaa76f5200a6c0c23c33684d7bad
SHA1 9b24f6491a1171d3dfeae329e1f45ab3e3d9cf22
SHA256 5b99d6a11d7b653681b2a2bb616cc1814451ad35c370d178b2ef6650465d4f2a
SHA512 67d130a66f03a4d1a0a30576b19fe44fa707cba764c6dcd355cbe891a2bcc0b25823ba2106e9271e06ada674f66824a5323b77d4984900516d2a8802af87960e

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\it.pak

MD5 7c981a25be0e02fba150e17d9669a536
SHA1 3af10feb7cdc7bc091b80173301b1a3d4ef941d4
SHA256 ee2d2643ad7a8f97b7a6c070910866436cae0267a6691a3d8a88ed0948d8af49
SHA512 445eecfa83e7635bc3442937bdf3b9c4a38ef3fbb7f07ca90a1d4222e1a29639f3fdce12b20e798888823f2d612e5972492b3786d37b256aec5c1c96cdb96b28

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\id.pak

MD5 bd9636e9c7dc7be4c7f53fb0b886be04
SHA1 55421d0e8efcbef8c3b72e00a623fb65d33c953e
SHA256 5761ee7da9ca163e86e2023829d377a48af6f59c27f07e820731192051343f40
SHA512 7c7e88ffd2b748e93122585b95850ded580e1136db39386ced9f4db0090e71394a1f9ceb937262c95969132c26bf6ce1684fbb97b6469ed10414171a2e8cc3a4

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\hi.pak

MD5 b7e4892b2030e4f916364856b6cc470a
SHA1 b08ad51e98e3b6949f61f0b9251f7281818cd23e
SHA256 093119a99f008ab15d0e5b34cd16ec6b4313554e6c3cffe44502bfce51470e3e
SHA512 ca453025d73228592a4bfe747a3ea08b86327f733032a64ced0fc0c9e2e00b02450f133e691b94be13a3e69e22b43bca512e5f77b0e490320f0bf8e65571bb46

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\he.pak

MD5 93d9261f91bcd80d7f33f87bad35dda4
SHA1 a498434fd2339c5d6465a28d8babb80607db1b65
SHA256 31661709ab05e2c392a7faeed5e863b718f6a5713d0d4bbdab28bc5fb6565458
SHA512 f213ff20e45f260174caa21eae5a58e73777cd94e4d929326deefbef01759d0200b2a14f427be1bb270dfcd2c6fb2fce789e60f668ac89ecf1849d7575302725

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\fr.pak

MD5 0445700799de14382201f2b8b840c639
SHA1 b2d2a03a981e6ff5b45bb29a594739b836f5518d
SHA256 9a57603f33cc1be68973bdd2022b00d9d547727d2d4dc15e91cc05ebc7730965
SHA512 423f941ec35126a2015c5bb3bf963c8b4c71be5edfb6fc9765764409a562e028c91c952da9be8f250b25c82e8facec5cada6a4ae1495479d6b6342a0af9dda5f

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\fil.pak

MD5 3165351c55e3408eaa7b661fa9dc8924
SHA1 181bee2a96d2f43d740b865f7e39a1ba06e2ca2b
SHA256 2630a9d5912c8ef023154c6a6fb5c56faf610e1e960af66abef533af19b90caa
SHA512 3b1944ea3cfcbe98d4ce390ea3a8ff1f6730eb8054e282869308efe91a9ddcd118290568c1fc83bd80e8951c4e70a451e984c27b400f2bde8053ea25b9620655

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\fi.pak

MD5 5518b51d4af7f1b9d686cbea28b69e71
SHA1 df7f70846f059826c792a831e32247b2294c8e52
SHA256 8ff1b08727c884d6b7b6c8b0a0b176706109ae7fe06323895e35325742fe5bd1
SHA512 b573050585c5e89a65fc45000f48a0f6aabccd2937f33a0b3fcbd8a8c817beaa2158f62a83c2cae6fcfb655f4a4f9a0c2f6505b41a90bc9d8ede74141ebc3266

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\fa.pak

MD5 dcd3b982a52cdf8510a54830f270e391
SHA1 3e0802460950512b98cd124ff9f1f53827e3437e
SHA256 e70dfa2d5f61afe202778a3faf5ed92b8d162c62525db79d4ec82003d8773fa3
SHA512 3d5b7fa1a685fa623ec7183c393e50007912872e22ca37fdc094badaefddeac018cc043640814a4df21bb429741dd295aa8719686461afa362e130b8e1441a12

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\et.pak

MD5 a94e1775f91ea8622f82ae5ab5ba6765
SHA1 ff17accdd83ac7fcc630e9141e9114da7de16fdb
SHA256 1606b94aef97047863481928624214b7e0ec2f1e34ec48a117965b928e009163
SHA512 a2575d2bd50494310e8ef9c77d6c1749420dfbe17a91d724984df025c47601976af7d971ecae988c99723d53f240e1a6b3b7650a17f3b845e3daeefaaf9fe9b9

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\es.pak

MD5 e9fa4cada447b507878a568f82266353
SHA1 4a38f9d11e12376e4d13e1ee8c4e0d082d545701
SHA256 186c596d8555f8db77b3495b7ad6b7af616185ca6c74e5dfb6c39f368e3a12a4
SHA512 1e8f97ff3daad3d70c992f332d007f3ddb16206e2ff4cffd3f2c5099da92a7ad6fb122b48796f5758fe334d9fbf0bbae5c552414debbb60fe5854aaa922e206e

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\es-419.pak

MD5 5321c1e88c5c6fa20bdbc16043c6d0f6
SHA1 07b35ed8f22edc77e543f28d36c5e4789e7723f4
SHA256 f7caa691599c852afb6c2d7b8921e6165418cc4b20d4211a92f69c877da54592
SHA512 121b3547a8af9e7360774c1bd6850755b849e3f2e2e10287c612cf88fb096eb4cf4ee56b428ba67aeb185f0cb08d34d4fa987c4b0797436eea53f64358d2b989

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\hu.pak

MD5 b338dcb0e672fb7b2910ce2f561a8e38
SHA1 cf18c82ec89f52753f7258cdb01203fbc49bed99
SHA256 bcdf39aa7004984cb6c13aac655b2e43efeb387ce7d61964b063d6cf37773f7a
SHA512 f95f6a8e36d99680fb3cdb439f09439782bcc325923ec54bdc4aeb8ec85cf31a3a2216e40e2b06c73a2f5e7439d8178d8becac72781a6d79808067e8ccf3cac6

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\pt-PT.pak

MD5 acffa29064f40a014bc7fe13e5ff58a9
SHA1 5a0890c94084075446264469818753f699a3d154
SHA256 423e7ccb22d32276320ed72f07186188e095c577db5bce7309c8bd589a2a8858
SHA512 d4572c81fdd3b7b69d77544f68b23ae0b546158033be503dbaab736d3ca1188b18916688234fae9ea29fa430258b2d2b95a93d0e8b74919a62040b84902d3b6e

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\sl.pak

MD5 4d9d56ef0b176e7f7aa14270e964ec77
SHA1 515aac37e4f25ca50bd52ea73889b70b1e79863d
SHA256 6ba684a8f06f7eb175955b15d30c7162d92c7e7c48864dfb853238263e1be8c7
SHA512 740adbb7d8b039f98e187f45a1a87d0354136fb48b75262e508f720bfcbeb2746f04d31a57dccd50e37ddb5a1b7c0ad79a01cac6ba5fb98a9af272ad99fcb169

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\sk.pak

MD5 793c442420f27d54410cdb8d8ecce5ff
SHA1 8995e9e29dbaaa737777e9c9449b67ca4c5b4066
SHA256 5a9d6b77ca43c8ed344416d854c2d945d8613e6c7936445d6fe35e410c7190bb
SHA512 291e3d2300c973966d85e15a1b270ba05c83696271a7c7d4063b91097a942590c9797a4d22dfbe154564b779dac92fd12db0d5b63f5f0406f818b956b126e7e9

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\ru.pak

MD5 fc0e2fc09aa9089c5db75bab7a0754a7
SHA1 f3d1e3e1600ae188e801a81b6d233db9903b82df
SHA256 188b6405cb6c5b7c0b35050278a119c3ce41fb90883b9adb39fec15da0a05550
SHA512 377e685d1d171d0a7158b56f356ca33d4493d07efa58d3c384e272e1b6829933552c69aff95215ae7d1a0f99616a20790708f5187ea10cfe46baa2bb522fc18f

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\ro.pak

MD5 19cfc7c8f1a2e4a2de1f9f64475469bc
SHA1 bf6c4f373c19b03e116d2593c64e1ceca47d79dc
SHA256 3e725f7a791aed1fbed57f075ca11ce389a5bd425ccce3c00537dad27e5a8dd6
SHA512 ff5254e3a3676b8f5e74cba6661ae43d5739c7363c66cb17f74dce158dc36cee103885f055846dd320b932f2e7fbdc831bcee6293d423ff9b842b68644f633bd

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\pt-BR.pak

MD5 a23c805ee4d3d67c811b50826ca25a51
SHA1 c14fa8b9c7073fe88e188cfa4b34883faccc2c09
SHA256 62be4fb0bd3b8be563516bfea3f0848924bb7afb0c563d02c1508608a4487e3b
SHA512 c478bd2234eef73aa08085d29b916ad1471576ff213f972c9616757172d0cdec6e5d6797a1f2635ac17a0bac34964a298e4ab4336479456ce10330128cd68a53

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\pl.pak

MD5 61c093fac4021062e1838a32d79399c2
SHA1 84a47537ef58d2507cf7697ea7e1e27b1f812ee8
SHA256 58067ec06973f5dd7afebbe57bffce3a3ed9f8e5093af8fcefdb6a65b2b68b22
SHA512 475d9d4f27cbc23efd9acf75024f993bcf7a8279e658ccbd84c8ac810e1c828de4dac4141298865faf1bb8858a7a88a12d1a21c467e8c656533e364ceff7e5dc

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\nl.pak

MD5 bc41967b2ff493e7f151c7721245739d
SHA1 7606133ddbb58492dbbf02c03a975fb48da1e26f
SHA256 3dbe5569f53d1314dcb1bc99540cf6a0fea45b6d67576fd0d14c688107892f32
SHA512 9e395a3b5bbf64de3e474c56c4fb39879f107a9db246632cf6bb4b06160e05a82c0161d6496edb2bc29febb4a8f67ca7ea904167b860fd6da96636a6711cb593

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\nb.pak

MD5 7576c2fa9199a4121bc4a50ff6c439c3
SHA1 55e3e2e651353e7566ed4dbe082ffc834363752b
SHA256 2a3dfc6b41fa50fabed387cb8f05debbc530fa191366b30c9cb9eaae50686bd5
SHA512 86c44e43609e6eb61273f23d2242aa3d4a0bfa0ea653a86c8b663fa833283cc85a4356f4df653e85080f7437b81ae6201a3ecf898a63780b5ca67faa26d669fe

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\ms.pak

MD5 9b3e2f3c49897228d51a324ab625eb45
SHA1 8f3daec46e9a99c3b33e3d0e56c03402ccc52b9d
SHA256 61a3daae72558662851b49175c402e9fe6fd1b279e7b9028e49506d9444855c5
SHA512 409681829a861cd4e53069d54c80315e0c8b97e5db4cd74985d06238be434a0f0c387392e3f80916164898af247d17e8747c6538f08c0ef1c5e92a7d1b14f539

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\mr.pak

MD5 25f2b9842e2c4c026e0fc4bc191a6915
SHA1 7de7f82badb2183f1f294b63ca506322f4f2aafa
SHA256 771eb119a20fcc5e742a932a9a8c360a65c90a5fe26ab7633419966ba3e7db60
SHA512 ac6d2eeb439351eee0cf1784b941f6dd2f4c8c496455479ca76919bf7767cca48a04ba25fccde74751baa7c90b907b347396235a3ce70f15c1b8e5388e5c6107

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\tr.pak

MD5 9f24f44cac0997e1d0a6a419520f3bfe
SHA1 edb61859cbb5d77c666aac98379d4155188f4ff5
SHA256 3aff7dcbfb1a244cc29b290376b52cfb3e1f844c98facafea17b4a45ce064b8a
SHA512 65fbe2d7fea37db59b805d031f6ae85d628a51b254e76e8c2b4ef4b5153527b7e2412ed6a0961d174b8a5581b521b0436160fe5ed252f78303bcfde815733d81

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\ur.pak

MD5 d7ec7d551dee1e1ef11be3e2820052f9
SHA1 d7f2d35841883103c2773fc093a9a706b2fe5d36
SHA256 05e45371159075048db688564b6bc707e0891303c40f490c3db428b0edd36102
SHA512 92e2d32fc106812e08163a26f202a5d0e7eb7028a871f3bc6cbc05ee6c7ce287032179322b19e396308968515bf214534a38d93afc259a780ad7ba8432fab56a

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\resources\app-update.yml

MD5 1f3fc4ed1c35754da78d76ac2355e681
SHA1 52a2ec4a1267e6b51fb9e376f38dd174799f57f3
SHA256 08c1434ebe835e19645d055993023f8b8048ef6025792bd2ce685ef33f34abe3
SHA512 155895169d921772c125922c82785b34e59ae0b35f909543bbcbb52b88f9b857d2997de335ea87cc4f582d8b928598de4addde423d21953d29d9e3e27932adbb

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\zh-TW.pak

MD5 8f67a9f38ad36d7d4a6b48e63852208d
SHA1 f087c85c51bdbdef5998cfc3790835da95da982a
SHA256 92f26e692dc1309558f90278425a7e83e56974b6af84dbd8cc90324785ee71ca
SHA512 623034bbdfdf5d331de78b630f403aeb9cef27b1827e0d29ec66ad69310f56c7db96c6775df0e749f8112a4a8e75754bcf987903d415fc7ae360e3c39e6e18e0

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\zh-CN.pak

MD5 9d4f54eb5a12cf4c2f34f5f538dff90b
SHA1 c31b892ce78c733bde0571b6236170103cc9fe7a
SHA256 58b934a09858f037f1966a495e73d44416180afcdebfaefcee1f5e3377de63f7
SHA512 46bf6099c50f7959a6f0800ec679b61a78efabe87985cad8dc0d7d0006470a9c61e659bde0258da6cf7ed6104749a157f5ad133f324479c3460a19fc14e31c37

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\vi.pak

MD5 9274866d7c6314f43dd63ed293293e25
SHA1 4af0e6ec1bcb99588810a9fb69c1dc2bbad892fc
SHA256 dcbdc6d9e11dd10fc1364c10be5438ce2697f61ec5f32997c43b87238087c4e3
SHA512 3c8c9e9960a49469af83cae31790a03e41846163c14d3dae45fd92a1a412c82075bdef3317baca02399eb53de0f9164c0a9a17b7cd63e0fa61c3e4617393c42e

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\uk.pak

MD5 e4c4e3700469704b936460ca1a90fcc0
SHA1 e809990fc07a1d39fe623046382699e648e343c0
SHA256 29af2abc75a35bb9e3f9bc6e2904228ba651ea4e0ce8e9c7a2d7e272374b9ebb
SHA512 68e33f471c5bf2d4ed9cb00ace3e094ef102a5f1566a6e2c8a3007ef7fbd8a24c36eb36b08745f3608e70940444e9fc7a36fabe1a9945d1f00b4f3f28c7bdaf6

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\th.pak

MD5 293ad7c20c22d744e4db0fb001ec45bb
SHA1 486c9e0732306a45aceb633da2b3ded281197620
SHA256 d67d68f24d3347e244a7e8c3b63d47f18fcf37258256f48dad785cf98bb560fa
SHA512 ac2b2dd82095925b3229958e89dcf5283bdce0273734a0c338f5a1aa8b014644806ca517f0fc2003669910e58fedf9c2ca7a009fa3f53d58c07bc5e9191f2e2f

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\te.pak

MD5 02415ded02cc7ac25e8f8d0e83365061
SHA1 5a25bf63ec97dbeb37e64ab3825cbbce6326a5cf
SHA256 97024f0cfac78e0c738e771beea1e35f5a8eb2b132b3043b59ce4ecd6c153523
SHA512 54e658c6d432b29b031be278e5b4396ac14b0f85e1f772a0a76c0431d4cbe2370ff2898077837688e2fb9700db1eab7a19e4e350a280a2ffad8176d861d93e45

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\ta.pak

MD5 a8beab6896018a6d37f9b2e5bdd7a78c
SHA1 64310684247219a14ac3ac3b4c8ebaa602c5f03a
SHA256 c68b708ba61b3eeab5ae81d9d85d6e9f92e416ecfae92e8de9965608732384df
SHA512 73b0a31235bf4b7c5ad673f08717f3b4f03bcdf2a91440ee7228aa78c2d15dd2aed32498e23ded78ec35bc731dbe16b6a1c236a170f2a84123a464857686c7b5

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\sw.pak

MD5 ee8da42ffe40fbb916c56390e2cd99e8
SHA1 6d824f56afe6b3605a881d2c26e69a46e6675347
SHA256 192e248c7ac4644f8712cf5032da1c6063d70662216ccf084205f902253aa827
SHA512 7befe72b073000bc35a31323d666fd51d105a188d59c4a85d76ee72b6c8c83a39a1beb935c1079def8e3ffa8c4bf6044cf4f3bef0f1c850c789b57e1144ff714

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\sv.pak

MD5 bbe0785c5f9591e8a1e7c4830fe949d6
SHA1 da4f3286079d50e1c04e923529e03e7d334c7fff
SHA256 0ad84f6f95fd7505862278a7c1c92d00a7e7dd4a765569e9c3086f55c1d7059d
SHA512 38bab6f3a6c9395d3b57e63168045ad2e8188b2f04751a15253e7226ec3043c9678a77be1eb27a3b2e751934a024f3ffc89fffd9f1e229e19638be318b53e961

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\sr.pak

MD5 cf160983a86b51ec42845f4e60ac9123
SHA1 4d3bd86a7ef1eaadb8bec0b79ecc6c05b4273a48
SHA256 ef07512fb337005bb66696c69722a0d65bfb749b9d2f763f5b2ff2885cb247a4
SHA512 b909fc3614c3250856d2c502cbfed5eb6e398140b801669bf92427e7e8a5939b14052b9abf2c94749f1aea61946ff66be4978c68064196458733bcff0a963ffa

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\resources\app.asar

MD5 dcf84c7c6436284959898ff76df2601a
SHA1 d64896cf933ef8399c23f678e2b5529c1074e8f9
SHA256 9ab65922798b5f5c4056de45e44a5fdccc489a6321a3cabbfbd99d8ca9daa896
SHA512 1e1361c6ec01637d83e340ef4069f5043fec4aa750df1fcaed5c9ef88e2a90108ca345789ef3053ca7970ebed73d9ab9cd66d5fdcb409038d4618de2037d4f80

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\resources\dist\pages\cantLoad.html

MD5 af0ebfabf769eacba4deb6fbc9f002ce
SHA1 8b18e6f7c70bf329bb5f9f4c2436c7d6f95faed4
SHA256 6bc293fd068ddac9c3d92116e09417ac768336c76b748fccdc9f167e6466c1d4
SHA512 85d744eb091ed3a9e5b14eb4d87c5233b9909c732c5902c50a2cd38a9645a65dae8723f3773758e02a1a8c591da98fc589377702863090acb527fb20ceded709

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\resources\elevate.exe

MD5 86050c2cbb9f996c1d7b5116fc67b21e
SHA1 59ec79f38d3a3bbe5b63b464bc720b426d7c300a
SHA256 288bce90fd6ffb1dd260f71f73765b9931c45015c3a963514855ae78f1becb9a
SHA512 9d4a1eb417b809299b9eeafc90323032dbea5b0ae9ddc799af6e4e36ecef61d2518dc4756bb4ac398d396926eb72e6886cb64c568dfad80e51c5320a74943b8f

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\resources\dist\pages\icon-text-logo.svg

MD5 9e058d4bc591160ec98e36aa65031b48
SHA1 36254fd3bdb61ac27344a69594d91009122808fe
SHA256 a6feedf1437cf6026a950771aee3798a310ad554ddf00508282bba9c50e48c79
SHA512 4e0d4edc0385d9b114f0553c3b182313507ca08e3c680bdb78c7ef05e019b2d4b56a84801792d0923bf16b993918ad72b0029199adc52daa951b209a6c62a125

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\resources\extraResources\[email protected]

MD5 e9b992be1a5ea38cfdbc31508d80b3b9
SHA1 e8395346ff49413abda7950807938baaaeee042d
SHA256 ca3525faef577979cc300996b230ab12f58b539d1361e2831868d515068c2346
SHA512 930501bf1c6d71a2907217bd4c8bfe0231d890f1f665d51963b3011c805a305246d6e4e0ecf6cf6efad37edde6ffed3c7dd088594ac24aab1e13fabd21a35e1a

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\resources\extraResources\IconTemplate.png

MD5 2c761c4c5b466c0d6c3fb51907f4a587
SHA1 72bb96c24004b9cf6abde1ae870ebb2315169855
SHA256 c0abd9c5ecfb3cfcd8ef51d6efd969cacfc2c13c59815d067573977664461eec
SHA512 9722b18a6342ea91e5094b41b31eb2bbed4c2fb773f6309b9ad238dd52260773ed3e0ebfa38469ac970b51bf2665f45086fd112f1eb0390513665094b91ea560

C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\WinShell.dll

MD5 1cc7c37b7e0c8cd8bf04b6cc283e1e56
SHA1 0b9519763be6625bd5abce175dcc59c96d100d4c
SHA256 9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6
SHA512 7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

\??\pipe\crashpad_620_AIIEYHPOWOGQHVUR

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Roaming\Bearly\Session Storage\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Roaming\Bearly\Service Worker\Database\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Roaming\Bearly\config.json.tmp-5384187930bcff78

MD5 b571feedd7a6cfefa26b73514d57a7c7
SHA1 33d4945a08a2040a4707b44d21483cd00858cb7d
SHA256 bf7d1e5bafc682ba7bf07389750e4165fa3076e69625630998b4a528f5e6d635
SHA512 8d2f594f4f568005005f2ba23bdd67ccdfd4bf56ada577993aaed596c839263f223dc2180897b906d8a8e94fd060eccda97a6cc2f464bd507182db45f4a017c7

C:\Users\Admin\AppData\Roaming\Bearly\config.json.tmp-53841880464e3b2c

MD5 0c2bb92bc63d59da117b6542b8ca9edb
SHA1 1841f159e4e2074fd921877937016a21ff4f0f90
SHA256 dc011a83b38ed30c2eb64000cd76d92dd2fa807170fbe2dbab77bc5221471ab3
SHA512 8b4f251a74afe73a4c8fa003b5e0d65b33ac642567c73500783f1339e892fe76f3e524d5b56faf0bdff6a799c9581136fe33ac6fc1f135400440ce05abd57e9f

C:\Users\Admin\AppData\Roaming\Bearly\config.json

MD5 1ffb53e0bcfa1dfde7672728e3114815
SHA1 ec46721ab0c27d9e707f63c2ee748c954d775de2
SHA256 8e3ed5120a02820b427cb66f4f10c93aa4ca6415f332686b39174a6e04a70c76
SHA512 5aaabd51ac0b126c05d881e07fdaf1d82e86f5c6b5aea347ea53ea507fad953409e213ca0ae05bbf0921b478b595fbdbfada1eafd5ec39fbb9454434f0f5d424

memory/6676-1489-0x00007FFF833F0000-0x00007FFF833F1000-memory.dmp

memory/6676-1488-0x00007FFF84EA0000-0x00007FFF84EA1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Bearly\217f7f6e-dafc-40d8-b8d6-325b7eb07a2e.tmp

MD5 58127c59cb9e1da127904c341d15372b
SHA1 62445484661d8036ce9788baeaba31d204e9a5fc
SHA256 be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de
SHA512 8d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a

C:\Users\Admin\AppData\Roaming\Bearly\Service Worker\ScriptCache\index-dir\the-real-index~RFe580cfb.TMP

MD5 517adce143140d81cb6c453a49e6ec2e
SHA1 03ae1119b20a35bf9d75962fa0a7c2a71a6e020c
SHA256 c36bb852a8384f44a21727fe8a64586c2fc1654ae11382cfa6ffb6e0284466de
SHA512 2745735c73751d04890babb4e66ea6e106626007275296637e449aa01471d57f095b44f27079ec721c769b2ae183f413f517dd08e5082f85e3efb067a526f9d9

C:\Users\Admin\AppData\Roaming\Bearly\Service Worker\ScriptCache\index-dir\the-real-index

MD5 00f4881ba4d4e366db901083869d2b74
SHA1 9c78679b48be04a21882c02b96ddc168ebaccde6
SHA256 9e030c4a887e6a7f92b7ea82f5e79cd67304b7453208550d6a96cd1e6d907c4b
SHA512 e9d1b6732c5146dcc24cf037d47cdf7ad797d64f76768867a0099c2e4f7aca1fc20924e04df0607d16099a61f26a409acac5428144501c7d5586f28ca1412c4e

C:\Users\Admin\AppData\Roaming\Bearly\Code Cache\js\index-dir\the-real-index

MD5 e0957dc485b5cb554cc414f2ed7557f3
SHA1 3b648f31dc45976020bb4f2866a6f721e9d69495
SHA256 159e3b777772820d932ab7ab26b90a3ed7cf23fea81558dfbb15eff5abd85cbb
SHA512 b513c4fa982374bb124513c97408bbf63780d09060f05bb9333deadd3e4979adbc4cbb6e13be2ec7590a26eabde5ea3c89865ebc8d8eb579a55e2cef9dd2e8bd

C:\Users\Admin\AppData\Roaming\Bearly\Code Cache\js\index-dir\the-real-index

MD5 683ca3c3d6b6793f3f1a39952158d8db
SHA1 01f2e426b05dae0e98d956f369ce1d5e19779dee
SHA256 512f4927fb1ddfbf7bc0529177d769f532b329450603da1f3f1790a42e2e31b1
SHA512 f359d68cd7d122b969e22de9f9d995e9e625a9a5851d0d28c2d0a5345fceba66cef067c954957abc880885823d44b227ceef16c57517f7498329a9390b4617f7

C:\Users\Admin\AppData\Roaming\Bearly\Network\Network Persistent State

MD5 1eaa3d3a0554a7d5465dc9fd690e1995
SHA1 1b87ee2d7d73943e0cdc2fa88013406fc112146f
SHA256 5ab0525ceb9e2d5ef87c5ee3d94d4061eb39c61318dca262344b7eabb2728d92
SHA512 e49d2d690eef90d01f92f889e3b3366b28d5b921c5e09ff68d7bc735f39895243fc99923a964932c58a8f040210d3c489859a7a9f771d937029845ee43a5a59b

C:\Users\Admin\AppData\Roaming\Bearly\Network\Network Persistent State~RFe58cdab.TMP

MD5 2800881c775077e1c4b6e06bf4676de4
SHA1 2873631068c8b3b9495638c865915be822442c8b
SHA256 226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974
SHA512 e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

memory/5300-1562-0x000001DA25520000-0x000001DA25521000-memory.dmp

memory/5300-1561-0x000001DA25520000-0x000001DA25521000-memory.dmp

memory/5300-1560-0x000001DA25520000-0x000001DA25521000-memory.dmp

memory/5300-1566-0x000001DA25520000-0x000001DA25521000-memory.dmp

memory/5300-1567-0x000001DA25520000-0x000001DA25521000-memory.dmp

memory/5300-1572-0x000001DA25520000-0x000001DA25521000-memory.dmp

memory/5300-1571-0x000001DA25520000-0x000001DA25521000-memory.dmp

memory/5300-1570-0x000001DA25520000-0x000001DA25521000-memory.dmp

memory/5300-1569-0x000001DA25520000-0x000001DA25521000-memory.dmp

memory/5300-1568-0x000001DA25520000-0x000001DA25521000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-05-10 23:34

Reported

2024-05-10 23:38

Platform

win10v2004-20240426-en

Max time kernel

146s

Max time network

159s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2372 wrote to memory of 944 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2372 wrote to memory of 944 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2372 wrote to memory of 944 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 944 -ip 944

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 944 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 155.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-10 23:34

Reported

2024-05-10 23:38

Platform

win10v2004-20240508-en

Max time kernel

92s

Max time network

98s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1092 wrote to memory of 3776 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1092 wrote to memory of 3776 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1092 wrote to memory of 3776 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3776 -ip 3776

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3776 -s 628

Network

Country Destination Domain Proto
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 31.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-05-10 23:34

Reported

2024-05-10 23:39

Platform

win10v2004-20240426-en

Max time kernel

144s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 31.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-10 23:34

Reported

2024-05-10 23:38

Platform

win7-20231129-en

Max time kernel

118s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SpiderBanner.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2352 wrote to memory of 2332 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2352 wrote to memory of 2332 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2352 wrote to memory of 2332 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2352 wrote to memory of 2332 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2352 wrote to memory of 2332 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2352 wrote to memory of 2332 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2352 wrote to memory of 2332 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SpiderBanner.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SpiderBanner.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-05-10 23:34

Reported

2024-05-10 23:38

Platform

win7-20240215-en

Max time kernel

117s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-10 23:34

Reported

2024-05-10 23:38

Platform

win7-20240508-en

Max time kernel

118s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f3beb34cc046e27623b8ed753d3fc50584aaf6f388aa6bb75780d1043326e4f7.exe"

Signatures

Checks installed software on the system

discovery

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe N/A

Enumerates physical storage devices

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f3beb34cc046e27623b8ed753d3fc50584aaf6f388aa6bb75780d1043326e4f7.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2968 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\f3beb34cc046e27623b8ed753d3fc50584aaf6f388aa6bb75780d1043326e4f7.exe C:\Windows\SysWOW64\cmd.exe
PID 2968 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\f3beb34cc046e27623b8ed753d3fc50584aaf6f388aa6bb75780d1043326e4f7.exe C:\Windows\SysWOW64\cmd.exe
PID 2968 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\f3beb34cc046e27623b8ed753d3fc50584aaf6f388aa6bb75780d1043326e4f7.exe C:\Windows\SysWOW64\cmd.exe
PID 2968 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\f3beb34cc046e27623b8ed753d3fc50584aaf6f388aa6bb75780d1043326e4f7.exe C:\Windows\SysWOW64\cmd.exe
PID 2624 wrote to memory of 2720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2624 wrote to memory of 2720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2624 wrote to memory of 2720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2624 wrote to memory of 2720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2624 wrote to memory of 2736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe
PID 2624 wrote to memory of 2736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe
PID 2624 wrote to memory of 2736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe
PID 2624 wrote to memory of 2736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f3beb34cc046e27623b8ed753d3fc50584aaf6f388aa6bb75780d1043326e4f7.exe

"C:\Users\Admin\AppData\Local\Temp\f3beb34cc046e27623b8ed753d3fc50584aaf6f388aa6bb75780d1043326e4f7.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq Bearly.exe" | %SYSTEMROOT%\System32\find.exe "Bearly.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist /FI "USERNAME eq Admin" /FI "IMAGENAME eq Bearly.exe"

C:\Windows\SysWOW64\find.exe

C:\Windows\System32\find.exe "Bearly.exe"

C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe

"C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nsd282A.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

\Users\Admin\AppData\Local\Temp\nsd282A.tmp\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

\Users\Admin\AppData\Local\Temp\nsd282A.tmp\SpiderBanner.dll

MD5 17309e33b596ba3a5693b4d3e85cf8d7
SHA1 7d361836cf53df42021c7f2b148aec9458818c01
SHA256 996a259e53ca18b89ec36d038c40148957c978c0fd600a268497d4c92f882a93
SHA512 1abac3ce4f2d5e4a635162e16cf9125e059ba1539f70086c2d71cd00d41a6e2a54d468e6f37792e55a822d7082fb388b8dfecc79b59226bbb047b7d28d44d298

\Users\Admin\AppData\Local\Temp\nsd282A.tmp\nsExec.dll

MD5 ec0504e6b8a11d5aad43b296beeb84b2
SHA1 91b5ce085130c8c7194d66b2439ec9e1c206497c
SHA256 5d9ceb1ce5f35aea5f9e5a0c0edeeec04dfefe0c77890c80c70e98209b58b962
SHA512 3f918f1b47e8a919cbe51eb17dc30acc8cfc18e743a1bae5b787d0db7d26038dc1210be98bf5ba3be8d6ed896dbbd7ac3d13e66454a98b2a38c7e69dad30bb57

\Users\Admin\AppData\Local\Temp\nsd282A.tmp\nsis7z.dll

MD5 80e44ce4895304c6a3a831310fbf8cd0
SHA1 36bd49ae21c460be5753a904b4501f1abca53508
SHA256 b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592
SHA512 c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\chrome_100_percent.pak

MD5 acd0fa0a90b43cd1c87a55a991b4fac3
SHA1 17b84e8d24da12501105b87452f86bfa5f9b1b3c
SHA256 ccbca246b9a93fa8d4f01a01345e7537511c590e4a8efd5777b1596d10923b4b
SHA512 3e4c4f31c6c7950d5b886f6a8768077331a8f880d70b905cf7f35f74be204c63200ff4a88fa236abccc72ec0fc102c14f50dd277a30f814f35adfe5a7ae3b774

C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\chrome_200_percent.pak

MD5 4610337e3332b7e65b73a6ea738b47df
SHA1 8d824c9cf0a84ab902e8069a4de9bf6c1a9aaf3b
SHA256 c91abf556e55c29d1ea9f560bb17cc3489cb67a5d0c7a22b58485f5f2fbcf25c
SHA512 039b50284d28dcd447e0a486a099fa99914d29b543093cccda77bbefdd61f7b7f05bb84b2708ae128c5f2d0c0ab19046d08796d1b5a1cff395a0689ab25ccb51

C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\d3dcompiler_47.dll

MD5 2191e768cc2e19009dad20dc999135a3
SHA1 f49a46ba0e954e657aaed1c9019a53d194272b6a
SHA256 7353f25dc5cf84d09894e3e0461cef0e56799adbc617fce37620ca67240b547d
SHA512 5adcb00162f284c16ec78016d301fc11559dd0a781ffbeff822db22efbed168b11d7e5586ea82388e9503b0c7d3740cf2a08e243877f5319202491c8a641c970

C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\ffmpeg.dll

MD5 d8cd1aca8dd3a91d0bf32da2e746545e
SHA1 6a28b357d93fbb3502bc386019899c9f3633b069
SHA256 5b831daa8515b3d1f346b481ec04f881a3fe728944e966624489d3a3872a40bf
SHA512 af70b88194539cdebf353df0927671babbd51f3cdb304cf31dc5c29d65dea1e38136d7389ba48aa0829855d62eeb740f3df12ab981153c7f2eb70ed1e74fbcbb

C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\icudtl.dat

MD5 2134e5dbc46fb1c46eac0fe1af710ec3
SHA1 dbecf2d193ae575aba4217194d4136bd9291d4db
SHA256 ee3c8883effd90edfb0ff5b758c560cbca25d1598fcb55b80ef67e990dd19d41
SHA512 b9b50614d9baebf6378e5164d70be7fe7ef3051cfff38733fe3c7448c5de292754bbbb8da833e26115a185945be419be8dd1030fc230ed69f388479853bc0fcb

C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\libEGL.dll

MD5 6426112edaa62ca308f7f32d26d4f6ad
SHA1 3edfd900da6a5fb1c67c41e18ea0ec9a2752ba2e
SHA256 a23882d8555d8c3f1d27ba39b0225d68bc446e250d19d36aff4ef65d221458a3
SHA512 f967dea3f18ab81c8ca72b722962944b9a874cfda4c95237e96b1e989ff3657a087957c1ff2c374616ed2e49a75f2786174ff8972a3447589468dfafaf4db582

C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\libGLESv2.dll

MD5 b7214621f818dfe440ade5b2f3619519
SHA1 4b95d412e49f2e4c3ce71e10b2d76df3ab63547c
SHA256 59133f095f941eb8d6b3613fd08b98e6d84e8290f3f72ded6d98c8683582f188
SHA512 d8195862a8d6ca8de5aa4096ce1feabda3f8375279904124e80451ef22d1ae13e4de35487afe36996d0b51edc16c48ddda03c5c2b14f4bd5e465ed48e9e3d29b

C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\LICENSES.chromium.html

MD5 312446edf757f7e92aad311f625cef2a
SHA1 91102d30d5abcfa7b6ec732e3682fb9c77279ba3
SHA256 c2656201ac86438d062673771e33e44d6d5e97670c3160e0de1cb0bd5fbbae9b
SHA512 dce01f2448a49a0e6f08bbde6570f76a87dcc81179bb51d5e2642ad033ee81ae3996800363826a65485ab79085572bbace51409ae7102ed1a12df65018676333

C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\LICENSE.electron.txt

MD5 4d42118d35941e0f664dddbd83f633c5
SHA1 2b21ec5f20fe961d15f2b58efb1368e66d202e5c
SHA256 5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d
SHA512 3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63

C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\resources.pak

MD5 a8502a5d32543474520dd8cf1a871b60
SHA1 4b2b4e61a8105dd9583c12e9adfd307c113907c8
SHA256 b6420c40d7d9b4971f6c99a3fd108e10c7e4e6bb95fa655a5a1b00ff2bab36dd
SHA512 c73e578d9b8a990ad11c218c096fc8d8a5d283a3fee4388ef40b4140e14504498f3e376b4b86d0d789dd9cd1dc8957d749a86f59cdf199f85daa28490c129658

C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\snapshot_blob.bin

MD5 840169fda65be2a18c85e7dd44ec6051
SHA1 5080736e613be6e11242d37adef740cac0bf8cd1
SHA256 80e58621229b4cb6104ce7f65ebce979a6ebe3eac750447d037660cec34ad0b3
SHA512 2e65ac47ff05830eb0942288daf66468fbd34a1fbc1010f0bcdaca873f4d110ae8f88e825dec7e86dcd7b11dee7a003c29350e3377abd9f886b028cdbb830644

C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\v8_context_snapshot.bin

MD5 5a072b0edc88a0b18e1c56a307a341cd
SHA1 20ee0b6521e12dfc4f378eb8d5724456e22e90fd
SHA256 878046ea578d24595d060583cf8f9618aba37d23c603499068e5762dd5509aa1
SHA512 c3a51850d939eea9b5d8926795cdc3e56962ec9eeabb3b80ed62a9c77ae5d6b696528d03a469c212b99d83ec303367f3353cc0fff459e7e577254f037f8fd995

C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\vk_swiftshader.dll

MD5 3eb74d173ef00f7c510b11e61c5ab52f
SHA1 13cfe224f966145d7f90640b080bef5dd4d0ff42
SHA256 0749491928a69673f17d39eb674f9a416e789e4fddec48ebb54714914343b48a
SHA512 423ab3765aa01cf39fa31d068ddb761ad93707cb06f57b4e674311c91c5cc9d238c231d1e6882f8d3525d16fea0d8f8db8d0a74bb55309f5a120cbe4a34e40bd

C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\vk_swiftshader_icd.json

MD5 8642dd3a87e2de6e991fae08458e302b
SHA1 9c06735c31cec00600fd763a92f8112d085bd12a
SHA256 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9
SHA512 f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\vulkan-1.dll

MD5 8439213fbb22a848ce814982d502bdc4
SHA1 6c5831de36a539c0689410b00f1b8aa1dc6f7c2d
SHA256 e69f794109b12523de314a471c56278cd921be58facbd18ec351685d15894cc0
SHA512 e4e570e5b98420d99634167e0d9f920cba27fc4b8e91c70cc4e5b33a4b3299a69ce9b294aae538aeb150135378978a6c7b0644a645b797ab230e185593c828c0

C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\af.pak

MD5 7e51349edc7e6aed122bfa00970fab80
SHA1 eb6df68501ecce2090e1af5837b5f15ac3a775eb
SHA256 f528e698b164283872f76df2233a47d7d41e1aba980ce39f6b078e577fd14c97
SHA512 69da19053eb95eef7ab2a2d3f52ca765777bdf976e5862e8cebbaa1d1ce84a7743f50695a3e82a296b2f610475abb256844b6b9eb7a23a60b4a9fc4eae40346d

C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\am.pak

MD5 c6ef9c40b48a069b70ed3335b52a9a9c
SHA1 d4a5fb05c4b493ecbb6fc80689b955c30c5cbbb4
SHA256 73a1034be12abda7401eb601819657cd7addf011bfd9ce39f115a442bccba995
SHA512 33c18b698040cd77162eb05658eca82a08994455865b70d1c08819dfac68f6db6b27d7e818260caa25310ff71cf128239a52c948fde098e75d1a319f478a9854

C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\ar.pak

MD5 56f6dc44cc50fc98314d0f88fcc2a962
SHA1 b1740b05c66622b900e19e9f71e0ff1f3488a98e
SHA256 7018884d3c60a9c9d727b21545c7dbbcc7b57fa93a16fa97deca0d35891e3465
SHA512 594e38739af7351a6117b0659b15f4358bd363d42ffc19e9f5035b57e05e879170bbafe51aece62c13f2ae17c84efb2aed2fc19d2eb9dcb95ebd34211d61674e

C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\bg.pak

MD5 945de8a62865092b8100e93ea3e9828d
SHA1 18d4c83510455ce12a6ac85f9f33af46b0557e2e
SHA256 f0e39893a39ce6133c1b993f1792207830b8670a6eb3185b7e5826d50fea7ba2
SHA512 5f61160ff64b9490a1ad5517d8c1bb81af77d349541fed5045e7f6e5053b7d79b7e8f114630bfbe4d5af30258f70a6569462bfa39ccb765f8ca191f82ee04f3f

C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\bn.pak

MD5 8feb4092426a0c2c167c0674114b014d
SHA1 6fc9a1076723bfaf5301d8816543a05a82ad654d
SHA256 fb0656a687555801edfb9442b9f3e7f2b009be1126f901cf4da82d67ac4ad954
SHA512 3de40bdd18e9e7d3f2eceebf7c089e2250ce4d40412a18d718facba8f045e68b996978ef8b4d047b21d3424094056d16b5abb81bd0507f446b805d6b889522a7

C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\ca.pak

MD5 01acd6f7a4ea85d8e63099ce1262fbad
SHA1 f654870d442938385b99444c2cacd4d6b60d2a0d
SHA256 b48d1bad676f2e718cbe548302127e0b3567913a2835522d6dd90279a6d2a56a
SHA512 2bd13eca1a85c219e24a9deb5b767faa5dc7e6b3005d4eb772e3794233ed49cb94c4492538d18acc98658c01d941e35c6f213c18ac5480da151c7545eedeb4ab

C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\cs.pak

MD5 a934431d469d19a274243f88bb5ac6fb
SHA1 146845edc7442bf8641bc8b6c1a7e2c021fb01eb
SHA256 51c36a5acdad5930d8d4f1285315e66b2578f27534d37cd40f0625ee99852c51
SHA512 562f07151e5392cbffb6b643c097a08045e9550e56712975d453a2ebaee0745fbfba99d69867eec560d1d58b58dff4f6035811b9d4f0b1b87547efa98f94d55d

C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\da.pak

MD5 bb5252dc6f0f3c01ce3638138bf946c8
SHA1 bfb584b67c8ca51d94bff40809410553d54da1cf
SHA256 c93f39d0ab9a2fab26977aa729261633225879ba6dc5ea8d0ca89814b2df9fa9
SHA512 e411fd3cc5285a6059c3fd80c3421253a4ce06b2d0cd1cd1efc25e88191a58fed176452d852922137268be2824e1e162cd4d4a6f8c695a50517a783d15b1c6e7

C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\de.pak

MD5 ed329b35d10e81f55d611fe8748876f8
SHA1 0d998732bb4c4d1faad5a5bc0a21d6c5672418d3
SHA256 6facd562add58c4684ef4a40de9b63581fea71c5b83049ed8a2c2a2c929c45ce
SHA512 bd713ff78e375fec3a04ab0c9476c0379f87efc6d18359c2a4d297303d78381081120c371848c8675f1f16dd4ab7284d81e5bfc9ae11ab33e12f96c12d89e764

C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\el.pak

MD5 6922aaa87431699787c1489e89af17b9
SHA1 6fb7771c9271ca2eeebe025a171bfa62db3527f7
SHA256 800545f9134914649da91b90e7df65d8208014c3e12f2be551dfd6722bf84719
SHA512 367ef8467631e17e0a71d682f5792a499e8578b6c22af93d9a919d9e78709ec2501df9599624f013b43f4c3e9fb825182193116dbead01874995d322b7a6e4d6

C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\en-GB.pak

MD5 0db7f3a3ba228aa7f2457db1aa58d002
SHA1 bbf3469caadfa3d2469dd7e0809352ef21a7476d
SHA256 cf5aca381c888de8aa6bbd1dcd609e389833cb5af3f4e8af5281ffd70cd65d98
SHA512 9c46c8d12579bd8c0be230bbcdb31bdb537d2fea38000cf700547ca59e3139c18cc7cb3e74053475605132404c4c4591f651d2dad2ce7f413ccffd6acf7139e8

C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\en-US.pak

MD5 5e3813e616a101e4a169b05f40879a62
SHA1 615e4d94f69625dda81dfaec7f14e9ee320a2884
SHA256 4d207c5c202c19c4daca3fddb2ae4f747f943a8faf86a947eef580e2f2aee687
SHA512 764a271a9cfb674cce41ee7aed0ad75f640ce869efd3c865d1b2d046c9638f4e8d9863a386eba098f5dcedd20ea98bad8bca158b68eb4bdd606d683f31227594

C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\es-419.pak

MD5 5321c1e88c5c6fa20bdbc16043c6d0f6
SHA1 07b35ed8f22edc77e543f28d36c5e4789e7723f4
SHA256 f7caa691599c852afb6c2d7b8921e6165418cc4b20d4211a92f69c877da54592
SHA512 121b3547a8af9e7360774c1bd6850755b849e3f2e2e10287c612cf88fb096eb4cf4ee56b428ba67aeb185f0cb08d34d4fa987c4b0797436eea53f64358d2b989

C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\es.pak

MD5 e9fa4cada447b507878a568f82266353
SHA1 4a38f9d11e12376e4d13e1ee8c4e0d082d545701
SHA256 186c596d8555f8db77b3495b7ad6b7af616185ca6c74e5dfb6c39f368e3a12a4
SHA512 1e8f97ff3daad3d70c992f332d007f3ddb16206e2ff4cffd3f2c5099da92a7ad6fb122b48796f5758fe334d9fbf0bbae5c552414debbb60fe5854aaa922e206e

C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\et.pak

MD5 a94e1775f91ea8622f82ae5ab5ba6765
SHA1 ff17accdd83ac7fcc630e9141e9114da7de16fdb
SHA256 1606b94aef97047863481928624214b7e0ec2f1e34ec48a117965b928e009163
SHA512 a2575d2bd50494310e8ef9c77d6c1749420dfbe17a91d724984df025c47601976af7d971ecae988c99723d53f240e1a6b3b7650a17f3b845e3daeefaaf9fe9b9

C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\fa.pak

MD5 dcd3b982a52cdf8510a54830f270e391
SHA1 3e0802460950512b98cd124ff9f1f53827e3437e
SHA256 e70dfa2d5f61afe202778a3faf5ed92b8d162c62525db79d4ec82003d8773fa3
SHA512 3d5b7fa1a685fa623ec7183c393e50007912872e22ca37fdc094badaefddeac018cc043640814a4df21bb429741dd295aa8719686461afa362e130b8e1441a12

C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\fi.pak

MD5 5518b51d4af7f1b9d686cbea28b69e71
SHA1 df7f70846f059826c792a831e32247b2294c8e52
SHA256 8ff1b08727c884d6b7b6c8b0a0b176706109ae7fe06323895e35325742fe5bd1
SHA512 b573050585c5e89a65fc45000f48a0f6aabccd2937f33a0b3fcbd8a8c817beaa2158f62a83c2cae6fcfb655f4a4f9a0c2f6505b41a90bc9d8ede74141ebc3266

C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\fil.pak

MD5 3165351c55e3408eaa7b661fa9dc8924
SHA1 181bee2a96d2f43d740b865f7e39a1ba06e2ca2b
SHA256 2630a9d5912c8ef023154c6a6fb5c56faf610e1e960af66abef533af19b90caa
SHA512 3b1944ea3cfcbe98d4ce390ea3a8ff1f6730eb8054e282869308efe91a9ddcd118290568c1fc83bd80e8951c4e70a451e984c27b400f2bde8053ea25b9620655

C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\fr.pak

MD5 0445700799de14382201f2b8b840c639
SHA1 b2d2a03a981e6ff5b45bb29a594739b836f5518d
SHA256 9a57603f33cc1be68973bdd2022b00d9d547727d2d4dc15e91cc05ebc7730965
SHA512 423f941ec35126a2015c5bb3bf963c8b4c71be5edfb6fc9765764409a562e028c91c952da9be8f250b25c82e8facec5cada6a4ae1495479d6b6342a0af9dda5f

C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\gu.pak

MD5 7b5f52f72d3a93f76337d5cf3168ebd1
SHA1 00d444b5a7f73f566e98abadf867e6bb27433091
SHA256 798ea5d88a57d1d78fa518bf35c5098cbeb1453d2cb02ef98cd26cf85d927707
SHA512 10c6f4faab8ccb930228c1d9302472d0752be19af068ec5917249675b40f22ab24c3e29ec3264062826113b966c401046cff70d91e7e05d8aadcc0b4e07fec9b

C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\he.pak

MD5 93d9261f91bcd80d7f33f87bad35dda4
SHA1 a498434fd2339c5d6465a28d8babb80607db1b65
SHA256 31661709ab05e2c392a7faeed5e863b718f6a5713d0d4bbdab28bc5fb6565458
SHA512 f213ff20e45f260174caa21eae5a58e73777cd94e4d929326deefbef01759d0200b2a14f427be1bb270dfcd2c6fb2fce789e60f668ac89ecf1849d7575302725

C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\hi.pak

MD5 b7e4892b2030e4f916364856b6cc470a
SHA1 b08ad51e98e3b6949f61f0b9251f7281818cd23e
SHA256 093119a99f008ab15d0e5b34cd16ec6b4313554e6c3cffe44502bfce51470e3e
SHA512 ca453025d73228592a4bfe747a3ea08b86327f733032a64ced0fc0c9e2e00b02450f133e691b94be13a3e69e22b43bca512e5f77b0e490320f0bf8e65571bb46

C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\hr.pak

MD5 105472bc766a30bb71f13d86081de68d
SHA1 d014103ad930889239efd92ecfdfcc669312af6c
SHA256 a3a853a049735c7d474191dff19550a15503ecd20bafe44938eb12ea60e50b7c
SHA512 ee7479d459eff8ec59206c2269df4e9fc1ca143e9b94a908eb8a5a1e16180bcc88f0b24d73c387f5853ea0418e737641f23146676232c1a3ac794611f7880f11

C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\hu.pak

MD5 b338dcb0e672fb7b2910ce2f561a8e38
SHA1 cf18c82ec89f52753f7258cdb01203fbc49bed99
SHA256 bcdf39aa7004984cb6c13aac655b2e43efeb387ce7d61964b063d6cf37773f7a
SHA512 f95f6a8e36d99680fb3cdb439f09439782bcc325923ec54bdc4aeb8ec85cf31a3a2216e40e2b06c73a2f5e7439d8178d8becac72781a6d79808067e8ccf3cac6

C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\id.pak

MD5 bd9636e9c7dc7be4c7f53fb0b886be04
SHA1 55421d0e8efcbef8c3b72e00a623fb65d33c953e
SHA256 5761ee7da9ca163e86e2023829d377a48af6f59c27f07e820731192051343f40
SHA512 7c7e88ffd2b748e93122585b95850ded580e1136db39386ced9f4db0090e71394a1f9ceb937262c95969132c26bf6ce1684fbb97b6469ed10414171a2e8cc3a4

C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\it.pak

MD5 7c981a25be0e02fba150e17d9669a536
SHA1 3af10feb7cdc7bc091b80173301b1a3d4ef941d4
SHA256 ee2d2643ad7a8f97b7a6c070910866436cae0267a6691a3d8a88ed0948d8af49
SHA512 445eecfa83e7635bc3442937bdf3b9c4a38ef3fbb7f07ca90a1d4222e1a29639f3fdce12b20e798888823f2d612e5972492b3786d37b256aec5c1c96cdb96b28

C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\ja.pak

MD5 f47efaa76f5200a6c0c23c33684d7bad
SHA1 9b24f6491a1171d3dfeae329e1f45ab3e3d9cf22
SHA256 5b99d6a11d7b653681b2a2bb616cc1814451ad35c370d178b2ef6650465d4f2a
SHA512 67d130a66f03a4d1a0a30576b19fe44fa707cba764c6dcd355cbe891a2bcc0b25823ba2106e9271e06ada674f66824a5323b77d4984900516d2a8802af87960e

C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\kn.pak

MD5 a603f3d899ccdcd9af20dcd8f87d0ed8
SHA1 f476355d6ea5c05b35ad74c08e2edfe5ff2881ad
SHA256 3c11a589aab0c5d9e5c18e6a95dce7e613089d3598b8fe54e656a8d97e22a6fd
SHA512 f6b008080cae44d680faaab02911f62e21d042c55fc5af87e719e9bc4102b282e58e67f19f37f60fe8ba99f5b8cfd4e70a61af9918a9ee8e3d8ae72555d31c15

C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\ko.pak

MD5 b83bc27c5bc2bb4d0ff7934db87e12ad
SHA1 050f004e82f46053b6566300c9a7b1a6a6e84209
SHA256 ab3060e7d16de4d1536ff6dd4f82939a73388201ad7e2be15f3afee6a5aae0ef
SHA512 b56b211587fe93a254198ca617cdecd8dc01e4561151a53173721665111c4d2440535f5f6b8a5a69a31840ea60124f4afd2c693d1fc4683fa2cf237c8ede5f0a

C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\lt.pak

MD5 96602a3f3b59faa997a4d337889fa02b
SHA1 94593a270b0d84c006e0959bc136b6c4987dfd3f
SHA256 51db5311de9dff41fb4eadda8ba7d5e492912f72c3754adaf8e3de23aba46f8a
SHA512 dd45240494d09ad9a41be9d4056ed274e78a50dc85e6bff9438e707a84f65b77ebe522531370da99e50a6887d6063c29e9728b49df2b2b3c61362d774797fac2

C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\lv.pak

MD5 e4f7d9e385cb525e762ece1aa243e818
SHA1 689d784379bac189742b74cd8700c687feeeded1
SHA256 523d141e59095da71a41c14aec8fe9ee667ae4b868e0477a46dd18a80b2007ef
SHA512 e4796134048cd12056d746f6b8f76d9ea743c61fee5993167f607959f11fd3b496429c3e61ed5464551fd1931de4878ab06f23a3788ee34bb56f53db25bcb6df

C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\mr.pak

MD5 25f2b9842e2c4c026e0fc4bc191a6915
SHA1 7de7f82badb2183f1f294b63ca506322f4f2aafa
SHA256 771eb119a20fcc5e742a932a9a8c360a65c90a5fe26ab7633419966ba3e7db60
SHA512 ac6d2eeb439351eee0cf1784b941f6dd2f4c8c496455479ca76919bf7767cca48a04ba25fccde74751baa7c90b907b347396235a3ce70f15c1b8e5388e5c6107

C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\ml.pak

MD5 3b1305ecca60fb5a7b3224a70398ead9
SHA1 04e28fce93fc57360e9830e2f482028ffc58a0a2
SHA256 c10942f5333f0d710de4d3def7aa410c4576ffe476b3ea84aac736bfb9c40d67
SHA512 68fdd944a153c16d18e73dd2aa75593f6ac13b8e87dbfb5bfccdd982a4f885bd9903c3ed1af781581cd3c5d42dd2ff21cc780f54fd71ab04a3237d08ed5a1554

C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\ms.pak

MD5 9b3e2f3c49897228d51a324ab625eb45
SHA1 8f3daec46e9a99c3b33e3d0e56c03402ccc52b9d
SHA256 61a3daae72558662851b49175c402e9fe6fd1b279e7b9028e49506d9444855c5
SHA512 409681829a861cd4e53069d54c80315e0c8b97e5db4cd74985d06238be434a0f0c387392e3f80916164898af247d17e8747c6538f08c0ef1c5e92a7d1b14f539

C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\nb.pak

MD5 7576c2fa9199a4121bc4a50ff6c439c3
SHA1 55e3e2e651353e7566ed4dbe082ffc834363752b
SHA256 2a3dfc6b41fa50fabed387cb8f05debbc530fa191366b30c9cb9eaae50686bd5
SHA512 86c44e43609e6eb61273f23d2242aa3d4a0bfa0ea653a86c8b663fa833283cc85a4356f4df653e85080f7437b81ae6201a3ecf898a63780b5ca67faa26d669fe

C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\nl.pak

MD5 bc41967b2ff493e7f151c7721245739d
SHA1 7606133ddbb58492dbbf02c03a975fb48da1e26f
SHA256 3dbe5569f53d1314dcb1bc99540cf6a0fea45b6d67576fd0d14c688107892f32
SHA512 9e395a3b5bbf64de3e474c56c4fb39879f107a9db246632cf6bb4b06160e05a82c0161d6496edb2bc29febb4a8f67ca7ea904167b860fd6da96636a6711cb593

C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\pl.pak

MD5 61c093fac4021062e1838a32d79399c2
SHA1 84a47537ef58d2507cf7697ea7e1e27b1f812ee8
SHA256 58067ec06973f5dd7afebbe57bffce3a3ed9f8e5093af8fcefdb6a65b2b68b22
SHA512 475d9d4f27cbc23efd9acf75024f993bcf7a8279e658ccbd84c8ac810e1c828de4dac4141298865faf1bb8858a7a88a12d1a21c467e8c656533e364ceff7e5dc

C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\pt-BR.pak

MD5 a23c805ee4d3d67c811b50826ca25a51
SHA1 c14fa8b9c7073fe88e188cfa4b34883faccc2c09
SHA256 62be4fb0bd3b8be563516bfea3f0848924bb7afb0c563d02c1508608a4487e3b
SHA512 c478bd2234eef73aa08085d29b916ad1471576ff213f972c9616757172d0cdec6e5d6797a1f2635ac17a0bac34964a298e4ab4336479456ce10330128cd68a53

C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\pt-PT.pak

MD5 acffa29064f40a014bc7fe13e5ff58a9
SHA1 5a0890c94084075446264469818753f699a3d154
SHA256 423e7ccb22d32276320ed72f07186188e095c577db5bce7309c8bd589a2a8858
SHA512 d4572c81fdd3b7b69d77544f68b23ae0b546158033be503dbaab736d3ca1188b18916688234fae9ea29fa430258b2d2b95a93d0e8b74919a62040b84902d3b6e

C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\ro.pak

MD5 19cfc7c8f1a2e4a2de1f9f64475469bc
SHA1 bf6c4f373c19b03e116d2593c64e1ceca47d79dc
SHA256 3e725f7a791aed1fbed57f075ca11ce389a5bd425ccce3c00537dad27e5a8dd6
SHA512 ff5254e3a3676b8f5e74cba6661ae43d5739c7363c66cb17f74dce158dc36cee103885f055846dd320b932f2e7fbdc831bcee6293d423ff9b842b68644f633bd

C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\ru.pak

MD5 fc0e2fc09aa9089c5db75bab7a0754a7
SHA1 f3d1e3e1600ae188e801a81b6d233db9903b82df
SHA256 188b6405cb6c5b7c0b35050278a119c3ce41fb90883b9adb39fec15da0a05550
SHA512 377e685d1d171d0a7158b56f356ca33d4493d07efa58d3c384e272e1b6829933552c69aff95215ae7d1a0f99616a20790708f5187ea10cfe46baa2bb522fc18f

C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\sk.pak

MD5 793c442420f27d54410cdb8d8ecce5ff
SHA1 8995e9e29dbaaa737777e9c9449b67ca4c5b4066
SHA256 5a9d6b77ca43c8ed344416d854c2d945d8613e6c7936445d6fe35e410c7190bb
SHA512 291e3d2300c973966d85e15a1b270ba05c83696271a7c7d4063b91097a942590c9797a4d22dfbe154564b779dac92fd12db0d5b63f5f0406f818b956b126e7e9

C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\sl.pak

MD5 4d9d56ef0b176e7f7aa14270e964ec77
SHA1 515aac37e4f25ca50bd52ea73889b70b1e79863d
SHA256 6ba684a8f06f7eb175955b15d30c7162d92c7e7c48864dfb853238263e1be8c7
SHA512 740adbb7d8b039f98e187f45a1a87d0354136fb48b75262e508f720bfcbeb2746f04d31a57dccd50e37ddb5a1b7c0ad79a01cac6ba5fb98a9af272ad99fcb169

C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\sv.pak

MD5 bbe0785c5f9591e8a1e7c4830fe949d6
SHA1 da4f3286079d50e1c04e923529e03e7d334c7fff
SHA256 0ad84f6f95fd7505862278a7c1c92d00a7e7dd4a765569e9c3086f55c1d7059d
SHA512 38bab6f3a6c9395d3b57e63168045ad2e8188b2f04751a15253e7226ec3043c9678a77be1eb27a3b2e751934a024f3ffc89fffd9f1e229e19638be318b53e961

C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\sw.pak

MD5 ee8da42ffe40fbb916c56390e2cd99e8
SHA1 6d824f56afe6b3605a881d2c26e69a46e6675347
SHA256 192e248c7ac4644f8712cf5032da1c6063d70662216ccf084205f902253aa827
SHA512 7befe72b073000bc35a31323d666fd51d105a188d59c4a85d76ee72b6c8c83a39a1beb935c1079def8e3ffa8c4bf6044cf4f3bef0f1c850c789b57e1144ff714

C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\ta.pak

MD5 a8beab6896018a6d37f9b2e5bdd7a78c
SHA1 64310684247219a14ac3ac3b4c8ebaa602c5f03a
SHA256 c68b708ba61b3eeab5ae81d9d85d6e9f92e416ecfae92e8de9965608732384df
SHA512 73b0a31235bf4b7c5ad673f08717f3b4f03bcdf2a91440ee7228aa78c2d15dd2aed32498e23ded78ec35bc731dbe16b6a1c236a170f2a84123a464857686c7b5

C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\te.pak

MD5 02415ded02cc7ac25e8f8d0e83365061
SHA1 5a25bf63ec97dbeb37e64ab3825cbbce6326a5cf
SHA256 97024f0cfac78e0c738e771beea1e35f5a8eb2b132b3043b59ce4ecd6c153523
SHA512 54e658c6d432b29b031be278e5b4396ac14b0f85e1f772a0a76c0431d4cbe2370ff2898077837688e2fb9700db1eab7a19e4e350a280a2ffad8176d861d93e45

C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\th.pak

MD5 293ad7c20c22d744e4db0fb001ec45bb
SHA1 486c9e0732306a45aceb633da2b3ded281197620
SHA256 d67d68f24d3347e244a7e8c3b63d47f18fcf37258256f48dad785cf98bb560fa
SHA512 ac2b2dd82095925b3229958e89dcf5283bdce0273734a0c338f5a1aa8b014644806ca517f0fc2003669910e58fedf9c2ca7a009fa3f53d58c07bc5e9191f2e2f

C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\ur.pak

MD5 d7ec7d551dee1e1ef11be3e2820052f9
SHA1 d7f2d35841883103c2773fc093a9a706b2fe5d36
SHA256 05e45371159075048db688564b6bc707e0891303c40f490c3db428b0edd36102
SHA512 92e2d32fc106812e08163a26f202a5d0e7eb7028a871f3bc6cbc05ee6c7ce287032179322b19e396308968515bf214534a38d93afc259a780ad7ba8432fab56a

C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\zh-TW.pak

MD5 8f67a9f38ad36d7d4a6b48e63852208d
SHA1 f087c85c51bdbdef5998cfc3790835da95da982a
SHA256 92f26e692dc1309558f90278425a7e83e56974b6af84dbd8cc90324785ee71ca
SHA512 623034bbdfdf5d331de78b630f403aeb9cef27b1827e0d29ec66ad69310f56c7db96c6775df0e749f8112a4a8e75754bcf987903d415fc7ae360e3c39e6e18e0

C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\resources\app-update.yml

MD5 1f3fc4ed1c35754da78d76ac2355e681
SHA1 52a2ec4a1267e6b51fb9e376f38dd174799f57f3
SHA256 08c1434ebe835e19645d055993023f8b8048ef6025792bd2ce685ef33f34abe3
SHA512 155895169d921772c125922c82785b34e59ae0b35f909543bbcbb52b88f9b857d2997de335ea87cc4f582d8b928598de4addde423d21953d29d9e3e27932adbb

C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\resources\app.asar

MD5 dcf84c7c6436284959898ff76df2601a
SHA1 d64896cf933ef8399c23f678e2b5529c1074e8f9
SHA256 9ab65922798b5f5c4056de45e44a5fdccc489a6321a3cabbfbd99d8ca9daa896
SHA512 1e1361c6ec01637d83e340ef4069f5043fec4aa750df1fcaed5c9ef88e2a90108ca345789ef3053ca7970ebed73d9ab9cd66d5fdcb409038d4618de2037d4f80

C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\resources\dist\pages\cantLoad.html

MD5 af0ebfabf769eacba4deb6fbc9f002ce
SHA1 8b18e6f7c70bf329bb5f9f4c2436c7d6f95faed4
SHA256 6bc293fd068ddac9c3d92116e09417ac768336c76b748fccdc9f167e6466c1d4
SHA512 85d744eb091ed3a9e5b14eb4d87c5233b9909c732c5902c50a2cd38a9645a65dae8723f3773758e02a1a8c591da98fc589377702863090acb527fb20ceded709

C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\resources\extraResources\[email protected]

MD5 e9b992be1a5ea38cfdbc31508d80b3b9
SHA1 e8395346ff49413abda7950807938baaaeee042d
SHA256 ca3525faef577979cc300996b230ab12f58b539d1361e2831868d515068c2346
SHA512 930501bf1c6d71a2907217bd4c8bfe0231d890f1f665d51963b3011c805a305246d6e4e0ecf6cf6efad37edde6ffed3c7dd088594ac24aab1e13fabd21a35e1a

C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\resources\extraResources\IconTemplate.png

MD5 2c761c4c5b466c0d6c3fb51907f4a587
SHA1 72bb96c24004b9cf6abde1ae870ebb2315169855
SHA256 c0abd9c5ecfb3cfcd8ef51d6efd969cacfc2c13c59815d067573977664461eec
SHA512 9722b18a6342ea91e5094b41b31eb2bbed4c2fb773f6309b9ad238dd52260773ed3e0ebfa38469ac970b51bf2665f45086fd112f1eb0390513665094b91ea560

C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\resources\dist\pages\icon-text-logo.svg

MD5 9e058d4bc591160ec98e36aa65031b48
SHA1 36254fd3bdb61ac27344a69594d91009122808fe
SHA256 a6feedf1437cf6026a950771aee3798a310ad554ddf00508282bba9c50e48c79
SHA512 4e0d4edc0385d9b114f0553c3b182313507ca08e3c680bdb78c7ef05e019b2d4b56a84801792d0923bf16b993918ad72b0029199adc52daa951b209a6c62a125

C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\resources\elevate.exe

MD5 86050c2cbb9f996c1d7b5116fc67b21e
SHA1 59ec79f38d3a3bbe5b63b464bc720b426d7c300a
SHA256 288bce90fd6ffb1dd260f71f73765b9931c45015c3a963514855ae78f1becb9a
SHA512 9d4a1eb417b809299b9eeafc90323032dbea5b0ae9ddc799af6e4e36ecef61d2518dc4756bb4ac398d396926eb72e6886cb64c568dfad80e51c5320a74943b8f

C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\zh-CN.pak

MD5 9d4f54eb5a12cf4c2f34f5f538dff90b
SHA1 c31b892ce78c733bde0571b6236170103cc9fe7a
SHA256 58b934a09858f037f1966a495e73d44416180afcdebfaefcee1f5e3377de63f7
SHA512 46bf6099c50f7959a6f0800ec679b61a78efabe87985cad8dc0d7d0006470a9c61e659bde0258da6cf7ed6104749a157f5ad133f324479c3460a19fc14e31c37

C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\vi.pak

MD5 9274866d7c6314f43dd63ed293293e25
SHA1 4af0e6ec1bcb99588810a9fb69c1dc2bbad892fc
SHA256 dcbdc6d9e11dd10fc1364c10be5438ce2697f61ec5f32997c43b87238087c4e3
SHA512 3c8c9e9960a49469af83cae31790a03e41846163c14d3dae45fd92a1a412c82075bdef3317baca02399eb53de0f9164c0a9a17b7cd63e0fa61c3e4617393c42e

C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\uk.pak

MD5 e4c4e3700469704b936460ca1a90fcc0
SHA1 e809990fc07a1d39fe623046382699e648e343c0
SHA256 29af2abc75a35bb9e3f9bc6e2904228ba651ea4e0ce8e9c7a2d7e272374b9ebb
SHA512 68e33f471c5bf2d4ed9cb00ace3e094ef102a5f1566a6e2c8a3007ef7fbd8a24c36eb36b08745f3608e70940444e9fc7a36fabe1a9945d1f00b4f3f28c7bdaf6

C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\tr.pak

MD5 9f24f44cac0997e1d0a6a419520f3bfe
SHA1 edb61859cbb5d77c666aac98379d4155188f4ff5
SHA256 3aff7dcbfb1a244cc29b290376b52cfb3e1f844c98facafea17b4a45ce064b8a
SHA512 65fbe2d7fea37db59b805d031f6ae85d628a51b254e76e8c2b4ef4b5153527b7e2412ed6a0961d174b8a5581b521b0436160fe5ed252f78303bcfde815733d81

C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\sr.pak

MD5 cf160983a86b51ec42845f4e60ac9123
SHA1 4d3bd86a7ef1eaadb8bec0b79ecc6c05b4273a48
SHA256 ef07512fb337005bb66696c69722a0d65bfb749b9d2f763f5b2ff2885cb247a4
SHA512 b909fc3614c3250856d2c502cbfed5eb6e398140b801669bf92427e7e8a5939b14052b9abf2c94749f1aea61946ff66be4978c68064196458733bcff0a963ffa

\Users\Admin\AppData\Local\Temp\nsd282A.tmp\WinShell.dll

MD5 1cc7c37b7e0c8cd8bf04b6cc283e1e56
SHA1 0b9519763be6625bd5abce175dcc59c96d100d4c
SHA256 9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6
SHA512 7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

memory/2968-602-0x0000000002BD0000-0x0000000002BD2000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-10 23:34

Reported

2024-05-10 23:38

Platform

win7-20240220-en

Max time kernel

119s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 220

Network

N/A

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-05-10 23:34

Reported

2024-05-10 23:38

Platform

win7-20240508-en

Max time kernel

122s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe

"C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe"

Network

N/A

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-05-10 23:34

Reported

2024-05-10 23:39

Platform

win10v2004-20240426-en

Max time kernel

145s

Max time network

156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vk_swiftshader.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vk_swiftshader.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 31.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 171.117.168.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-05-10 23:34

Reported

2024-05-10 23:38

Platform

win10v2004-20240426-en

Max time kernel

144s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3dcompiler_47.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3dcompiler_47.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.79.70.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-05-10 23:34

Reported

2024-05-10 23:39

Platform

win7-20240221-en

Max time kernel

123s

Max time network

140s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3032 wrote to memory of 3036 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 3032 wrote to memory of 3036 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 3032 wrote to memory of 3036 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 3032 -s 92

Network

N/A

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-05-10 23:34

Reported

2024-05-10 23:39

Platform

win7-20240508-en

Max time kernel

122s

Max time network

129s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\locales\uk.ps1

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\locales\uk.ps1

Network

N/A

Files

memory/2548-4-0x000007FEF56BE000-0x000007FEF56BF000-memory.dmp

memory/2548-5-0x000000001B730000-0x000000001BA12000-memory.dmp

memory/2548-6-0x0000000002290000-0x0000000002298000-memory.dmp

memory/2548-7-0x000007FEF5400000-0x000007FEF5D9D000-memory.dmp

memory/2548-8-0x000007FEF5400000-0x000007FEF5D9D000-memory.dmp

memory/2548-9-0x000007FEF5400000-0x000007FEF5D9D000-memory.dmp

memory/2548-10-0x000007FEF5400000-0x000007FEF5D9D000-memory.dmp

Analysis: behavioral27

Detonation Overview

Submitted

2024-05-10 23:34

Reported

2024-05-10 23:39

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

156s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\resources\dist\pages\cantLoad.html

Signatures

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 808 wrote to memory of 4528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 808 wrote to memory of 4528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 808 wrote to memory of 3124 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 808 wrote to memory of 3124 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 808 wrote to memory of 3124 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 808 wrote to memory of 3124 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 808 wrote to memory of 3124 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 808 wrote to memory of 3124 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 808 wrote to memory of 3124 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 808 wrote to memory of 3124 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 808 wrote to memory of 3124 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 808 wrote to memory of 3124 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 808 wrote to memory of 3124 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 808 wrote to memory of 3124 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 808 wrote to memory of 3124 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 808 wrote to memory of 3124 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 808 wrote to memory of 3124 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 808 wrote to memory of 3124 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 808 wrote to memory of 3124 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 808 wrote to memory of 3124 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 808 wrote to memory of 3124 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 808 wrote to memory of 3124 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 808 wrote to memory of 3124 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 808 wrote to memory of 3124 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 808 wrote to memory of 3124 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 808 wrote to memory of 3124 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 808 wrote to memory of 3124 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 808 wrote to memory of 3124 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 808 wrote to memory of 3124 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 808 wrote to memory of 3124 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 808 wrote to memory of 3124 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 808 wrote to memory of 3124 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 808 wrote to memory of 3124 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 808 wrote to memory of 3124 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 808 wrote to memory of 3124 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 808 wrote to memory of 3124 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 808 wrote to memory of 3124 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 808 wrote to memory of 3124 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 808 wrote to memory of 3124 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 808 wrote to memory of 3124 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 808 wrote to memory of 3124 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 808 wrote to memory of 3124 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 808 wrote to memory of 3688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 808 wrote to memory of 3688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 808 wrote to memory of 404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 808 wrote to memory of 404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 808 wrote to memory of 404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 808 wrote to memory of 404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 808 wrote to memory of 404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 808 wrote to memory of 404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 808 wrote to memory of 404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 808 wrote to memory of 404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 808 wrote to memory of 404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 808 wrote to memory of 404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 808 wrote to memory of 404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 808 wrote to memory of 404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 808 wrote to memory of 404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 808 wrote to memory of 404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 808 wrote to memory of 404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 808 wrote to memory of 404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 808 wrote to memory of 404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 808 wrote to memory of 404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 808 wrote to memory of 404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 808 wrote to memory of 404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\resources\dist\pages\cantLoad.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9f50846f8,0x7ff9f5084708,0x7ff9f5084718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,14256341652610180205,18133452609569422491,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,14256341652610180205,18133452609569422491,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,14256341652610180205,18133452609569422491,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14256341652610180205,18133452609569422491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14256341652610180205,18133452609569422491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,14256341652610180205,18133452609569422491,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,14256341652610180205,18133452609569422491,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14256341652610180205,18133452609569422491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=180 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14256341652610180205,18133452609569422491,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14256341652610180205,18133452609569422491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14256341652610180205,18133452609569422491,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,14256341652610180205,18133452609569422491,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1048 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 bearly.ai udp
US 104.26.11.184:443 bearly.ai tcp
US 8.8.8.8:53 apps.identrust.com udp
US 2.18.190.80:80 apps.identrust.com tcp
US 8.8.8.8:53 a.nel.cloudflare.com udp
US 35.190.80.1:443 a.nel.cloudflare.com tcp
US 35.190.80.1:443 a.nel.cloudflare.com udp
US 8.8.8.8:53 184.11.26.104.in-addr.arpa udp
US 8.8.8.8:53 80.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 1.80.190.35.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 52.111.229.43:443 tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 87f7abeb82600e1e640b843ad50fe0a1
SHA1 045bbada3f23fc59941bf7d0210fb160cb78ae87
SHA256 b35d6906050d90a81d23646f86c20a8f5d42f058ffc6436fb0a2b8bd71ee1262
SHA512 ea8e7f24ab823ad710ce079c86c40aa957353a00d2775732c23e31be88a10d212e974c4691279aa86016c4660f5795febf739a15207833df6ed964a9ed99d618

\??\pipe\LOCAL\crashpad_808_RBNLDFQWJNCYEMIA

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 f61fa5143fe872d1d8f1e9f8dc6544f9
SHA1 df44bab94d7388fb38c63085ec4db80cfc5eb009
SHA256 284a24b5b40860240db00ef3ae6a33c9fa8349ab5490a634e27b2c6e9a191c64
SHA512 971000784a6518bb39c5cf043292c7ab659162275470f5f6b632ea91a6bcae83bc80517ceb983dd5abfe8fb4e157344cb65c27e609a879eec00b33c5fad563a6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 f914f40103b77cf0af8c70f024f3d4c5
SHA1 19c6291e36aae7ac9c9dae6f0c65727f01d8aa9e
SHA256 c16ef57dd89a088a5127ebcec543049fc827906bfa84e56619077ace14e85d0f
SHA512 eada041390ef5cfafdfb3ab2300ca55fe545b8fd7538f70f6d4cf7df4cd70a597ee2ee1eaa96938aab6af4341c6e6d8f5db74deb14c920ded00d782d0d08f302

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 6e6730220accea5b24bc1f74f06e80a6
SHA1 7423d925ebc684df76e292afa0cf48490cd19340
SHA256 01167852305922a4bbe377968cf64842b62d26584bac9b39e544b4b89c3b1893
SHA512 57b3d874b3ce6ea681b599230f2bea798a3b00934626f628b53a5c3397b5b359f7f090005f4caa9038d8a3fd24eed4aba97e234657e76ece4ee626c1ce6c8367

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 9f4d2c75896545ce1dc5b1b568af997d
SHA1 6b085585bd6e1fe984b0d2a35bbc61534af1250c
SHA256 85586db8d8a0d38b837b0f9eef99e7be33adde62a5e2a5217c6edc61b2eb2f52
SHA512 e9118e10a39c909af9e014b7a0ad21ba609082c789b4af4195549f4d6414afd60af7a285890222841e9a4c02cddee7dcffe86c070d4007958cd321f84cee02e2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 70326e337a61ddee1dcd73352b918cc1
SHA1 d7f16a9c41e95ff90ba890fc43515d6878efe3c7
SHA256 e76a3b0cc02942884d8381ffd4a28d52e623cf7460c0bdf327d134ed82b4f0ad
SHA512 0f5befb7ed3e6a64f6cf13df802125cb0cc7f25de5b7a165538965e71b2fd0c303fe6f17719319f137a5bf57ce77da72a3999c4b0d414130a9fa31f57cf9cb20

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-10 23:34

Reported

2024-05-10 23:38

Platform

win10v2004-20240226-en

Max time kernel

137s

Max time network

162s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SpiderBanner.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4860 wrote to memory of 2032 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4860 wrote to memory of 2032 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4860 wrote to memory of 2032 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SpiderBanner.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SpiderBanner.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
GB 142.250.187.202:443 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 24.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 9.179.89.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-10 23:34

Reported

2024-05-10 23:38

Platform

win7-20240508-en

Max time kernel

119s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 344 -s 220

Network

N/A

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-05-10 23:34

Reported

2024-05-10 23:38

Platform

win7-20240508-en

Max time kernel

120s

Max time network

128s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\locales\af.ps1

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\locales\af.ps1

Network

N/A

Files

memory/2816-4-0x000007FEF61AE000-0x000007FEF61AF000-memory.dmp

memory/2816-7-0x000007FEF5EF0000-0x000007FEF688D000-memory.dmp

memory/2816-6-0x0000000002890000-0x0000000002898000-memory.dmp

memory/2816-5-0x000000001B430000-0x000000001B712000-memory.dmp

memory/2816-8-0x000007FEF5EF0000-0x000007FEF688D000-memory.dmp

memory/2816-9-0x000007FEF5EF0000-0x000007FEF688D000-memory.dmp

memory/2816-10-0x000007FEF5EF0000-0x000007FEF688D000-memory.dmp

memory/2816-11-0x000007FEF5EF0000-0x000007FEF688D000-memory.dmp

memory/2816-12-0x000007FEF5EF0000-0x000007FEF688D000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-05-10 23:34

Reported

2024-05-10 23:39

Platform

win7-20240221-en

Max time kernel

117s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Bearly.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Bearly.exe

"C:\Users\Admin\AppData\Local\Temp\Bearly.exe"

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-05-10 23:34

Reported

2024-05-10 23:38

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Bearly.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\bearly\ = "URL:bearly" C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A
Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\bearly\shell\open\command C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A
Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\bearly\shell C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A
Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\bearly\shell\open C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\bearly\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Bearly.exe\" \"%1\"" C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A
Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\bearly C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\bearly\URL Protocol C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 692 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe C:\Users\Admin\AppData\Local\Temp\Bearly.exe
PID 692 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe C:\Users\Admin\AppData\Local\Temp\Bearly.exe
PID 692 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe C:\Users\Admin\AppData\Local\Temp\Bearly.exe
PID 692 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe C:\Users\Admin\AppData\Local\Temp\Bearly.exe
PID 692 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe C:\Users\Admin\AppData\Local\Temp\Bearly.exe
PID 692 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe C:\Users\Admin\AppData\Local\Temp\Bearly.exe
PID 692 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe C:\Users\Admin\AppData\Local\Temp\Bearly.exe
PID 692 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe C:\Users\Admin\AppData\Local\Temp\Bearly.exe
PID 692 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe C:\Users\Admin\AppData\Local\Temp\Bearly.exe
PID 692 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe C:\Users\Admin\AppData\Local\Temp\Bearly.exe
PID 692 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe C:\Users\Admin\AppData\Local\Temp\Bearly.exe
PID 692 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe C:\Users\Admin\AppData\Local\Temp\Bearly.exe
PID 692 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe C:\Users\Admin\AppData\Local\Temp\Bearly.exe
PID 692 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe C:\Users\Admin\AppData\Local\Temp\Bearly.exe
PID 692 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe C:\Users\Admin\AppData\Local\Temp\Bearly.exe
PID 692 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe C:\Users\Admin\AppData\Local\Temp\Bearly.exe
PID 692 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe C:\Users\Admin\AppData\Local\Temp\Bearly.exe
PID 692 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe C:\Users\Admin\AppData\Local\Temp\Bearly.exe
PID 692 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe C:\Users\Admin\AppData\Local\Temp\Bearly.exe
PID 692 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe C:\Users\Admin\AppData\Local\Temp\Bearly.exe
PID 692 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe C:\Users\Admin\AppData\Local\Temp\Bearly.exe
PID 692 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe C:\Users\Admin\AppData\Local\Temp\Bearly.exe
PID 692 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe C:\Users\Admin\AppData\Local\Temp\Bearly.exe
PID 692 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe C:\Users\Admin\AppData\Local\Temp\Bearly.exe
PID 692 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe C:\Users\Admin\AppData\Local\Temp\Bearly.exe
PID 692 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe C:\Users\Admin\AppData\Local\Temp\Bearly.exe
PID 692 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe C:\Users\Admin\AppData\Local\Temp\Bearly.exe
PID 692 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe C:\Users\Admin\AppData\Local\Temp\Bearly.exe
PID 692 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe C:\Users\Admin\AppData\Local\Temp\Bearly.exe
PID 692 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe C:\Users\Admin\AppData\Local\Temp\Bearly.exe
PID 692 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe C:\Users\Admin\AppData\Local\Temp\Bearly.exe
PID 692 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe C:\Users\Admin\AppData\Local\Temp\Bearly.exe
PID 692 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe C:\Users\Admin\AppData\Local\Temp\Bearly.exe
PID 692 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe C:\Users\Admin\AppData\Local\Temp\Bearly.exe
PID 692 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe C:\Users\Admin\AppData\Local\Temp\Bearly.exe
PID 692 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe C:\Users\Admin\AppData\Local\Temp\Bearly.exe
PID 692 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe C:\Users\Admin\AppData\Local\Temp\Bearly.exe
PID 692 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe C:\Windows\system32\reg.exe
PID 692 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe C:\Windows\system32\reg.exe
PID 692 wrote to memory of 8484 N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe C:\Users\Admin\AppData\Local\Temp\Bearly.exe
PID 692 wrote to memory of 8484 N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe C:\Users\Admin\AppData\Local\Temp\Bearly.exe
PID 692 wrote to memory of 8484 N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe C:\Users\Admin\AppData\Local\Temp\Bearly.exe
PID 692 wrote to memory of 8484 N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe C:\Users\Admin\AppData\Local\Temp\Bearly.exe
PID 692 wrote to memory of 8484 N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe C:\Users\Admin\AppData\Local\Temp\Bearly.exe
PID 692 wrote to memory of 8484 N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe C:\Users\Admin\AppData\Local\Temp\Bearly.exe
PID 692 wrote to memory of 8484 N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe C:\Users\Admin\AppData\Local\Temp\Bearly.exe
PID 692 wrote to memory of 8484 N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe C:\Users\Admin\AppData\Local\Temp\Bearly.exe
PID 692 wrote to memory of 8484 N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe C:\Users\Admin\AppData\Local\Temp\Bearly.exe
PID 692 wrote to memory of 8484 N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe C:\Users\Admin\AppData\Local\Temp\Bearly.exe
PID 692 wrote to memory of 8484 N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe C:\Users\Admin\AppData\Local\Temp\Bearly.exe
PID 692 wrote to memory of 8484 N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe C:\Users\Admin\AppData\Local\Temp\Bearly.exe
PID 692 wrote to memory of 8484 N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe C:\Users\Admin\AppData\Local\Temp\Bearly.exe
PID 692 wrote to memory of 8484 N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe C:\Users\Admin\AppData\Local\Temp\Bearly.exe
PID 692 wrote to memory of 8484 N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe C:\Users\Admin\AppData\Local\Temp\Bearly.exe
PID 692 wrote to memory of 8484 N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe C:\Users\Admin\AppData\Local\Temp\Bearly.exe
PID 692 wrote to memory of 8484 N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe C:\Users\Admin\AppData\Local\Temp\Bearly.exe
PID 692 wrote to memory of 8484 N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe C:\Users\Admin\AppData\Local\Temp\Bearly.exe
PID 692 wrote to memory of 8484 N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe C:\Users\Admin\AppData\Local\Temp\Bearly.exe
PID 692 wrote to memory of 8484 N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe C:\Users\Admin\AppData\Local\Temp\Bearly.exe
PID 692 wrote to memory of 8484 N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe C:\Users\Admin\AppData\Local\Temp\Bearly.exe
PID 692 wrote to memory of 8484 N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe C:\Users\Admin\AppData\Local\Temp\Bearly.exe
PID 692 wrote to memory of 8484 N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe C:\Users\Admin\AppData\Local\Temp\Bearly.exe
PID 692 wrote to memory of 8484 N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe C:\Users\Admin\AppData\Local\Temp\Bearly.exe
PID 692 wrote to memory of 8484 N/A C:\Users\Admin\AppData\Local\Temp\Bearly.exe C:\Users\Admin\AppData\Local\Temp\Bearly.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Bearly.exe

"C:\Users\Admin\AppData\Local\Temp\Bearly.exe"

C:\Users\Admin\AppData\Local\Temp\Bearly.exe

C:\Users\Admin\AppData\Local\Temp\Bearly.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\Bearly /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\Bearly\Crashpad --url=https://f.a.k/e --annotation=_productName=Bearly --annotation=_version=3.0.0 --annotation=plat=Win64 --annotation=prod=Electron --annotation=ver=24.4.0 --initial-client-data=0x470,0x474,0x478,0x46c,0x47c,0x7ff69145dc70,0x7ff69145dc80,0x7ff69145dc90

C:\Users\Admin\AppData\Local\Temp\Bearly.exe

"C:\Users\Admin\AppData\Local\Temp\Bearly.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Bearly" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1744 --field-trial-handle=1748,i,5193812319012649365,17365156507467696509,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Users\Admin\AppData\Local\Temp\Bearly.exe

"C:\Users\Admin\AppData\Local\Temp\Bearly.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Bearly" --standard-schemes --secure-schemes --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --mojo-platform-channel-handle=1996 --field-trial-handle=1748,i,5193812319012649365,17365156507467696509,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8

C:\Users\Admin\AppData\Local\Temp\Bearly.exe

"C:\Users\Admin\AppData\Local\Temp\Bearly.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Bearly" --standard-schemes --secure-schemes --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2344 --field-trial-handle=1748,i,5193812319012649365,17365156507467696509,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Bearly

C:\Users\Admin\AppData\Local\Temp\Bearly.exe

"C:\Users\Admin\AppData\Local\Temp\Bearly.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Bearly" --standard-schemes --secure-schemes --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3600 --field-trial-handle=1748,i,5193812319012649365,17365156507467696509,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1

C:\Users\Admin\AppData\Local\Temp\Bearly.exe

"C:\Users\Admin\AppData\Local\Temp\Bearly.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Bearly" --standard-schemes --secure-schemes --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3768 --field-trial-handle=1748,i,5193812319012649365,17365156507467696509,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1

C:\Users\Admin\AppData\Local\Temp\Bearly.exe

"C:\Users\Admin\AppData\Local\Temp\Bearly.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\Bearly" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2280 --field-trial-handle=1748,i,5193812319012649365,17365156507467696509,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 bearly.ai udp
US 8.8.8.8:53 bearly.ai udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 104.26.10.184:443 bearly.ai tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 accounts.google.com udp
NL 173.194.69.84:443 accounts.google.com tcp
US 8.8.8.8:53 155.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 184.10.26.104.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 84.69.194.173.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 o4504114762612736.ingest.sentry.io udp
US 8.8.8.8:53 o4504114762612736.ingest.sentry.io udp
US 8.8.8.8:53 js.stripe.com udp
US 8.8.8.8:53 js.stripe.com udp
US 34.120.195.249:443 o4504114762612736.ingest.sentry.io tcp
AT 13.32.110.113:443 js.stripe.com tcp
US 34.120.195.249:443 o4504114762612736.ingest.sentry.io udp
US 34.120.195.249:443 o4504114762612736.ingest.sentry.io tcp
US 8.8.8.8:53 exec.bearly.ai udp
US 8.8.8.8:53 exec.bearly.ai udp
US 104.26.11.184:443 exec.bearly.ai tcp
US 8.8.8.8:53 249.195.120.34.in-addr.arpa udp
US 8.8.8.8:53 113.110.32.13.in-addr.arpa udp
US 8.8.8.8:53 api2.amplitude.com udp
US 8.8.8.8:53 api2.amplitude.com udp
US 54.68.45.63:443 api2.amplitude.com tcp
AT 13.32.110.113:443 js.stripe.com tcp
US 8.8.8.8:53 m.stripe.network udp
US 8.8.8.8:53 m.stripe.network udp
US 151.101.0.176:443 m.stripe.network tcp
US 8.8.8.8:53 184.11.26.104.in-addr.arpa udp
US 8.8.8.8:53 63.45.68.54.in-addr.arpa udp
US 8.8.8.8:53 176.0.101.151.in-addr.arpa udp
US 8.8.8.8:53 m.stripe.com udp
US 8.8.8.8:53 m.stripe.com udp
US 54.213.45.60:443 m.stripe.com tcp
US 8.8.8.8:53 r.stripe.com udp
US 8.8.8.8:53 r.stripe.com udp
US 54.187.159.182:443 r.stripe.com tcp
US 8.8.8.8:53 60.45.213.54.in-addr.arpa udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:443 dns.google tcp
US 8.8.4.4:443 dns.google tcp
US 8.8.4.4:443 dns.google tcp
US 8.8.8.8:53 182.159.187.54.in-addr.arpa udp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 24.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 208.143.182.52.in-addr.arpa udp

Files

\??\pipe\crashpad_692_YMEFZCFDGPTIUNBX

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.exc

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Roaming\Bearly\Session Storage\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Roaming\Bearly\Service Worker\Database\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Roaming\Bearly\config.json.tmp-5384186143ae4667

MD5 b571feedd7a6cfefa26b73514d57a7c7
SHA1 33d4945a08a2040a4707b44d21483cd00858cb7d
SHA256 bf7d1e5bafc682ba7bf07389750e4165fa3076e69625630998b4a528f5e6d635
SHA512 8d2f594f4f568005005f2ba23bdd67ccdfd4bf56ada577993aaed596c839263f223dc2180897b906d8a8e94fd060eccda97a6cc2f464bd507182db45f4a017c7

C:\Users\Admin\AppData\Roaming\Bearly\config.json.tmp-5384186271b57736

MD5 0c2bb92bc63d59da117b6542b8ca9edb
SHA1 1841f159e4e2074fd921877937016a21ff4f0f90
SHA256 dc011a83b38ed30c2eb64000cd76d92dd2fa807170fbe2dbab77bc5221471ab3
SHA512 8b4f251a74afe73a4c8fa003b5e0d65b33ac642567c73500783f1339e892fe76f3e524d5b56faf0bdff6a799c9581136fe33ac6fc1f135400440ce05abd57e9f

C:\Users\Admin\AppData\Roaming\Bearly\config.json

MD5 1ffb53e0bcfa1dfde7672728e3114815
SHA1 ec46721ab0c27d9e707f63c2ee748c954d775de2
SHA256 8e3ed5120a02820b427cb66f4f10c93aa4ca6415f332686b39174a6e04a70c76
SHA512 5aaabd51ac0b126c05d881e07fdaf1d82e86f5c6b5aea347ea53ea507fad953409e213ca0ae05bbf0921b478b595fbdbfada1eafd5ec39fbb9454434f0f5d424

memory/8484-1143-0x00007FFD9AF50000-0x00007FFD9AF51000-memory.dmp

memory/8484-1142-0x00007FFD9A0B0000-0x00007FFD9A0B1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Bearly\Preferences~RFe57ad38.TMP

MD5 d11dedf80b85d8d9be3fec6bb292f64b
SHA1 aab8783454819cd66ddf7871e887abdba138aef3
SHA256 8029940de92ae596278912bbbd6387d65f4e849d3c136287a1233f525d189c67
SHA512 6b7ec1ca5189124e0d136f561ca7f12a4653633e2d9452d290e658dfe545acf6600cc9496794757a43f95c91705e9549ef681d4cc9e035738b03a18bdc2e25f0

C:\Users\Admin\AppData\Roaming\Bearly\Preferences

MD5 58127c59cb9e1da127904c341d15372b
SHA1 62445484661d8036ce9788baeaba31d204e9a5fc
SHA256 be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de
SHA512 8d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a

memory/8484-1179-0x000001E995C50000-0x000001E99638F000-memory.dmp

memory/8664-1180-0x0000020083370000-0x0000020083AAF000-memory.dmp

C:\Users\Admin\AppData\Roaming\Bearly\Service Worker\ScriptCache\index-dir\the-real-index~RFe57d92a.TMP

MD5 f37d6ea802d93973529465588c508a07
SHA1 9dbf321582446b065d5fa8d323fe2ca10ae004ae
SHA256 1b975f267e01c478c01f1d2f834c73e9db74625af53a7136df95ebcaca675df9
SHA512 ba8886f1748349c394e1c2955bd118aa0f85a66a145a78e10d825627598f2b2d66b8c45b8f30198fa61f37980b904d0a2af3cc18bc42ee8ffe8f190b2f11bbd2

C:\Users\Admin\AppData\Roaming\Bearly\Service Worker\ScriptCache\index-dir\the-real-index

MD5 e1ceb65fbc852fa3dfeb4f9864367dd1
SHA1 01abce0bd9f84758ae986c19258503023b79bf47
SHA256 d81d1cb04d50aa4cb7b27251c28ef901dc3bc4e6f4d87a14ff8333a54a618c29
SHA512 93558fd5d1099be3fe8d0ea9f511ce60ec2aa6eaa36904c8ff40a8c2c686c079255c9dcaedc9a2aad044ce822154eb5635ae0a321fed410bc1470f8f2b214941

C:\Users\Admin\AppData\Roaming\Bearly\Code Cache\js\index-dir\the-real-index

MD5 ce6897c93cd95c4f1111b09a38e1bf21
SHA1 8c841f0cf03159b3669eb14b4c718ca8bd134829
SHA256 d191f686ca767e379e3586dc685b574a8620f49c0704bc25bb3e808a5aae9ff0
SHA512 83c74930c8f950c991db356a35dfcfd1a13695ff839a9c8d79e114e014354e903dc888f81f3f4306792d1f44496071c035eeb3250df3ed7e74b7cfe091d8efb9

C:\Users\Admin\AppData\Roaming\Bearly\Code Cache\js\index-dir\the-real-index

MD5 fbd5b9b6af3a0b0d113e3879b0360e95
SHA1 c859ce1236b83b6c35b61fd3b37f4ccc265de11d
SHA256 145b298b79960da361e959483ec621082043aacb7a570dee9d195970634fa5bd
SHA512 df46fb9fc022aaa94ba5cc059f2a460655cf607b693e1c32609c57f09fd0f32bf3415f3c7e80de97580d586f4bc2a992366e079c9b58b771ab7672220b0463fb

C:\Users\Admin\AppData\Roaming\Bearly\Network\Network Persistent State~RFe589892.TMP

MD5 2800881c775077e1c4b6e06bf4676de4
SHA1 2873631068c8b3b9495638c865915be822442c8b
SHA256 226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974
SHA512 e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

C:\Users\Admin\AppData\Roaming\Bearly\Network\Network Persistent State

MD5 ae9cf944d6acb598b79e83bf414d5cde
SHA1 243078ac641df7fbd144d16dfb9e868d0a991ec1
SHA256 43a936e84ff4432cece64e9ce209519a5b6d1c40589180c6ecde2e5ea0dcbb4c
SHA512 a1ed0bffccba660db234455cc88a8ce0532f94cb5cd2ba52e00d77a261faa078a08a24a54ec9fd3b11dd35437af4907d3aff119432d5523d58f45ee787006845

memory/5696-1229-0x000001D38CD50000-0x000001D38CD51000-memory.dmp

memory/5696-1231-0x000001D38CD50000-0x000001D38CD51000-memory.dmp

memory/5696-1230-0x000001D38CD50000-0x000001D38CD51000-memory.dmp

memory/5696-1236-0x000001D38CD50000-0x000001D38CD51000-memory.dmp

memory/5696-1235-0x000001D38CD50000-0x000001D38CD51000-memory.dmp

memory/5696-1241-0x000001D38CD50000-0x000001D38CD51000-memory.dmp

memory/5696-1240-0x000001D38CD50000-0x000001D38CD51000-memory.dmp

memory/5696-1239-0x000001D38CD50000-0x000001D38CD51000-memory.dmp

memory/5696-1238-0x000001D38CD50000-0x000001D38CD51000-memory.dmp

memory/5696-1237-0x000001D38CD50000-0x000001D38CD51000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-05-10 23:34

Reported

2024-05-10 23:38

Platform

win10v2004-20240426-en

Max time kernel

148s

Max time network

161s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html

Signatures

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5080 wrote to memory of 2260 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5080 wrote to memory of 2260 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5080 wrote to memory of 3296 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5080 wrote to memory of 3296 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5080 wrote to memory of 3296 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5080 wrote to memory of 3296 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5080 wrote to memory of 3296 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5080 wrote to memory of 3296 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5080 wrote to memory of 3296 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5080 wrote to memory of 3296 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5080 wrote to memory of 3296 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5080 wrote to memory of 3296 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5080 wrote to memory of 3296 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5080 wrote to memory of 3296 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5080 wrote to memory of 3296 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5080 wrote to memory of 3296 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5080 wrote to memory of 3296 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5080 wrote to memory of 3296 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5080 wrote to memory of 3296 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5080 wrote to memory of 3296 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5080 wrote to memory of 3296 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5080 wrote to memory of 3296 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5080 wrote to memory of 3296 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5080 wrote to memory of 3296 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5080 wrote to memory of 3296 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5080 wrote to memory of 3296 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5080 wrote to memory of 3296 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5080 wrote to memory of 3296 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5080 wrote to memory of 3296 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5080 wrote to memory of 3296 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5080 wrote to memory of 3296 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5080 wrote to memory of 3296 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5080 wrote to memory of 3296 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5080 wrote to memory of 3296 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5080 wrote to memory of 3296 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5080 wrote to memory of 3296 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5080 wrote to memory of 3296 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5080 wrote to memory of 3296 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5080 wrote to memory of 3296 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5080 wrote to memory of 3296 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5080 wrote to memory of 3296 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5080 wrote to memory of 3296 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5080 wrote to memory of 4848 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5080 wrote to memory of 4848 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5080 wrote to memory of 3512 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5080 wrote to memory of 3512 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5080 wrote to memory of 3512 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5080 wrote to memory of 3512 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5080 wrote to memory of 3512 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5080 wrote to memory of 3512 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5080 wrote to memory of 3512 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5080 wrote to memory of 3512 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5080 wrote to memory of 3512 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5080 wrote to memory of 3512 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5080 wrote to memory of 3512 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5080 wrote to memory of 3512 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5080 wrote to memory of 3512 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5080 wrote to memory of 3512 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5080 wrote to memory of 3512 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5080 wrote to memory of 3512 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5080 wrote to memory of 3512 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5080 wrote to memory of 3512 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5080 wrote to memory of 3512 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5080 wrote to memory of 3512 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaa5fa46f8,0x7ffaa5fa4708,0x7ffaa5fa4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,4144259079336062141,16915924828027975499,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2056 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2028,4144259079336062141,16915924828027975499,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2028,4144259079336062141,16915924828027975499,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,4144259079336062141,16915924828027975499,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,4144259079336062141,16915924828027975499,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,4144259079336062141,16915924828027975499,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,4144259079336062141,16915924828027975499,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,4144259079336062141,16915924828027975499,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5760 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,4144259079336062141,16915924828027975499,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5760 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,4144259079336062141,16915924828027975499,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,4144259079336062141,16915924828027975499,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,4144259079336062141,16915924828027975499,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2012 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 f53207a5ca2ef5c7e976cbb3cb26d870
SHA1 49a8cc44f53da77bb3dfb36fc7676ed54675db43
SHA256 19ab4e3c9da6d9cedda7461efdba9a2085e743513ab89f1dd0fd5a8f9486ad23
SHA512 be734c7e8afda19f445912aef0d78f9941add29baebd4a812bff27f10a1d78b52aeb11c551468c8644443c86e1a2a6b2e4aead3d7f81d39925e3c20406ac1499

\??\pipe\LOCAL\crashpad_5080_YUCHKRMAJXDVSLPL

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 ae54e9db2e89f2c54da8cc0bfcbd26bd
SHA1 a88af6c673609ecbc51a1a60dfbc8577830d2b5d
SHA256 5009d3c953de63cfd14a7d911156c514e179ff07d2b94382d9caac6040cb72af
SHA512 e3b70e5eb7321b9deca6f6a17424a15b9fd5c4008bd3789bd01099fd13cb2f4a2f37fe4b920fb51c50517745b576c1f94df83efd1a7e75949551163985599998

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 7add51771e26edbd949b10260b7fd185
SHA1 fb77db6ed126a18df76fa1e9d2d59a40053120ab
SHA256 26ce6516901190dfab81609b045e46cad5670c0b420cd51d599833fb3e1f6108
SHA512 82882750244e565dbd5521add5d84470d388944df833b74442339897a92bf7fd5eaf38602ca8109bb1e7778fb26002b301934273bd45f72de71e867769ccd65c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 cf282f2a3ee3525a50d1313218a16d9c
SHA1 b4f8de6b2148b6e530dd736f8fcbebe18f9ee165
SHA256 42da710967d0b8a5243b8a33ec9bf3f6ec0d2c7e2cf295831965bfc6790369c2
SHA512 b9ca6b0a1c50e5e113eb9c956a455072ad848f4e1b7e624d75487dce62234e4d9ca304c9e1996b38c3e517401729828834e347b1789459b8e5240e6d83429c18

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 baae728a08471c18aab47aaee50f6eea
SHA1 ba31db4f65a9f59a3853c7035b0f65b67dbf4471
SHA256 d83fb70b1584d964fd41c483a53f948cdd5aaf06ea1652802f3a1b296c78d33d
SHA512 5ba2e85de0045f2ed878fe4c48c1e563451c507a3fa7d20d2ca25b299d94e736187fd0359e142aad9d194b7a6c8b133215e618dbc72db7642cec49483bd7bff8

Analysis: behavioral25

Detonation Overview

Submitted

2024-05-10 23:34

Reported

2024-05-10 23:39

Platform

win10v2004-20240508-en

Max time kernel

119s

Max time network

159s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\locales\uk.ps1

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\locales\uk.ps1

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x47c 0x4f0

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 24.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.73.42.20.in-addr.arpa udp

Files

memory/3960-0-0x00007FFBF7583000-0x00007FFBF7585000-memory.dmp

memory/3960-1-0x0000023A3B4B0000-0x0000023A3B4D2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bb0mp5uq.de1.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3960-11-0x00007FFBF7580000-0x00007FFBF8041000-memory.dmp

memory/3960-12-0x00007FFBF7580000-0x00007FFBF8041000-memory.dmp

memory/3960-13-0x00007FFBF7580000-0x00007FFBF8041000-memory.dmp

memory/3960-16-0x00007FFBF7580000-0x00007FFBF8041000-memory.dmp

Analysis: behavioral29

Detonation Overview

Submitted

2024-05-10 23:34

Reported

2024-05-10 23:38

Platform

win10v2004-20240426-en

Max time kernel

146s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe

"C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 24.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 52.111.227.11:443 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-05-10 23:34

Reported

2024-05-10 23:39

Platform

win7-20231129-en

Max time kernel

119s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vulkan-1.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1988 wrote to memory of 1932 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 1988 wrote to memory of 1932 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 1988 wrote to memory of 1932 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vulkan-1.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1988 -s 88

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-10 23:34

Reported

2024-05-10 23:38

Platform

win7-20240419-en

Max time kernel

117s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 220

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-10 23:34

Reported

2024-05-10 23:38

Platform

win10v2004-20240508-en

Max time kernel

92s

Max time network

98s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4224 wrote to memory of 536 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4224 wrote to memory of 536 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4224 wrote to memory of 536 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 536 -ip 536

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 24.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-05-10 23:34

Reported

2024-05-10 23:38

Platform

win7-20240508-en

Max time kernel

119s

Max time network

129s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1

Network

N/A

Files

N/A