Analysis Overview
SHA256
f3beb34cc046e27623b8ed753d3fc50584aaf6f388aa6bb75780d1043326e4f7
Threat Level: Known bad
The file f3beb34cc046e27623b8ed753d3fc50584aaf6f388aa6bb75780d1043326e4f7 was found to be: Known bad.
Malicious Activity Summary
Privateloader family
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Checks installed software on the system
Unsigned PE
Command and Scripting Interpreter: PowerShell
Program crash
Enumerates physical storage devices
Modifies registry key
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Suspicious use of FindShellTrayWindow
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Modifies Internet Explorer settings
Enumerates system info in registry
Suspicious use of SendNotifyMessage
Checks processor information in registry
Suspicious use of WriteProcessMemory
Enumerates processes with tasklist
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-10 23:35
Signatures
Privateloader family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral13
Detonation Overview
Submitted
2024-05-10 23:34
Reported
2024-05-10 23:39
Platform
win7-20240221-en
Max time kernel
134s
Max time network
137s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "421546053" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e861098c19b4244d8627ee4664a9606900000000020000000000106600000001000020000000d06b2008479c47cea5649b30e078590a077e3640ccb47f0575956870d0d9a13c000000000e800000000200002000000009f747b7c57cecc363cca59c384e13555dd45f7268702ce2273580411e1f8e6820000000675234d6fa74429570f2e57d97fb34e5d9c1ca8ee75da3c542104fd512d2d75240000000ff5de1cc278aa520d431e38b505232f362ec4bcf12d453eece666e9e2e8b407422a3687dec0a212848aeea0355de379c714c9255e721032ad4c2f850d794a21e | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1E205CD1-0F26-11EF-8A7C-66DD11CD6629} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 708c17f332a3da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e861098c19b4244d8627ee4664a96069000000000200000000001066000000010000200000002be3d44cde65e40d0a65534e690cfb91c741374b6ba0dfdbd45103d2a5c83ecd000000000e8000000002000020000000a1c198492518e975d400282fe29cef6d1deefc1ae6afb2bdd3ff91721bbe65e090000000490acb9c25e00c00fa9123bd2f76b0508a903b7e1126da70f55f1c0dc12b68ee06443819c305c94455bc520e7fae1def7cd35a4cad3306a9d25fe7f2c048224bc668d8b3d009f8fdeeb007e9c112e45427acb8ae95293a376c592a372945dea6be9f547c25991f58207f1314b51a754c335752bbb4eb0dd7e2fdbad0c8f3d93aacdf1a160c455c26841246d6ede06bc34000000006451eea4f2194a5599413c768abfa4f00f3f7849a44e462eefe5e50bcd10ae1c9270b5fdbe72b8efc813d1f4af2cc36086013c9bcc2c48223e711174232a0df | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1900 wrote to memory of 2984 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1900 wrote to memory of 2984 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1900 wrote to memory of 2984 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1900 wrote to memory of 2984 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1900 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab3842.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | af979a51bb2cdf484b3c911e7b7915b8 |
| SHA1 | 3eca56e9bba31bdb05659d7b17c72292a0e9b685 |
| SHA256 | c15aa6b6c8e8891e366c22ed8b5fc7c4bf18a4e2bd0cd0fd426f7bbadf21598f |
| SHA512 | d14a8d4663f49f478543db7a4b02509f3083960379cb166ada4d32b24345c03a5ae4dee06d982aafe39c6bab6822a62285957d704c790c7751aa67a2afc211d6 |
C:\Users\Admin\AppData\Local\Temp\Tar3915.tmp
| MD5 | 435a9ac180383f9fa094131b173a2f7b |
| SHA1 | 76944ea657a9db94f9a4bef38f88c46ed4166983 |
| SHA256 | 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34 |
| SHA512 | 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b8d1a302d67270718e6df030e852669b |
| SHA1 | 22dc4509eb733c3557225705ac4400e9c1ad0436 |
| SHA256 | 62bc556880b188688c4e1c0f0049c14d8a9b8c66dbd6a806e69ef736f625326b |
| SHA512 | 3c66d4d317ca575e65942b45ddef7a712649357909c34427ea6df8b41b8984362b634945b65b23e04c95b6cb144d6262940d1859a257b14b1eb55e1f6792e584 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 384639e9407458f8ee8d078b5aeff476 |
| SHA1 | 3c537c5030d6d2564726d026d231462d1882c3cf |
| SHA256 | 666ec5aae61dcbbc42c3873cf144d81bd1e732465929adfc0aba1f80c4dbbb3e |
| SHA512 | a3cc48b39f6a5f8073f083bb4aee2028eccb49bcd6aeb37e5b9ff8d97eb01f84d3c857e5da16e781f6a21c61182cecdf8e394db22b3550c684e101327c0af3b1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 74cdbc5524765521027631f8bf5865ff |
| SHA1 | 5c076b9ec6dc0f51c96ebcf16a774b09e787155b |
| SHA256 | a04b0ba9f0a785e19ef99529c0166e4aee63e03b480840abb5b1121ecd908122 |
| SHA512 | 7766e98ec49a6393e8b6f2022875f2e007b86a22276033dfec110843f113c53942c9c6e557bb8544c643004fd1ec99e853d0fbd9146c086f1ec10982fe317656 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c450486370331017c55a4ac35850c353 |
| SHA1 | f031df7b9cd818a79da7f27f0021324913513e23 |
| SHA256 | fe15e4c6a851e96a751c716b179d31d82f841c5dd76d1a861fa49142dfc089e0 |
| SHA512 | 207153961c5ab05e1e10b6f8e9bb598cda245368a996e6e9b72c13a2375cc99e8037f49f604175c374c657323e2ccc6e77d9d55eeaa483a68190061338e28eb7 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b246cccffae61fc3d318204cace1aab4 |
| SHA1 | d8eb8a895742819ffaf37e4f34351f252ce99b48 |
| SHA256 | ce4e33dff2af33098a2a1a13fda58df1518b38890f0640c1ee3bab93b7963b2f |
| SHA512 | c12e37dc8fa3454ec7d2809de09bb5e602473c48780283e995893164c26594e448ea01ed3c7f2865a1d91d5c9597d4253e4d09929519b97713ecfa56a1c13656 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a1825b933b94f6ef20ab8a05f82ef46f |
| SHA1 | 5e9d5f292b5ca049593edb59db868b63af8a8f04 |
| SHA256 | 87953e039c12bfc3c42676e4bd746ef15120e9b2ab8626bf38e7f66c6cc41025 |
| SHA512 | e9f7478e4a23ef30477cfb56d1a96cd401a655664357a1dfde67501368fe85ede3e74c86a4384df9346c1a9b0ed9e45f4b18a16f77de2579c787a940d400fb88 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | eaf22ac198e16c81579ea91ffb101307 |
| SHA1 | 314665c327bc14a242d403b06a7ea951d4cf0ad6 |
| SHA256 | 1984ceee3f28aa736e88305e5daa631cde8e88ff42cfbf0c4a4b2769760665af |
| SHA512 | 9e9112566e63550aa88bd44ad301f0749b027a50220dbdb75deed3db3a6097ce5fbb8bd6130549c7f7c374a28472c8d65697937b3fd97a12c654024c02a77457 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a574f010470051e61af0ad57e7a7e62e |
| SHA1 | 7db8174c297faf4ff35dae9ca02264536a1c641d |
| SHA256 | 76587fea30e87f7889b9450ec177518c1573ccda42e42ad56635656a35bd5eaf |
| SHA512 | dc8bb9917b7d14287aaaedbabf14bf8cc53296ca14e446769419cc78f80a7f3957fc63ee1d5545b33416b34248d3889aca053e28c5eaca04699f05d243840287 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3680698d352226e2a66a2dc53c25c8e3 |
| SHA1 | 744b2cda8ed1ab88c91778d16b835bac81401188 |
| SHA256 | 04d0e9daa44e416a374875189f13a16413a65b00dd9836ed5aef3bfe37d07621 |
| SHA512 | 7bbd1cd91ab84e0b4d43cac2eb21c7375ab22b1fe48a03f9dd1e6a9e3342809112cecfbddad1b6dac43e407a495f5403d45ba147d1d4c41e9384561832ca0913 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4bb5e8132140f6f6102ced26588dfdd0 |
| SHA1 | a42083ee492a3deb67697c9e2ecee8462396344f |
| SHA256 | 17475b8d39550bb3bdd378ee795d8741be5e6388082e53f09278c7f872ab1167 |
| SHA512 | 25f94faa3919bf7922255d0f4098898f68cbb93374970a166c9afd7e37ae297fec52ddd7b277d2cada6485ee19fc2238c4420c4801b32b471bb6895e7b437ab5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 51c328594f0a0468cf90e74bd85ad88f |
| SHA1 | daaf1a79ba290a1c517b70c9c01c728182b621db |
| SHA256 | b342ede5f452e3ff590c379377ac223bb985fc1cc8dcb777cd4f2cd38aedaedf |
| SHA512 | e6dd2f893e85eb26f596d4b1415f2fb6c48524d57a2640f05289fd5c5dd16576b8b7da252c62a1e2b60268f8c5a85fbd83614e22cf12943fe05efa910b95b1c1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ca02f48920101d180f147b3dd35445f6 |
| SHA1 | 0ffe00d3d922f151e97ec0ce118617e951e3783c |
| SHA256 | cbc8878fccfe248bc9aff17266fe182786aa8c0e0a36f10a95ad954d065390e7 |
| SHA512 | 90e3fb81756e79341928b80a74d9cdbe90148b7b0cd84577a32d0159657c376712bd60a53641b1e6cd136307c0b11eb27c94ab1c0631cad3508fae5e786865df |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 72023de95a5c6704ac81673d7480a368 |
| SHA1 | d61fc29e579925db2b6c229dd44f05fc13a82ecb |
| SHA256 | f1b52bc7cc700e87b26dca068905a32b000a1c5d70b1d481e348daf9c68d8632 |
| SHA512 | 97d88b18a78217cd9d00c790bb913f1f6e70870e32674422727b19f7a785272ef50d64a268d8281a763511af7fb54c17714341149cafe38e63b7179f7d3d3aec |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 764ce7d9fcba9adc6cd3ebf593074235 |
| SHA1 | 26a444e39a35472f404ad6421870e7914b56df7f |
| SHA256 | 5406631bcc45ee034b7db2db94f9d228f158228411e2f9d44a7d498f3b3f98c8 |
| SHA512 | 695853ed569c800b6970ca59602def2127adc5c77dd0d9da0b88fc2424d9600fd2d1358ec9910d6fda2c00db5418311f167b6c4ab38348a876feecbb70d2ec1d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f0f38ee1d8b32bc677ac62e459fb11d1 |
| SHA1 | 437053724686fee18d2281be96018b11fde9a900 |
| SHA256 | 047de33ed96c0f93cd6dfcb1b1f1e1bee4cb3ae9a811f19be2d5c1eca597f2c8 |
| SHA512 | eb6b7cd7355e562909862cbeb2e762d40b61a6f6cff567de2fa99866d8e610a4ed5ee8a832e074c63226dc0b6eb696b47174751653191cae8bc1472ba9f4007f |
Analysis: behavioral17
Detonation Overview
Submitted
2024-05-10 23:34
Reported
2024-05-10 23:39
Platform
win10v2004-20240508-en
Max time kernel
90s
Max time network
157s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-05-10 23:34
Reported
2024-05-10 23:38
Platform
win10v2004-20240508-en
Max time kernel
88s
Max time network
158s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.121.18.2.in-addr.arpa | udp |
Files
Analysis: behavioral23
Detonation Overview
Submitted
2024-05-10 23:34
Reported
2024-05-10 23:38
Platform
win10v2004-20240508-en
Max time kernel
90s
Max time network
158s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\locales\af.ps1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
memory/4084-0-0x00007FF8B1F83000-0x00007FF8B1F85000-memory.dmp
memory/4084-6-0x000001D7A89F0000-0x000001D7A8A12000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fjn0irqe.cgz.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4084-11-0x00007FF8B1F80000-0x00007FF8B2A41000-memory.dmp
memory/4084-12-0x00007FF8B1F80000-0x00007FF8B2A41000-memory.dmp
memory/4084-13-0x00007FF8B1F80000-0x00007FF8B2A41000-memory.dmp
memory/4084-16-0x00007FF8B1F80000-0x00007FF8B2A41000-memory.dmp
Analysis: behavioral26
Detonation Overview
Submitted
2024-05-10 23:34
Reported
2024-05-10 23:38
Platform
win7-20231129-en
Max time kernel
121s
Max time network
135s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000093935c775445a84fa873849a47fa3db9000000000200000000001066000000010000200000003f8f452e2821dfa383c51281a314a054ad8aaf7f8bb488fd5fbc1e3c9ae329e6000000000e8000000002000020000000b09c1143930b20c51030ce4620a96bedfa97d2c37b8e56afcf3f67927e6b612c90000000cbfb19e14ddbfa0c99c8281f2ec5d443bb7de0d4b9f7b95a5691cf16b700cfccc790604a578908440f67e9e7315ed8a6624f86b72e1b5c689211b21263e4c75b8586914c8635c6fa621635ad60083830c739d6705a72de5f31f5b5a998bc20152669042b56628eb1f5c1e3b23a609fe9658038c6582489624e71fac5ae3a88fed27568d8ada1b634151b12555bf2f4fe4000000090b8df22af32e22d5771c9c10c62e32105f69e9ba5e7916ae809ed46e17f4fab653d380dc34ec3e4e3511867fa05cf26b03456fe560c1192179f2e32435f60d7 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80d7b8ec32a3da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{182013C1-0F26-11EF-BF0E-72CCAFC2F3F6} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000093935c775445a84fa873849a47fa3db900000000020000000000106600000001000020000000da3f04d786938d04b3b0829214f6c8f4e4f6f065375f42b268af86b87f298d6f000000000e8000000002000020000000188c3d04f6141f952c36051822efc253f87ed2097c9a43391930911f761f989720000000b576b651b8aba03c32cdc78aba7fac6b15f728cd1db229ccce2baa83846f982d400000004f7e678be223e77d5f45b53c22e1c2355b9a60d1751fcc7fe5fbd88d1fb04b7a6e0b0430cd09a46b2abe0952a2b6cc04e4888fabb2cdd43d03361cc2e75a112a | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "421546043" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2104 wrote to memory of 1712 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2104 wrote to memory of 1712 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2104 wrote to memory of 1712 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2104 wrote to memory of 1712 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\resources\dist\pages\cantLoad.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2104 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| NL | 23.62.61.155:80 | www.bing.com | tcp |
| NL | 23.62.61.155:80 | www.bing.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\Local\Temp\Tar4BD5.tmp
| MD5 | 435a9ac180383f9fa094131b173a2f7b |
| SHA1 | 76944ea657a9db94f9a4bef38f88c46ed4166983 |
| SHA256 | 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34 |
| SHA512 | 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 450f5617b586bb1fb4f545b4f4431149 |
| SHA1 | a0c092fdccbdcdba7d1257d90deed6e3b352ffa9 |
| SHA256 | 2a2f2f199659b390519a8ab224441b7004c67f4fe63f1fd77c0fd46531236a00 |
| SHA512 | db0946d767e56a4fafc5dd990ec4f1f7aea1350ccca4c6c809a13ed162a59641ac3a865a590bb63ec9fc6e45cf7d8f782e41b94db5063db528c2605fa8b44ca6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | a266bb7dcc38a562631361bbf61dd11b |
| SHA1 | 3b1efd3a66ea28b16697394703a72ca340a05bd5 |
| SHA256 | df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e |
| SHA512 | 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | 76144f286cf180cd731c6db637f691fe |
| SHA1 | c7c929e8ff99442860ce8339ce827c9af817c7c5 |
| SHA256 | 3335ea9ad8a9317a851481fc126e7e535daf1b56d110e25f2382a8d1ec41acc8 |
| SHA512 | 26136247b51ef7b4c8504885ec47ec1237b26223cd5442d8664a2de7e4319b825a521a4b116b9171336b714b63cae9b88af3062459a778f97521f39068f11401 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 300ef5baf82eb73817d038c904e70d01 |
| SHA1 | 25b6625f76177b3338678891fa9d67c2d0e54cd9 |
| SHA256 | 1826207ea102655ca12245d044d2aab663227b57473f65b898278dadd9cc314e |
| SHA512 | ff72ebfdf3578a96c90babcb8e246b3d5a161002135ab44d43c055465539c28faaca2b052ffdb0215972f4621e2dc59440de89166c360f6b443ecd0e9e26a17a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3a9f7eb0b46423f5b62bf09996780d0e |
| SHA1 | cfa5bbe6e842777664534f261e4a5271bd82ce99 |
| SHA256 | 26b13a8fc6145475091b582441cb1d10e5896ce0af860bb716c07de3b8806c0e |
| SHA512 | 935ba08a6c0409c9c7a69240eafd896c6d0a4bb99af106c47de5439535e15d6243a3a1059d2ad2d6146c0cad0298346b0e98805f338e99950b4550adef5224a2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8a5069d690b0914bac00581d0acebd48 |
| SHA1 | 5159c5cd5de62d7447b450c3762b6a69463f15d3 |
| SHA256 | 36831c17e10901d949997cd9a41135b5c006680f9c3bdc5d798f735e86e316fb |
| SHA512 | 0cb7e5849be9e366ccf56cb5d4c964cbfe7b2bac88a4358685434a150385687f92e359767496c16e6d790012ad2d301d01ec1709ad7ba9e9baef4de6d7105eaf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b73ec6d7ef2ac832e2ca054dc529b32d |
| SHA1 | db4469eff70c547879253654e6ce053ed95c3e06 |
| SHA256 | 9af7cbdd68e90dc560fe2678514b120677353dbf132e2579826afcab4ab815fd |
| SHA512 | f3192bde9574be926d342106f60f999e35d79a997fe6f5560d9912f9d88bcfba4bb93b69e9609819ff914f2c98a1c2e0cd87641c0a4358210fade90dea9265d5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c5f5fc924bc1df5b3ab6095171087822 |
| SHA1 | b11d54053bec1020bd31518a540eec26c0c4fbe5 |
| SHA256 | d6a370dfb877873dd6995dc1a3ca4ec1d1887ff1c8cc9b5ddbbf5e0c8e45c938 |
| SHA512 | c07e28c28e1f3876e9f43f833276b6cbf4a942b8bc09856e287e5dc7541efe456247c534bbb707c635522d3ec0c9d9a6dd623e4b2f6810a466d53e526b8ec337 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
| MD5 | e4a68ac854ac5242460afd72481b2a44 |
| SHA1 | df3c24f9bfd666761b268073fe06d1cc8d4f82a4 |
| SHA256 | cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f |
| SHA512 | 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
| MD5 | 9a44fda37b9d5d9549f46a50be7b788d |
| SHA1 | 6bde84e4bc29a0e34dd97bd5d6f49c93539839ee |
| SHA256 | aa7a75e6c979a1248bbe1fc6f6509977e6d3d21cfe0b54327f11de340ab1457a |
| SHA512 | 3570377fb755c9dc59f7189bdd2ac5e98fb34d940bba9a7919e47325d5cd90b355539fc45dab109e02cb5023687fbbc6a11daaa178f6fea40dc7190aa1fa3f27 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a8db2183987819ca83969ef1e9d5983e |
| SHA1 | 7a8b89165e818c98f1520c1b0e3a8d9cc97546c5 |
| SHA256 | 9eca002dcf028c4dc793217bdc7678a7d4b1c8139b8fee91aaa7255de11e01e3 |
| SHA512 | 9bf6f1b3014f3f1e1a19bca953510353d0e797de4412768acbc1be4b58f7563e651b45b4d381ddb4a51d4f1c399306472018ee45046acd2fd659c4e36bb7d9fb |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 56f88bb4a06954f1c09ab52c03ee0086 |
| SHA1 | 1527b6f95c23e52fb568474d166ab0381c13879b |
| SHA256 | f1e3b97ec875898b46d32232cc847a87eb719c1e62e83af32a5f13ab0981f91c |
| SHA512 | 59957502261e5f2753883aea4a28ed79a0c20df2d4b03756f71c81ac3eddb730df6f01bf37049af0c061aa70bab18b8f0ec0e7241e2d1ea4445f996c979607a5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | cdc977b7dd1a04e0931367ffaef51943 |
| SHA1 | 004b7a87db52375248aef68e6f4b04626062414f |
| SHA256 | bb43b38f02803f7d6d874092cfea7f817a8586a1d7e9fcfab1680bcbefcfa636 |
| SHA512 | 5c975c3fc49051a7ccde62a94dd1e8ef5712c895548579f49318560a8aa609736f5a7ec4412cc658e29b39d179851a36f350a385ade384b98c0d70e478c6267a |
C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
| MD5 | da597791be3b6e732f0bc8b20e38ee62 |
| SHA1 | 1125c45d285c360542027d7554a5c442288974de |
| SHA256 | 5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07 |
| SHA512 | d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a0440069e4a8b5ea256e2f08085c1c4d |
| SHA1 | 4eeda5f4ffc5b7e05a5464473111fbc3c324cfc7 |
| SHA256 | 4dce108c8ac611b6870fc57c62cdc6ba1ff6db64b4475def28111ef8bceddddb |
| SHA512 | 21d1d8776d1ce9f30e9eea37c176e0cb466a5dc54b6019ccb057f2f6353c8a665497b8a7ae9f48b37293e0420ef53bece40ee0e0cab27bca1d9c2c8d4c030fb9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 02cd5ea9724ce2d3687723da9a6ba223 |
| SHA1 | 644c922e5687e09386d482f851c97ba952808b41 |
| SHA256 | 84018f6b79513c86fc4d6b032ca3aece859b4f93110cbe22c462aeca89d2d57b |
| SHA512 | cc0548b5e7ca71121a4555bbfb1589d53d622a8a9b6b131df249ae09768a46ca526f3dfa7aced4abaa6ee3e2866d0b9240fa490600f9de05294d903e7f97ba65 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 257ad37f5fba6754da431c09de5ed790 |
| SHA1 | 945a5de317794506d0e9a7b59f1eef8d9ab6cc02 |
| SHA256 | dbba9354f9a4b7a88d60a0963fdedc6840ceb262807839714198fdfb38db3f1d |
| SHA512 | 3db9c0978875c15250824cfc7026dff934a8c6ac27a9b4cca6f42c029c12c4bf444b7ac2b656ef9819595fcdd0151e737cf0f50c1e80bc30920c8ffc600dbad8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1a7a70bc857893033fdc7471d11326d7 |
| SHA1 | 9c406a4993b47976392fe06b28dc79c3da2e46b2 |
| SHA256 | d70040ba1e21eb56d93e72d26053ccfb1efe7a387f1bf9d12ef0c7a46582f441 |
| SHA512 | b5627225f19401c8c50bf9e375b29abf34c686adeaa87e000368d18bf87594c3d6fb4c90f5854925ee724281d7a426ff05e9768d0c476c8a7807d4fc86cc7bc8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1cf0303548c8b13bfdb6c1f4b66ee87c |
| SHA1 | e3c822d26faf634b9d393abc231845fea80e3745 |
| SHA256 | ddc8dad30e476b96736f8bc8dc6fb53830fa6b149cb9726b3674e382c6b7b02a |
| SHA512 | f15d2572a2bb9b39744d27086b57f529ff6547cac54ec7d1ae197571aae370721ab451fe1106b90dd38708d0317e1a6ef58dd6367e036bc5aa2c7f90e4665e5f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 265eab77349adeb4f46550d5d2f2320d |
| SHA1 | 7ee7b119fd5bc990a328f2c61b0d3c7cab1ca80b |
| SHA256 | 775b9fecfd5a8e00369ca54c7b3a1d1bee2209260176d22b06f6d576d891f803 |
| SHA512 | d4cbf14fbcc0a051ee08238b2988c53e717a476ac58a9805b528fc6f422659f833079bab9e36bbea390d3c9339bf2f56449f587f7f399ab626561b5ed9b1717a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0269c5da0daab297d525ff24c8d1fabf |
| SHA1 | c5836b7467387b3acdcfda8154517852ed93a9d9 |
| SHA256 | c042f1a3f15da0b6d555e40c53b85aa54dc9c9f459573ed3ed9c7dfc353b5c47 |
| SHA512 | 9832a502a41cfa7a1e8584e4afa2e41ad30f64f4e3a6a09d9d7a584b51dd6b6b3f37ba9e534868c49b914ec9ac35647081e1605b2081fe46f4ffe36d71115b1d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | fbe41355b58d29fddc736a63968bc527 |
| SHA1 | 8b772e27689fb3b4fa4dcaa3bae174aff5fa38cd |
| SHA256 | 45ee34f4f6abaea5359fa21ff14db53ae795fbca8736ed58dbcc5cd2f3953f29 |
| SHA512 | 48878d7d3f5057702d581c13cda00f46204e672e47ca7b328c959fd10a55e32a15cc49ef6d0b434a163e7b6dcef8c72d4e74fe9a6960cd0a6f79e2ab5256cc87 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8c2b64cd46b84fe89f3a20873d88d0c0 |
| SHA1 | a1ef7dbb524cb2309e4f92e2e9b6fe9218f5a8fb |
| SHA256 | 5c26f4aa9f56a73216551015cdebee824a2a00d000692347ca3e08a57140d40d |
| SHA512 | e3506485c185e60fd68c260a0dbc52334edbdb83358c691e90f5a6144ed0ba7ef1290717526308ce4d23759e3cfedad4b50f83af700c45cb72098575e82c789e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0aaf862e54b29b7d121452efa2390466 |
| SHA1 | 5e57923d2cc57b09ce238189dd3eac83f5ac6e28 |
| SHA256 | 7f33479995f8865640804f78e095b424e2bb1b9b08a0a714f0e145ca5d7af0a3 |
| SHA512 | 0b652ba790664dc9d75b01d37105d8af937f9099c62f26ad73686c9e493458e97f32e9ad50e698e447d1118f977efa7ef41880bc15c9c173b29596c4ceaab10e |
Analysis: behavioral30
Detonation Overview
Submitted
2024-05-10 23:34
Reported
2024-05-10 23:38
Platform
win7-20240221-en
Max time kernel
117s
Max time network
125s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2512 wrote to memory of 2508 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 2512 wrote to memory of 2508 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 2512 wrote to memory of 2508 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\vk_swiftshader.dll,#1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2512 -s 80
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-10 23:34
Reported
2024-05-10 23:38
Platform
win10v2004-20240508-en
Max time kernel
151s
Max time network
160s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe | N/A |
Checks installed software on the system
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe | N/A |
Loads dropped DLL
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 | C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\bearly\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\Bearly\\Bearly.exe\" \"%1\"" | C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\bearly | C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\bearly\URL Protocol | C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\bearly\ = "URL:bearly" | C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\bearly\shell\open\command | C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\bearly\shell | C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\bearly\shell\open | C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f3beb34cc046e27623b8ed753d3fc50584aaf6f388aa6bb75780d1043326e4f7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f3beb34cc046e27623b8ed753d3fc50584aaf6f388aa6bb75780d1043326e4f7.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f3beb34cc046e27623b8ed753d3fc50584aaf6f388aa6bb75780d1043326e4f7.exe
"C:\Users\Admin\AppData\Local\Temp\f3beb34cc046e27623b8ed753d3fc50584aaf6f388aa6bb75780d1043326e4f7.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq Bearly.exe" | %SYSTEMROOT%\System32\find.exe "Bearly.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "USERNAME eq Admin" /FI "IMAGENAME eq Bearly.exe"
C:\Windows\SysWOW64\find.exe
C:\Windows\System32\find.exe "Bearly.exe"
C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe
"C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe"
C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe
C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\Bearly /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\Bearly\Crashpad --url=https://f.a.k/e --annotation=_productName=Bearly --annotation=_version=3.0.0 --annotation=plat=Win64 --annotation=prod=Electron --annotation=ver=24.4.0 --initial-client-data=0x47c,0x484,0x488,0x458,0x48c,0x7ff779e1dc70,0x7ff779e1dc80,0x7ff779e1dc90
C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe
"C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Bearly" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1772 --field-trial-handle=1776,i,3683799078131096929,12864781374104757647,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe
"C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Bearly" --standard-schemes --secure-schemes --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --mojo-platform-channel-handle=1820 --field-trial-handle=1776,i,3683799078131096929,12864781374104757647,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe
"C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Bearly" --standard-schemes --secure-schemes --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --app-path="C:\Users\Admin\AppData\Local\Programs\Bearly\resources\app.asar" --no-sandbox --no-zygote --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2384 --field-trial-handle=1776,i,3683799078131096929,12864781374104757647,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Bearly
C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe
"C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Bearly" --standard-schemes --secure-schemes --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --app-path="C:\Users\Admin\AppData\Local\Programs\Bearly\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3636 --field-trial-handle=1776,i,3683799078131096929,12864781374104757647,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe
"C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Bearly" --standard-schemes --secure-schemes --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --app-path="C:\Users\Admin\AppData\Local\Programs\Bearly\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3664 --field-trial-handle=1776,i,3683799078131096929,12864781374104757647,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe
"C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\Bearly" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3392 --field-trial-handle=1776,i,3683799078131096929,12864781374104757647,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 138.91.171.81:80 | tcp | |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | bearly.ai | udp |
| US | 8.8.8.8:53 | bearly.ai | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 104.26.10.184:443 | bearly.ai | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| NL | 173.194.69.84:443 | accounts.google.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 184.10.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.69.194.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | o4504114762612736.ingest.sentry.io | udp |
| US | 8.8.8.8:53 | o4504114762612736.ingest.sentry.io | udp |
| US | 8.8.8.8:53 | js.stripe.com | udp |
| US | 8.8.8.8:53 | js.stripe.com | udp |
| US | 34.120.195.249:443 | o4504114762612736.ingest.sentry.io | tcp |
| US | 151.101.0.176:443 | js.stripe.com | tcp |
| US | 34.120.195.249:443 | o4504114762612736.ingest.sentry.io | udp |
| US | 34.120.195.249:443 | o4504114762612736.ingest.sentry.io | tcp |
| US | 8.8.8.8:53 | exec.bearly.ai | udp |
| US | 8.8.8.8:53 | exec.bearly.ai | udp |
| US | 104.26.11.184:443 | exec.bearly.ai | tcp |
| US | 8.8.8.8:53 | 249.195.120.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.0.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:443 | dns.google | tcp |
| US | 8.8.8.8:443 | dns.google | tcp |
| US | 8.8.8.8:443 | dns.google | tcp |
| US | 151.101.0.176:443 | js.stripe.com | tcp |
| US | 8.8.8.8:443 | dns.google | udp |
| US | 34.214.238.153:443 | tcp | |
| US | 8.8.8.8:53 | 184.11.26.104.in-addr.arpa | udp |
| US | 52.33.51.5:443 | tcp | |
| US | 8.8.8.8:53 | 153.238.214.34.in-addr.arpa | udp |
| US | 54.187.159.182:443 | tcp | |
| US | 54.187.159.182:443 | tcp | |
| US | 8.8.8.8:53 | 5.51.33.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 182.159.187.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.79.70.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\System.dll
| MD5 | 0d7ad4f45dc6f5aa87f606d0331c6901 |
| SHA1 | 48df0911f0484cbe2a8cdd5362140b63c41ee457 |
| SHA256 | 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca |
| SHA512 | c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9 |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\StdUtils.dll
| MD5 | c6a6e03f77c313b267498515488c5740 |
| SHA1 | 3d49fc2784b9450962ed6b82b46e9c3c957d7c15 |
| SHA256 | b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e |
| SHA512 | 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803 |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\SpiderBanner.dll
| MD5 | 17309e33b596ba3a5693b4d3e85cf8d7 |
| SHA1 | 7d361836cf53df42021c7f2b148aec9458818c01 |
| SHA256 | 996a259e53ca18b89ec36d038c40148957c978c0fd600a268497d4c92f882a93 |
| SHA512 | 1abac3ce4f2d5e4a635162e16cf9125e059ba1539f70086c2d71cd00d41a6e2a54d468e6f37792e55a822d7082fb388b8dfecc79b59226bbb047b7d28d44d298 |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\nsExec.dll
| MD5 | ec0504e6b8a11d5aad43b296beeb84b2 |
| SHA1 | 91b5ce085130c8c7194d66b2439ec9e1c206497c |
| SHA256 | 5d9ceb1ce5f35aea5f9e5a0c0edeeec04dfefe0c77890c80c70e98209b58b962 |
| SHA512 | 3f918f1b47e8a919cbe51eb17dc30acc8cfc18e743a1bae5b787d0db7d26038dc1210be98bf5ba3be8d6ed896dbbd7ac3d13e66454a98b2a38c7e69dad30bb57 |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\nsis7z.dll
| MD5 | 80e44ce4895304c6a3a831310fbf8cd0 |
| SHA1 | 36bd49ae21c460be5753a904b4501f1abca53508 |
| SHA256 | b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592 |
| SHA512 | c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\chrome_100_percent.pak
| MD5 | acd0fa0a90b43cd1c87a55a991b4fac3 |
| SHA1 | 17b84e8d24da12501105b87452f86bfa5f9b1b3c |
| SHA256 | ccbca246b9a93fa8d4f01a01345e7537511c590e4a8efd5777b1596d10923b4b |
| SHA512 | 3e4c4f31c6c7950d5b886f6a8768077331a8f880d70b905cf7f35f74be204c63200ff4a88fa236abccc72ec0fc102c14f50dd277a30f814f35adfe5a7ae3b774 |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\chrome_200_percent.pak
| MD5 | 4610337e3332b7e65b73a6ea738b47df |
| SHA1 | 8d824c9cf0a84ab902e8069a4de9bf6c1a9aaf3b |
| SHA256 | c91abf556e55c29d1ea9f560bb17cc3489cb67a5d0c7a22b58485f5f2fbcf25c |
| SHA512 | 039b50284d28dcd447e0a486a099fa99914d29b543093cccda77bbefdd61f7b7f05bb84b2708ae128c5f2d0c0ab19046d08796d1b5a1cff395a0689ab25ccb51 |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\libEGL.dll
| MD5 | 6426112edaa62ca308f7f32d26d4f6ad |
| SHA1 | 3edfd900da6a5fb1c67c41e18ea0ec9a2752ba2e |
| SHA256 | a23882d8555d8c3f1d27ba39b0225d68bc446e250d19d36aff4ef65d221458a3 |
| SHA512 | f967dea3f18ab81c8ca72b722962944b9a874cfda4c95237e96b1e989ff3657a087957c1ff2c374616ed2e49a75f2786174ff8972a3447589468dfafaf4db582 |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\libGLESv2.dll
| MD5 | b7214621f818dfe440ade5b2f3619519 |
| SHA1 | 4b95d412e49f2e4c3ce71e10b2d76df3ab63547c |
| SHA256 | 59133f095f941eb8d6b3613fd08b98e6d84e8290f3f72ded6d98c8683582f188 |
| SHA512 | d8195862a8d6ca8de5aa4096ce1feabda3f8375279904124e80451ef22d1ae13e4de35487afe36996d0b51edc16c48ddda03c5c2b14f4bd5e465ed48e9e3d29b |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\icudtl.dat
| MD5 | 2134e5dbc46fb1c46eac0fe1af710ec3 |
| SHA1 | dbecf2d193ae575aba4217194d4136bd9291d4db |
| SHA256 | ee3c8883effd90edfb0ff5b758c560cbca25d1598fcb55b80ef67e990dd19d41 |
| SHA512 | b9b50614d9baebf6378e5164d70be7fe7ef3051cfff38733fe3c7448c5de292754bbbb8da833e26115a185945be419be8dd1030fc230ed69f388479853bc0fcb |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\ffmpeg.dll
| MD5 | d8cd1aca8dd3a91d0bf32da2e746545e |
| SHA1 | 6a28b357d93fbb3502bc386019899c9f3633b069 |
| SHA256 | 5b831daa8515b3d1f346b481ec04f881a3fe728944e966624489d3a3872a40bf |
| SHA512 | af70b88194539cdebf353df0927671babbd51f3cdb304cf31dc5c29d65dea1e38136d7389ba48aa0829855d62eeb740f3df12ab981153c7f2eb70ed1e74fbcbb |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\d3dcompiler_47.dll
| MD5 | 2191e768cc2e19009dad20dc999135a3 |
| SHA1 | f49a46ba0e954e657aaed1c9019a53d194272b6a |
| SHA256 | 7353f25dc5cf84d09894e3e0461cef0e56799adbc617fce37620ca67240b547d |
| SHA512 | 5adcb00162f284c16ec78016d301fc11559dd0a781ffbeff822db22efbed168b11d7e5586ea82388e9503b0c7d3740cf2a08e243877f5319202491c8a641c970 |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\LICENSE.electron.txt
| MD5 | 4d42118d35941e0f664dddbd83f633c5 |
| SHA1 | 2b21ec5f20fe961d15f2b58efb1368e66d202e5c |
| SHA256 | 5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d |
| SHA512 | 3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63 |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\LICENSES.chromium.html
| MD5 | 312446edf757f7e92aad311f625cef2a |
| SHA1 | 91102d30d5abcfa7b6ec732e3682fb9c77279ba3 |
| SHA256 | c2656201ac86438d062673771e33e44d6d5e97670c3160e0de1cb0bd5fbbae9b |
| SHA512 | dce01f2448a49a0e6f08bbde6570f76a87dcc81179bb51d5e2642ad033ee81ae3996800363826a65485ab79085572bbace51409ae7102ed1a12df65018676333 |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\resources.pak
| MD5 | a8502a5d32543474520dd8cf1a871b60 |
| SHA1 | 4b2b4e61a8105dd9583c12e9adfd307c113907c8 |
| SHA256 | b6420c40d7d9b4971f6c99a3fd108e10c7e4e6bb95fa655a5a1b00ff2bab36dd |
| SHA512 | c73e578d9b8a990ad11c218c096fc8d8a5d283a3fee4388ef40b4140e14504498f3e376b4b86d0d789dd9cd1dc8957d749a86f59cdf199f85daa28490c129658 |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\v8_context_snapshot.bin
| MD5 | 5a072b0edc88a0b18e1c56a307a341cd |
| SHA1 | 20ee0b6521e12dfc4f378eb8d5724456e22e90fd |
| SHA256 | 878046ea578d24595d060583cf8f9618aba37d23c603499068e5762dd5509aa1 |
| SHA512 | c3a51850d939eea9b5d8926795cdc3e56962ec9eeabb3b80ed62a9c77ae5d6b696528d03a469c212b99d83ec303367f3353cc0fff459e7e577254f037f8fd995 |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\snapshot_blob.bin
| MD5 | 840169fda65be2a18c85e7dd44ec6051 |
| SHA1 | 5080736e613be6e11242d37adef740cac0bf8cd1 |
| SHA256 | 80e58621229b4cb6104ce7f65ebce979a6ebe3eac750447d037660cec34ad0b3 |
| SHA512 | 2e65ac47ff05830eb0942288daf66468fbd34a1fbc1010f0bcdaca873f4d110ae8f88e825dec7e86dcd7b11dee7a003c29350e3377abd9f886b028cdbb830644 |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\vk_swiftshader.dll
| MD5 | 3eb74d173ef00f7c510b11e61c5ab52f |
| SHA1 | 13cfe224f966145d7f90640b080bef5dd4d0ff42 |
| SHA256 | 0749491928a69673f17d39eb674f9a416e789e4fddec48ebb54714914343b48a |
| SHA512 | 423ab3765aa01cf39fa31d068ddb761ad93707cb06f57b4e674311c91c5cc9d238c231d1e6882f8d3525d16fea0d8f8db8d0a74bb55309f5a120cbe4a34e40bd |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\vulkan-1.dll
| MD5 | 8439213fbb22a848ce814982d502bdc4 |
| SHA1 | 6c5831de36a539c0689410b00f1b8aa1dc6f7c2d |
| SHA256 | e69f794109b12523de314a471c56278cd921be58facbd18ec351685d15894cc0 |
| SHA512 | e4e570e5b98420d99634167e0d9f920cba27fc4b8e91c70cc4e5b33a4b3299a69ce9b294aae538aeb150135378978a6c7b0644a645b797ab230e185593c828c0 |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\vk_swiftshader_icd.json
| MD5 | 8642dd3a87e2de6e991fae08458e302b |
| SHA1 | 9c06735c31cec00600fd763a92f8112d085bd12a |
| SHA256 | 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9 |
| SHA512 | f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\ar.pak
| MD5 | 56f6dc44cc50fc98314d0f88fcc2a962 |
| SHA1 | b1740b05c66622b900e19e9f71e0ff1f3488a98e |
| SHA256 | 7018884d3c60a9c9d727b21545c7dbbcc7b57fa93a16fa97deca0d35891e3465 |
| SHA512 | 594e38739af7351a6117b0659b15f4358bd363d42ffc19e9f5035b57e05e879170bbafe51aece62c13f2ae17c84efb2aed2fc19d2eb9dcb95ebd34211d61674e |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\am.pak
| MD5 | c6ef9c40b48a069b70ed3335b52a9a9c |
| SHA1 | d4a5fb05c4b493ecbb6fc80689b955c30c5cbbb4 |
| SHA256 | 73a1034be12abda7401eb601819657cd7addf011bfd9ce39f115a442bccba995 |
| SHA512 | 33c18b698040cd77162eb05658eca82a08994455865b70d1c08819dfac68f6db6b27d7e818260caa25310ff71cf128239a52c948fde098e75d1a319f478a9854 |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\af.pak
| MD5 | 7e51349edc7e6aed122bfa00970fab80 |
| SHA1 | eb6df68501ecce2090e1af5837b5f15ac3a775eb |
| SHA256 | f528e698b164283872f76df2233a47d7d41e1aba980ce39f6b078e577fd14c97 |
| SHA512 | 69da19053eb95eef7ab2a2d3f52ca765777bdf976e5862e8cebbaa1d1ce84a7743f50695a3e82a296b2f610475abb256844b6b9eb7a23a60b4a9fc4eae40346d |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\ca.pak
| MD5 | 01acd6f7a4ea85d8e63099ce1262fbad |
| SHA1 | f654870d442938385b99444c2cacd4d6b60d2a0d |
| SHA256 | b48d1bad676f2e718cbe548302127e0b3567913a2835522d6dd90279a6d2a56a |
| SHA512 | 2bd13eca1a85c219e24a9deb5b767faa5dc7e6b3005d4eb772e3794233ed49cb94c4492538d18acc98658c01d941e35c6f213c18ac5480da151c7545eedeb4ab |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\bn.pak
| MD5 | 8feb4092426a0c2c167c0674114b014d |
| SHA1 | 6fc9a1076723bfaf5301d8816543a05a82ad654d |
| SHA256 | fb0656a687555801edfb9442b9f3e7f2b009be1126f901cf4da82d67ac4ad954 |
| SHA512 | 3de40bdd18e9e7d3f2eceebf7c089e2250ce4d40412a18d718facba8f045e68b996978ef8b4d047b21d3424094056d16b5abb81bd0507f446b805d6b889522a7 |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\bg.pak
| MD5 | 945de8a62865092b8100e93ea3e9828d |
| SHA1 | 18d4c83510455ce12a6ac85f9f33af46b0557e2e |
| SHA256 | f0e39893a39ce6133c1b993f1792207830b8670a6eb3185b7e5826d50fea7ba2 |
| SHA512 | 5f61160ff64b9490a1ad5517d8c1bb81af77d349541fed5045e7f6e5053b7d79b7e8f114630bfbe4d5af30258f70a6569462bfa39ccb765f8ca191f82ee04f3f |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\cs.pak
| MD5 | a934431d469d19a274243f88bb5ac6fb |
| SHA1 | 146845edc7442bf8641bc8b6c1a7e2c021fb01eb |
| SHA256 | 51c36a5acdad5930d8d4f1285315e66b2578f27534d37cd40f0625ee99852c51 |
| SHA512 | 562f07151e5392cbffb6b643c097a08045e9550e56712975d453a2ebaee0745fbfba99d69867eec560d1d58b58dff4f6035811b9d4f0b1b87547efa98f94d55d |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\da.pak
| MD5 | bb5252dc6f0f3c01ce3638138bf946c8 |
| SHA1 | bfb584b67c8ca51d94bff40809410553d54da1cf |
| SHA256 | c93f39d0ab9a2fab26977aa729261633225879ba6dc5ea8d0ca89814b2df9fa9 |
| SHA512 | e411fd3cc5285a6059c3fd80c3421253a4ce06b2d0cd1cd1efc25e88191a58fed176452d852922137268be2824e1e162cd4d4a6f8c695a50517a783d15b1c6e7 |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\de.pak
| MD5 | ed329b35d10e81f55d611fe8748876f8 |
| SHA1 | 0d998732bb4c4d1faad5a5bc0a21d6c5672418d3 |
| SHA256 | 6facd562add58c4684ef4a40de9b63581fea71c5b83049ed8a2c2a2c929c45ce |
| SHA512 | bd713ff78e375fec3a04ab0c9476c0379f87efc6d18359c2a4d297303d78381081120c371848c8675f1f16dd4ab7284d81e5bfc9ae11ab33e12f96c12d89e764 |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\el.pak
| MD5 | 6922aaa87431699787c1489e89af17b9 |
| SHA1 | 6fb7771c9271ca2eeebe025a171bfa62db3527f7 |
| SHA256 | 800545f9134914649da91b90e7df65d8208014c3e12f2be551dfd6722bf84719 |
| SHA512 | 367ef8467631e17e0a71d682f5792a499e8578b6c22af93d9a919d9e78709ec2501df9599624f013b43f4c3e9fb825182193116dbead01874995d322b7a6e4d6 |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\en-GB.pak
| MD5 | 0db7f3a3ba228aa7f2457db1aa58d002 |
| SHA1 | bbf3469caadfa3d2469dd7e0809352ef21a7476d |
| SHA256 | cf5aca381c888de8aa6bbd1dcd609e389833cb5af3f4e8af5281ffd70cd65d98 |
| SHA512 | 9c46c8d12579bd8c0be230bbcdb31bdb537d2fea38000cf700547ca59e3139c18cc7cb3e74053475605132404c4c4591f651d2dad2ce7f413ccffd6acf7139e8 |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\en-US.pak
| MD5 | 5e3813e616a101e4a169b05f40879a62 |
| SHA1 | 615e4d94f69625dda81dfaec7f14e9ee320a2884 |
| SHA256 | 4d207c5c202c19c4daca3fddb2ae4f747f943a8faf86a947eef580e2f2aee687 |
| SHA512 | 764a271a9cfb674cce41ee7aed0ad75f640ce869efd3c865d1b2d046c9638f4e8d9863a386eba098f5dcedd20ea98bad8bca158b68eb4bdd606d683f31227594 |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\gu.pak
| MD5 | 7b5f52f72d3a93f76337d5cf3168ebd1 |
| SHA1 | 00d444b5a7f73f566e98abadf867e6bb27433091 |
| SHA256 | 798ea5d88a57d1d78fa518bf35c5098cbeb1453d2cb02ef98cd26cf85d927707 |
| SHA512 | 10c6f4faab8ccb930228c1d9302472d0752be19af068ec5917249675b40f22ab24c3e29ec3264062826113b966c401046cff70d91e7e05d8aadcc0b4e07fec9b |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\hr.pak
| MD5 | 105472bc766a30bb71f13d86081de68d |
| SHA1 | d014103ad930889239efd92ecfdfcc669312af6c |
| SHA256 | a3a853a049735c7d474191dff19550a15503ecd20bafe44938eb12ea60e50b7c |
| SHA512 | ee7479d459eff8ec59206c2269df4e9fc1ca143e9b94a908eb8a5a1e16180bcc88f0b24d73c387f5853ea0418e737641f23146676232c1a3ac794611f7880f11 |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\ml.pak
| MD5 | 3b1305ecca60fb5a7b3224a70398ead9 |
| SHA1 | 04e28fce93fc57360e9830e2f482028ffc58a0a2 |
| SHA256 | c10942f5333f0d710de4d3def7aa410c4576ffe476b3ea84aac736bfb9c40d67 |
| SHA512 | 68fdd944a153c16d18e73dd2aa75593f6ac13b8e87dbfb5bfccdd982a4f885bd9903c3ed1af781581cd3c5d42dd2ff21cc780f54fd71ab04a3237d08ed5a1554 |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\lv.pak
| MD5 | e4f7d9e385cb525e762ece1aa243e818 |
| SHA1 | 689d784379bac189742b74cd8700c687feeeded1 |
| SHA256 | 523d141e59095da71a41c14aec8fe9ee667ae4b868e0477a46dd18a80b2007ef |
| SHA512 | e4796134048cd12056d746f6b8f76d9ea743c61fee5993167f607959f11fd3b496429c3e61ed5464551fd1931de4878ab06f23a3788ee34bb56f53db25bcb6df |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\lt.pak
| MD5 | 96602a3f3b59faa997a4d337889fa02b |
| SHA1 | 94593a270b0d84c006e0959bc136b6c4987dfd3f |
| SHA256 | 51db5311de9dff41fb4eadda8ba7d5e492912f72c3754adaf8e3de23aba46f8a |
| SHA512 | dd45240494d09ad9a41be9d4056ed274e78a50dc85e6bff9438e707a84f65b77ebe522531370da99e50a6887d6063c29e9728b49df2b2b3c61362d774797fac2 |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\ko.pak
| MD5 | b83bc27c5bc2bb4d0ff7934db87e12ad |
| SHA1 | 050f004e82f46053b6566300c9a7b1a6a6e84209 |
| SHA256 | ab3060e7d16de4d1536ff6dd4f82939a73388201ad7e2be15f3afee6a5aae0ef |
| SHA512 | b56b211587fe93a254198ca617cdecd8dc01e4561151a53173721665111c4d2440535f5f6b8a5a69a31840ea60124f4afd2c693d1fc4683fa2cf237c8ede5f0a |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\kn.pak
| MD5 | a603f3d899ccdcd9af20dcd8f87d0ed8 |
| SHA1 | f476355d6ea5c05b35ad74c08e2edfe5ff2881ad |
| SHA256 | 3c11a589aab0c5d9e5c18e6a95dce7e613089d3598b8fe54e656a8d97e22a6fd |
| SHA512 | f6b008080cae44d680faaab02911f62e21d042c55fc5af87e719e9bc4102b282e58e67f19f37f60fe8ba99f5b8cfd4e70a61af9918a9ee8e3d8ae72555d31c15 |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\ja.pak
| MD5 | f47efaa76f5200a6c0c23c33684d7bad |
| SHA1 | 9b24f6491a1171d3dfeae329e1f45ab3e3d9cf22 |
| SHA256 | 5b99d6a11d7b653681b2a2bb616cc1814451ad35c370d178b2ef6650465d4f2a |
| SHA512 | 67d130a66f03a4d1a0a30576b19fe44fa707cba764c6dcd355cbe891a2bcc0b25823ba2106e9271e06ada674f66824a5323b77d4984900516d2a8802af87960e |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\it.pak
| MD5 | 7c981a25be0e02fba150e17d9669a536 |
| SHA1 | 3af10feb7cdc7bc091b80173301b1a3d4ef941d4 |
| SHA256 | ee2d2643ad7a8f97b7a6c070910866436cae0267a6691a3d8a88ed0948d8af49 |
| SHA512 | 445eecfa83e7635bc3442937bdf3b9c4a38ef3fbb7f07ca90a1d4222e1a29639f3fdce12b20e798888823f2d612e5972492b3786d37b256aec5c1c96cdb96b28 |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\id.pak
| MD5 | bd9636e9c7dc7be4c7f53fb0b886be04 |
| SHA1 | 55421d0e8efcbef8c3b72e00a623fb65d33c953e |
| SHA256 | 5761ee7da9ca163e86e2023829d377a48af6f59c27f07e820731192051343f40 |
| SHA512 | 7c7e88ffd2b748e93122585b95850ded580e1136db39386ced9f4db0090e71394a1f9ceb937262c95969132c26bf6ce1684fbb97b6469ed10414171a2e8cc3a4 |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\hi.pak
| MD5 | b7e4892b2030e4f916364856b6cc470a |
| SHA1 | b08ad51e98e3b6949f61f0b9251f7281818cd23e |
| SHA256 | 093119a99f008ab15d0e5b34cd16ec6b4313554e6c3cffe44502bfce51470e3e |
| SHA512 | ca453025d73228592a4bfe747a3ea08b86327f733032a64ced0fc0c9e2e00b02450f133e691b94be13a3e69e22b43bca512e5f77b0e490320f0bf8e65571bb46 |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\he.pak
| MD5 | 93d9261f91bcd80d7f33f87bad35dda4 |
| SHA1 | a498434fd2339c5d6465a28d8babb80607db1b65 |
| SHA256 | 31661709ab05e2c392a7faeed5e863b718f6a5713d0d4bbdab28bc5fb6565458 |
| SHA512 | f213ff20e45f260174caa21eae5a58e73777cd94e4d929326deefbef01759d0200b2a14f427be1bb270dfcd2c6fb2fce789e60f668ac89ecf1849d7575302725 |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\fr.pak
| MD5 | 0445700799de14382201f2b8b840c639 |
| SHA1 | b2d2a03a981e6ff5b45bb29a594739b836f5518d |
| SHA256 | 9a57603f33cc1be68973bdd2022b00d9d547727d2d4dc15e91cc05ebc7730965 |
| SHA512 | 423f941ec35126a2015c5bb3bf963c8b4c71be5edfb6fc9765764409a562e028c91c952da9be8f250b25c82e8facec5cada6a4ae1495479d6b6342a0af9dda5f |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\fil.pak
| MD5 | 3165351c55e3408eaa7b661fa9dc8924 |
| SHA1 | 181bee2a96d2f43d740b865f7e39a1ba06e2ca2b |
| SHA256 | 2630a9d5912c8ef023154c6a6fb5c56faf610e1e960af66abef533af19b90caa |
| SHA512 | 3b1944ea3cfcbe98d4ce390ea3a8ff1f6730eb8054e282869308efe91a9ddcd118290568c1fc83bd80e8951c4e70a451e984c27b400f2bde8053ea25b9620655 |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\fi.pak
| MD5 | 5518b51d4af7f1b9d686cbea28b69e71 |
| SHA1 | df7f70846f059826c792a831e32247b2294c8e52 |
| SHA256 | 8ff1b08727c884d6b7b6c8b0a0b176706109ae7fe06323895e35325742fe5bd1 |
| SHA512 | b573050585c5e89a65fc45000f48a0f6aabccd2937f33a0b3fcbd8a8c817beaa2158f62a83c2cae6fcfb655f4a4f9a0c2f6505b41a90bc9d8ede74141ebc3266 |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\fa.pak
| MD5 | dcd3b982a52cdf8510a54830f270e391 |
| SHA1 | 3e0802460950512b98cd124ff9f1f53827e3437e |
| SHA256 | e70dfa2d5f61afe202778a3faf5ed92b8d162c62525db79d4ec82003d8773fa3 |
| SHA512 | 3d5b7fa1a685fa623ec7183c393e50007912872e22ca37fdc094badaefddeac018cc043640814a4df21bb429741dd295aa8719686461afa362e130b8e1441a12 |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\et.pak
| MD5 | a94e1775f91ea8622f82ae5ab5ba6765 |
| SHA1 | ff17accdd83ac7fcc630e9141e9114da7de16fdb |
| SHA256 | 1606b94aef97047863481928624214b7e0ec2f1e34ec48a117965b928e009163 |
| SHA512 | a2575d2bd50494310e8ef9c77d6c1749420dfbe17a91d724984df025c47601976af7d971ecae988c99723d53f240e1a6b3b7650a17f3b845e3daeefaaf9fe9b9 |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\es.pak
| MD5 | e9fa4cada447b507878a568f82266353 |
| SHA1 | 4a38f9d11e12376e4d13e1ee8c4e0d082d545701 |
| SHA256 | 186c596d8555f8db77b3495b7ad6b7af616185ca6c74e5dfb6c39f368e3a12a4 |
| SHA512 | 1e8f97ff3daad3d70c992f332d007f3ddb16206e2ff4cffd3f2c5099da92a7ad6fb122b48796f5758fe334d9fbf0bbae5c552414debbb60fe5854aaa922e206e |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\es-419.pak
| MD5 | 5321c1e88c5c6fa20bdbc16043c6d0f6 |
| SHA1 | 07b35ed8f22edc77e543f28d36c5e4789e7723f4 |
| SHA256 | f7caa691599c852afb6c2d7b8921e6165418cc4b20d4211a92f69c877da54592 |
| SHA512 | 121b3547a8af9e7360774c1bd6850755b849e3f2e2e10287c612cf88fb096eb4cf4ee56b428ba67aeb185f0cb08d34d4fa987c4b0797436eea53f64358d2b989 |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\hu.pak
| MD5 | b338dcb0e672fb7b2910ce2f561a8e38 |
| SHA1 | cf18c82ec89f52753f7258cdb01203fbc49bed99 |
| SHA256 | bcdf39aa7004984cb6c13aac655b2e43efeb387ce7d61964b063d6cf37773f7a |
| SHA512 | f95f6a8e36d99680fb3cdb439f09439782bcc325923ec54bdc4aeb8ec85cf31a3a2216e40e2b06c73a2f5e7439d8178d8becac72781a6d79808067e8ccf3cac6 |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\pt-PT.pak
| MD5 | acffa29064f40a014bc7fe13e5ff58a9 |
| SHA1 | 5a0890c94084075446264469818753f699a3d154 |
| SHA256 | 423e7ccb22d32276320ed72f07186188e095c577db5bce7309c8bd589a2a8858 |
| SHA512 | d4572c81fdd3b7b69d77544f68b23ae0b546158033be503dbaab736d3ca1188b18916688234fae9ea29fa430258b2d2b95a93d0e8b74919a62040b84902d3b6e |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\sl.pak
| MD5 | 4d9d56ef0b176e7f7aa14270e964ec77 |
| SHA1 | 515aac37e4f25ca50bd52ea73889b70b1e79863d |
| SHA256 | 6ba684a8f06f7eb175955b15d30c7162d92c7e7c48864dfb853238263e1be8c7 |
| SHA512 | 740adbb7d8b039f98e187f45a1a87d0354136fb48b75262e508f720bfcbeb2746f04d31a57dccd50e37ddb5a1b7c0ad79a01cac6ba5fb98a9af272ad99fcb169 |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\sk.pak
| MD5 | 793c442420f27d54410cdb8d8ecce5ff |
| SHA1 | 8995e9e29dbaaa737777e9c9449b67ca4c5b4066 |
| SHA256 | 5a9d6b77ca43c8ed344416d854c2d945d8613e6c7936445d6fe35e410c7190bb |
| SHA512 | 291e3d2300c973966d85e15a1b270ba05c83696271a7c7d4063b91097a942590c9797a4d22dfbe154564b779dac92fd12db0d5b63f5f0406f818b956b126e7e9 |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\ru.pak
| MD5 | fc0e2fc09aa9089c5db75bab7a0754a7 |
| SHA1 | f3d1e3e1600ae188e801a81b6d233db9903b82df |
| SHA256 | 188b6405cb6c5b7c0b35050278a119c3ce41fb90883b9adb39fec15da0a05550 |
| SHA512 | 377e685d1d171d0a7158b56f356ca33d4493d07efa58d3c384e272e1b6829933552c69aff95215ae7d1a0f99616a20790708f5187ea10cfe46baa2bb522fc18f |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\ro.pak
| MD5 | 19cfc7c8f1a2e4a2de1f9f64475469bc |
| SHA1 | bf6c4f373c19b03e116d2593c64e1ceca47d79dc |
| SHA256 | 3e725f7a791aed1fbed57f075ca11ce389a5bd425ccce3c00537dad27e5a8dd6 |
| SHA512 | ff5254e3a3676b8f5e74cba6661ae43d5739c7363c66cb17f74dce158dc36cee103885f055846dd320b932f2e7fbdc831bcee6293d423ff9b842b68644f633bd |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\pt-BR.pak
| MD5 | a23c805ee4d3d67c811b50826ca25a51 |
| SHA1 | c14fa8b9c7073fe88e188cfa4b34883faccc2c09 |
| SHA256 | 62be4fb0bd3b8be563516bfea3f0848924bb7afb0c563d02c1508608a4487e3b |
| SHA512 | c478bd2234eef73aa08085d29b916ad1471576ff213f972c9616757172d0cdec6e5d6797a1f2635ac17a0bac34964a298e4ab4336479456ce10330128cd68a53 |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\pl.pak
| MD5 | 61c093fac4021062e1838a32d79399c2 |
| SHA1 | 84a47537ef58d2507cf7697ea7e1e27b1f812ee8 |
| SHA256 | 58067ec06973f5dd7afebbe57bffce3a3ed9f8e5093af8fcefdb6a65b2b68b22 |
| SHA512 | 475d9d4f27cbc23efd9acf75024f993bcf7a8279e658ccbd84c8ac810e1c828de4dac4141298865faf1bb8858a7a88a12d1a21c467e8c656533e364ceff7e5dc |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\nl.pak
| MD5 | bc41967b2ff493e7f151c7721245739d |
| SHA1 | 7606133ddbb58492dbbf02c03a975fb48da1e26f |
| SHA256 | 3dbe5569f53d1314dcb1bc99540cf6a0fea45b6d67576fd0d14c688107892f32 |
| SHA512 | 9e395a3b5bbf64de3e474c56c4fb39879f107a9db246632cf6bb4b06160e05a82c0161d6496edb2bc29febb4a8f67ca7ea904167b860fd6da96636a6711cb593 |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\nb.pak
| MD5 | 7576c2fa9199a4121bc4a50ff6c439c3 |
| SHA1 | 55e3e2e651353e7566ed4dbe082ffc834363752b |
| SHA256 | 2a3dfc6b41fa50fabed387cb8f05debbc530fa191366b30c9cb9eaae50686bd5 |
| SHA512 | 86c44e43609e6eb61273f23d2242aa3d4a0bfa0ea653a86c8b663fa833283cc85a4356f4df653e85080f7437b81ae6201a3ecf898a63780b5ca67faa26d669fe |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\ms.pak
| MD5 | 9b3e2f3c49897228d51a324ab625eb45 |
| SHA1 | 8f3daec46e9a99c3b33e3d0e56c03402ccc52b9d |
| SHA256 | 61a3daae72558662851b49175c402e9fe6fd1b279e7b9028e49506d9444855c5 |
| SHA512 | 409681829a861cd4e53069d54c80315e0c8b97e5db4cd74985d06238be434a0f0c387392e3f80916164898af247d17e8747c6538f08c0ef1c5e92a7d1b14f539 |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\mr.pak
| MD5 | 25f2b9842e2c4c026e0fc4bc191a6915 |
| SHA1 | 7de7f82badb2183f1f294b63ca506322f4f2aafa |
| SHA256 | 771eb119a20fcc5e742a932a9a8c360a65c90a5fe26ab7633419966ba3e7db60 |
| SHA512 | ac6d2eeb439351eee0cf1784b941f6dd2f4c8c496455479ca76919bf7767cca48a04ba25fccde74751baa7c90b907b347396235a3ce70f15c1b8e5388e5c6107 |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\tr.pak
| MD5 | 9f24f44cac0997e1d0a6a419520f3bfe |
| SHA1 | edb61859cbb5d77c666aac98379d4155188f4ff5 |
| SHA256 | 3aff7dcbfb1a244cc29b290376b52cfb3e1f844c98facafea17b4a45ce064b8a |
| SHA512 | 65fbe2d7fea37db59b805d031f6ae85d628a51b254e76e8c2b4ef4b5153527b7e2412ed6a0961d174b8a5581b521b0436160fe5ed252f78303bcfde815733d81 |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\ur.pak
| MD5 | d7ec7d551dee1e1ef11be3e2820052f9 |
| SHA1 | d7f2d35841883103c2773fc093a9a706b2fe5d36 |
| SHA256 | 05e45371159075048db688564b6bc707e0891303c40f490c3db428b0edd36102 |
| SHA512 | 92e2d32fc106812e08163a26f202a5d0e7eb7028a871f3bc6cbc05ee6c7ce287032179322b19e396308968515bf214534a38d93afc259a780ad7ba8432fab56a |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\resources\app-update.yml
| MD5 | 1f3fc4ed1c35754da78d76ac2355e681 |
| SHA1 | 52a2ec4a1267e6b51fb9e376f38dd174799f57f3 |
| SHA256 | 08c1434ebe835e19645d055993023f8b8048ef6025792bd2ce685ef33f34abe3 |
| SHA512 | 155895169d921772c125922c82785b34e59ae0b35f909543bbcbb52b88f9b857d2997de335ea87cc4f582d8b928598de4addde423d21953d29d9e3e27932adbb |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\zh-TW.pak
| MD5 | 8f67a9f38ad36d7d4a6b48e63852208d |
| SHA1 | f087c85c51bdbdef5998cfc3790835da95da982a |
| SHA256 | 92f26e692dc1309558f90278425a7e83e56974b6af84dbd8cc90324785ee71ca |
| SHA512 | 623034bbdfdf5d331de78b630f403aeb9cef27b1827e0d29ec66ad69310f56c7db96c6775df0e749f8112a4a8e75754bcf987903d415fc7ae360e3c39e6e18e0 |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\zh-CN.pak
| MD5 | 9d4f54eb5a12cf4c2f34f5f538dff90b |
| SHA1 | c31b892ce78c733bde0571b6236170103cc9fe7a |
| SHA256 | 58b934a09858f037f1966a495e73d44416180afcdebfaefcee1f5e3377de63f7 |
| SHA512 | 46bf6099c50f7959a6f0800ec679b61a78efabe87985cad8dc0d7d0006470a9c61e659bde0258da6cf7ed6104749a157f5ad133f324479c3460a19fc14e31c37 |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\vi.pak
| MD5 | 9274866d7c6314f43dd63ed293293e25 |
| SHA1 | 4af0e6ec1bcb99588810a9fb69c1dc2bbad892fc |
| SHA256 | dcbdc6d9e11dd10fc1364c10be5438ce2697f61ec5f32997c43b87238087c4e3 |
| SHA512 | 3c8c9e9960a49469af83cae31790a03e41846163c14d3dae45fd92a1a412c82075bdef3317baca02399eb53de0f9164c0a9a17b7cd63e0fa61c3e4617393c42e |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\uk.pak
| MD5 | e4c4e3700469704b936460ca1a90fcc0 |
| SHA1 | e809990fc07a1d39fe623046382699e648e343c0 |
| SHA256 | 29af2abc75a35bb9e3f9bc6e2904228ba651ea4e0ce8e9c7a2d7e272374b9ebb |
| SHA512 | 68e33f471c5bf2d4ed9cb00ace3e094ef102a5f1566a6e2c8a3007ef7fbd8a24c36eb36b08745f3608e70940444e9fc7a36fabe1a9945d1f00b4f3f28c7bdaf6 |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\th.pak
| MD5 | 293ad7c20c22d744e4db0fb001ec45bb |
| SHA1 | 486c9e0732306a45aceb633da2b3ded281197620 |
| SHA256 | d67d68f24d3347e244a7e8c3b63d47f18fcf37258256f48dad785cf98bb560fa |
| SHA512 | ac2b2dd82095925b3229958e89dcf5283bdce0273734a0c338f5a1aa8b014644806ca517f0fc2003669910e58fedf9c2ca7a009fa3f53d58c07bc5e9191f2e2f |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\te.pak
| MD5 | 02415ded02cc7ac25e8f8d0e83365061 |
| SHA1 | 5a25bf63ec97dbeb37e64ab3825cbbce6326a5cf |
| SHA256 | 97024f0cfac78e0c738e771beea1e35f5a8eb2b132b3043b59ce4ecd6c153523 |
| SHA512 | 54e658c6d432b29b031be278e5b4396ac14b0f85e1f772a0a76c0431d4cbe2370ff2898077837688e2fb9700db1eab7a19e4e350a280a2ffad8176d861d93e45 |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\ta.pak
| MD5 | a8beab6896018a6d37f9b2e5bdd7a78c |
| SHA1 | 64310684247219a14ac3ac3b4c8ebaa602c5f03a |
| SHA256 | c68b708ba61b3eeab5ae81d9d85d6e9f92e416ecfae92e8de9965608732384df |
| SHA512 | 73b0a31235bf4b7c5ad673f08717f3b4f03bcdf2a91440ee7228aa78c2d15dd2aed32498e23ded78ec35bc731dbe16b6a1c236a170f2a84123a464857686c7b5 |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\sw.pak
| MD5 | ee8da42ffe40fbb916c56390e2cd99e8 |
| SHA1 | 6d824f56afe6b3605a881d2c26e69a46e6675347 |
| SHA256 | 192e248c7ac4644f8712cf5032da1c6063d70662216ccf084205f902253aa827 |
| SHA512 | 7befe72b073000bc35a31323d666fd51d105a188d59c4a85d76ee72b6c8c83a39a1beb935c1079def8e3ffa8c4bf6044cf4f3bef0f1c850c789b57e1144ff714 |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\sv.pak
| MD5 | bbe0785c5f9591e8a1e7c4830fe949d6 |
| SHA1 | da4f3286079d50e1c04e923529e03e7d334c7fff |
| SHA256 | 0ad84f6f95fd7505862278a7c1c92d00a7e7dd4a765569e9c3086f55c1d7059d |
| SHA512 | 38bab6f3a6c9395d3b57e63168045ad2e8188b2f04751a15253e7226ec3043c9678a77be1eb27a3b2e751934a024f3ffc89fffd9f1e229e19638be318b53e961 |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\locales\sr.pak
| MD5 | cf160983a86b51ec42845f4e60ac9123 |
| SHA1 | 4d3bd86a7ef1eaadb8bec0b79ecc6c05b4273a48 |
| SHA256 | ef07512fb337005bb66696c69722a0d65bfb749b9d2f763f5b2ff2885cb247a4 |
| SHA512 | b909fc3614c3250856d2c502cbfed5eb6e398140b801669bf92427e7e8a5939b14052b9abf2c94749f1aea61946ff66be4978c68064196458733bcff0a963ffa |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\resources\app.asar
| MD5 | dcf84c7c6436284959898ff76df2601a |
| SHA1 | d64896cf933ef8399c23f678e2b5529c1074e8f9 |
| SHA256 | 9ab65922798b5f5c4056de45e44a5fdccc489a6321a3cabbfbd99d8ca9daa896 |
| SHA512 | 1e1361c6ec01637d83e340ef4069f5043fec4aa750df1fcaed5c9ef88e2a90108ca345789ef3053ca7970ebed73d9ab9cd66d5fdcb409038d4618de2037d4f80 |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\resources\dist\pages\cantLoad.html
| MD5 | af0ebfabf769eacba4deb6fbc9f002ce |
| SHA1 | 8b18e6f7c70bf329bb5f9f4c2436c7d6f95faed4 |
| SHA256 | 6bc293fd068ddac9c3d92116e09417ac768336c76b748fccdc9f167e6466c1d4 |
| SHA512 | 85d744eb091ed3a9e5b14eb4d87c5233b9909c732c5902c50a2cd38a9645a65dae8723f3773758e02a1a8c591da98fc589377702863090acb527fb20ceded709 |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\resources\elevate.exe
| MD5 | 86050c2cbb9f996c1d7b5116fc67b21e |
| SHA1 | 59ec79f38d3a3bbe5b63b464bc720b426d7c300a |
| SHA256 | 288bce90fd6ffb1dd260f71f73765b9931c45015c3a963514855ae78f1becb9a |
| SHA512 | 9d4a1eb417b809299b9eeafc90323032dbea5b0ae9ddc799af6e4e36ecef61d2518dc4756bb4ac398d396926eb72e6886cb64c568dfad80e51c5320a74943b8f |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\resources\dist\pages\icon-text-logo.svg
| MD5 | 9e058d4bc591160ec98e36aa65031b48 |
| SHA1 | 36254fd3bdb61ac27344a69594d91009122808fe |
| SHA256 | a6feedf1437cf6026a950771aee3798a310ad554ddf00508282bba9c50e48c79 |
| SHA512 | 4e0d4edc0385d9b114f0553c3b182313507ca08e3c680bdb78c7ef05e019b2d4b56a84801792d0923bf16b993918ad72b0029199adc52daa951b209a6c62a125 |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\resources\extraResources\[email protected]
| MD5 | e9b992be1a5ea38cfdbc31508d80b3b9 |
| SHA1 | e8395346ff49413abda7950807938baaaeee042d |
| SHA256 | ca3525faef577979cc300996b230ab12f58b539d1361e2831868d515068c2346 |
| SHA512 | 930501bf1c6d71a2907217bd4c8bfe0231d890f1f665d51963b3011c805a305246d6e4e0ecf6cf6efad37edde6ffed3c7dd088594ac24aab1e13fabd21a35e1a |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\7z-out\resources\extraResources\IconTemplate.png
| MD5 | 2c761c4c5b466c0d6c3fb51907f4a587 |
| SHA1 | 72bb96c24004b9cf6abde1ae870ebb2315169855 |
| SHA256 | c0abd9c5ecfb3cfcd8ef51d6efd969cacfc2c13c59815d067573977664461eec |
| SHA512 | 9722b18a6342ea91e5094b41b31eb2bbed4c2fb773f6309b9ad238dd52260773ed3e0ebfa38469ac970b51bf2665f45086fd112f1eb0390513665094b91ea560 |
C:\Users\Admin\AppData\Local\Temp\nse7725.tmp\WinShell.dll
| MD5 | 1cc7c37b7e0c8cd8bf04b6cc283e1e56 |
| SHA1 | 0b9519763be6625bd5abce175dcc59c96d100d4c |
| SHA256 | 9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6 |
| SHA512 | 7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f |
\??\pipe\crashpad_620_AIIEYHPOWOGQHVUR
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
C:\Users\Admin\AppData\Roaming\Bearly\Session Storage\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Roaming\Bearly\Service Worker\Database\MANIFEST-000001
| MD5 | 5af87dfd673ba2115e2fcf5cfdb727ab |
| SHA1 | d5b5bbf396dc291274584ef71f444f420b6056f1 |
| SHA256 | f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4 |
| SHA512 | de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b |
C:\Users\Admin\AppData\Roaming\Bearly\config.json.tmp-5384187930bcff78
| MD5 | b571feedd7a6cfefa26b73514d57a7c7 |
| SHA1 | 33d4945a08a2040a4707b44d21483cd00858cb7d |
| SHA256 | bf7d1e5bafc682ba7bf07389750e4165fa3076e69625630998b4a528f5e6d635 |
| SHA512 | 8d2f594f4f568005005f2ba23bdd67ccdfd4bf56ada577993aaed596c839263f223dc2180897b906d8a8e94fd060eccda97a6cc2f464bd507182db45f4a017c7 |
C:\Users\Admin\AppData\Roaming\Bearly\config.json.tmp-53841880464e3b2c
| MD5 | 0c2bb92bc63d59da117b6542b8ca9edb |
| SHA1 | 1841f159e4e2074fd921877937016a21ff4f0f90 |
| SHA256 | dc011a83b38ed30c2eb64000cd76d92dd2fa807170fbe2dbab77bc5221471ab3 |
| SHA512 | 8b4f251a74afe73a4c8fa003b5e0d65b33ac642567c73500783f1339e892fe76f3e524d5b56faf0bdff6a799c9581136fe33ac6fc1f135400440ce05abd57e9f |
C:\Users\Admin\AppData\Roaming\Bearly\config.json
| MD5 | 1ffb53e0bcfa1dfde7672728e3114815 |
| SHA1 | ec46721ab0c27d9e707f63c2ee748c954d775de2 |
| SHA256 | 8e3ed5120a02820b427cb66f4f10c93aa4ca6415f332686b39174a6e04a70c76 |
| SHA512 | 5aaabd51ac0b126c05d881e07fdaf1d82e86f5c6b5aea347ea53ea507fad953409e213ca0ae05bbf0921b478b595fbdbfada1eafd5ec39fbb9454434f0f5d424 |
memory/6676-1489-0x00007FFF833F0000-0x00007FFF833F1000-memory.dmp
memory/6676-1488-0x00007FFF84EA0000-0x00007FFF84EA1000-memory.dmp
C:\Users\Admin\AppData\Roaming\Bearly\217f7f6e-dafc-40d8-b8d6-325b7eb07a2e.tmp
| MD5 | 58127c59cb9e1da127904c341d15372b |
| SHA1 | 62445484661d8036ce9788baeaba31d204e9a5fc |
| SHA256 | be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de |
| SHA512 | 8d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a |
C:\Users\Admin\AppData\Roaming\Bearly\Service Worker\ScriptCache\index-dir\the-real-index~RFe580cfb.TMP
| MD5 | 517adce143140d81cb6c453a49e6ec2e |
| SHA1 | 03ae1119b20a35bf9d75962fa0a7c2a71a6e020c |
| SHA256 | c36bb852a8384f44a21727fe8a64586c2fc1654ae11382cfa6ffb6e0284466de |
| SHA512 | 2745735c73751d04890babb4e66ea6e106626007275296637e449aa01471d57f095b44f27079ec721c769b2ae183f413f517dd08e5082f85e3efb067a526f9d9 |
C:\Users\Admin\AppData\Roaming\Bearly\Service Worker\ScriptCache\index-dir\the-real-index
| MD5 | 00f4881ba4d4e366db901083869d2b74 |
| SHA1 | 9c78679b48be04a21882c02b96ddc168ebaccde6 |
| SHA256 | 9e030c4a887e6a7f92b7ea82f5e79cd67304b7453208550d6a96cd1e6d907c4b |
| SHA512 | e9d1b6732c5146dcc24cf037d47cdf7ad797d64f76768867a0099c2e4f7aca1fc20924e04df0607d16099a61f26a409acac5428144501c7d5586f28ca1412c4e |
C:\Users\Admin\AppData\Roaming\Bearly\Code Cache\js\index-dir\the-real-index
| MD5 | e0957dc485b5cb554cc414f2ed7557f3 |
| SHA1 | 3b648f31dc45976020bb4f2866a6f721e9d69495 |
| SHA256 | 159e3b777772820d932ab7ab26b90a3ed7cf23fea81558dfbb15eff5abd85cbb |
| SHA512 | b513c4fa982374bb124513c97408bbf63780d09060f05bb9333deadd3e4979adbc4cbb6e13be2ec7590a26eabde5ea3c89865ebc8d8eb579a55e2cef9dd2e8bd |
C:\Users\Admin\AppData\Roaming\Bearly\Code Cache\js\index-dir\the-real-index
| MD5 | 683ca3c3d6b6793f3f1a39952158d8db |
| SHA1 | 01f2e426b05dae0e98d956f369ce1d5e19779dee |
| SHA256 | 512f4927fb1ddfbf7bc0529177d769f532b329450603da1f3f1790a42e2e31b1 |
| SHA512 | f359d68cd7d122b969e22de9f9d995e9e625a9a5851d0d28c2d0a5345fceba66cef067c954957abc880885823d44b227ceef16c57517f7498329a9390b4617f7 |
C:\Users\Admin\AppData\Roaming\Bearly\Network\Network Persistent State
| MD5 | 1eaa3d3a0554a7d5465dc9fd690e1995 |
| SHA1 | 1b87ee2d7d73943e0cdc2fa88013406fc112146f |
| SHA256 | 5ab0525ceb9e2d5ef87c5ee3d94d4061eb39c61318dca262344b7eabb2728d92 |
| SHA512 | e49d2d690eef90d01f92f889e3b3366b28d5b921c5e09ff68d7bc735f39895243fc99923a964932c58a8f040210d3c489859a7a9f771d937029845ee43a5a59b |
C:\Users\Admin\AppData\Roaming\Bearly\Network\Network Persistent State~RFe58cdab.TMP
| MD5 | 2800881c775077e1c4b6e06bf4676de4 |
| SHA1 | 2873631068c8b3b9495638c865915be822442c8b |
| SHA256 | 226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974 |
| SHA512 | e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b |
memory/5300-1562-0x000001DA25520000-0x000001DA25521000-memory.dmp
memory/5300-1561-0x000001DA25520000-0x000001DA25521000-memory.dmp
memory/5300-1560-0x000001DA25520000-0x000001DA25521000-memory.dmp
memory/5300-1566-0x000001DA25520000-0x000001DA25521000-memory.dmp
memory/5300-1567-0x000001DA25520000-0x000001DA25521000-memory.dmp
memory/5300-1572-0x000001DA25520000-0x000001DA25521000-memory.dmp
memory/5300-1571-0x000001DA25520000-0x000001DA25521000-memory.dmp
memory/5300-1570-0x000001DA25520000-0x000001DA25521000-memory.dmp
memory/5300-1569-0x000001DA25520000-0x000001DA25521000-memory.dmp
memory/5300-1568-0x000001DA25520000-0x000001DA25521000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-05-10 23:34
Reported
2024-05-10 23:38
Platform
win10v2004-20240426-en
Max time kernel
146s
Max time network
159s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2372 wrote to memory of 944 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2372 wrote to memory of 944 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2372 wrote to memory of 944 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 944 -ip 944
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 944 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 155.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-05-10 23:34
Reported
2024-05-10 23:38
Platform
win10v2004-20240508-en
Max time kernel
92s
Max time network
98s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1092 wrote to memory of 3776 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1092 wrote to memory of 3776 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1092 wrote to memory of 3776 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3776 -ip 3776
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3776 -s 628
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-05-10 23:34
Reported
2024-05-10 23:39
Platform
win10v2004-20240426-en
Max time kernel
144s
Max time network
155s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-10 23:34
Reported
2024-05-10 23:38
Platform
win7-20231129-en
Max time kernel
118s
Max time network
121s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2352 wrote to memory of 2332 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2352 wrote to memory of 2332 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2352 wrote to memory of 2332 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2352 wrote to memory of 2332 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2352 wrote to memory of 2332 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2352 wrote to memory of 2332 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2352 wrote to memory of 2332 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SpiderBanner.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SpiderBanner.dll,#1
Network
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-05-10 23:34
Reported
2024-05-10 23:38
Platform
win7-20240215-en
Max time kernel
117s
Max time network
122s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-10 23:34
Reported
2024-05-10 23:38
Platform
win7-20240508-en
Max time kernel
118s
Max time network
124s
Command Line
Signatures
Checks installed software on the system
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe | N/A |
Loads dropped DLL
Enumerates physical storage devices
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f3beb34cc046e27623b8ed753d3fc50584aaf6f388aa6bb75780d1043326e4f7.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f3beb34cc046e27623b8ed753d3fc50584aaf6f388aa6bb75780d1043326e4f7.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f3beb34cc046e27623b8ed753d3fc50584aaf6f388aa6bb75780d1043326e4f7.exe
"C:\Users\Admin\AppData\Local\Temp\f3beb34cc046e27623b8ed753d3fc50584aaf6f388aa6bb75780d1043326e4f7.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq Bearly.exe" | %SYSTEMROOT%\System32\find.exe "Bearly.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "USERNAME eq Admin" /FI "IMAGENAME eq Bearly.exe"
C:\Windows\SysWOW64\find.exe
C:\Windows\System32\find.exe "Bearly.exe"
C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe
"C:\Users\Admin\AppData\Local\Programs\Bearly\Bearly.exe"
Network
Files
\Users\Admin\AppData\Local\Temp\nsd282A.tmp\System.dll
| MD5 | 0d7ad4f45dc6f5aa87f606d0331c6901 |
| SHA1 | 48df0911f0484cbe2a8cdd5362140b63c41ee457 |
| SHA256 | 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca |
| SHA512 | c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9 |
\Users\Admin\AppData\Local\Temp\nsd282A.tmp\StdUtils.dll
| MD5 | c6a6e03f77c313b267498515488c5740 |
| SHA1 | 3d49fc2784b9450962ed6b82b46e9c3c957d7c15 |
| SHA256 | b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e |
| SHA512 | 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803 |
\Users\Admin\AppData\Local\Temp\nsd282A.tmp\SpiderBanner.dll
| MD5 | 17309e33b596ba3a5693b4d3e85cf8d7 |
| SHA1 | 7d361836cf53df42021c7f2b148aec9458818c01 |
| SHA256 | 996a259e53ca18b89ec36d038c40148957c978c0fd600a268497d4c92f882a93 |
| SHA512 | 1abac3ce4f2d5e4a635162e16cf9125e059ba1539f70086c2d71cd00d41a6e2a54d468e6f37792e55a822d7082fb388b8dfecc79b59226bbb047b7d28d44d298 |
\Users\Admin\AppData\Local\Temp\nsd282A.tmp\nsExec.dll
| MD5 | ec0504e6b8a11d5aad43b296beeb84b2 |
| SHA1 | 91b5ce085130c8c7194d66b2439ec9e1c206497c |
| SHA256 | 5d9ceb1ce5f35aea5f9e5a0c0edeeec04dfefe0c77890c80c70e98209b58b962 |
| SHA512 | 3f918f1b47e8a919cbe51eb17dc30acc8cfc18e743a1bae5b787d0db7d26038dc1210be98bf5ba3be8d6ed896dbbd7ac3d13e66454a98b2a38c7e69dad30bb57 |
\Users\Admin\AppData\Local\Temp\nsd282A.tmp\nsis7z.dll
| MD5 | 80e44ce4895304c6a3a831310fbf8cd0 |
| SHA1 | 36bd49ae21c460be5753a904b4501f1abca53508 |
| SHA256 | b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592 |
| SHA512 | c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df |
C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\chrome_100_percent.pak
| MD5 | acd0fa0a90b43cd1c87a55a991b4fac3 |
| SHA1 | 17b84e8d24da12501105b87452f86bfa5f9b1b3c |
| SHA256 | ccbca246b9a93fa8d4f01a01345e7537511c590e4a8efd5777b1596d10923b4b |
| SHA512 | 3e4c4f31c6c7950d5b886f6a8768077331a8f880d70b905cf7f35f74be204c63200ff4a88fa236abccc72ec0fc102c14f50dd277a30f814f35adfe5a7ae3b774 |
C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\chrome_200_percent.pak
| MD5 | 4610337e3332b7e65b73a6ea738b47df |
| SHA1 | 8d824c9cf0a84ab902e8069a4de9bf6c1a9aaf3b |
| SHA256 | c91abf556e55c29d1ea9f560bb17cc3489cb67a5d0c7a22b58485f5f2fbcf25c |
| SHA512 | 039b50284d28dcd447e0a486a099fa99914d29b543093cccda77bbefdd61f7b7f05bb84b2708ae128c5f2d0c0ab19046d08796d1b5a1cff395a0689ab25ccb51 |
C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\d3dcompiler_47.dll
| MD5 | 2191e768cc2e19009dad20dc999135a3 |
| SHA1 | f49a46ba0e954e657aaed1c9019a53d194272b6a |
| SHA256 | 7353f25dc5cf84d09894e3e0461cef0e56799adbc617fce37620ca67240b547d |
| SHA512 | 5adcb00162f284c16ec78016d301fc11559dd0a781ffbeff822db22efbed168b11d7e5586ea82388e9503b0c7d3740cf2a08e243877f5319202491c8a641c970 |
C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\ffmpeg.dll
| MD5 | d8cd1aca8dd3a91d0bf32da2e746545e |
| SHA1 | 6a28b357d93fbb3502bc386019899c9f3633b069 |
| SHA256 | 5b831daa8515b3d1f346b481ec04f881a3fe728944e966624489d3a3872a40bf |
| SHA512 | af70b88194539cdebf353df0927671babbd51f3cdb304cf31dc5c29d65dea1e38136d7389ba48aa0829855d62eeb740f3df12ab981153c7f2eb70ed1e74fbcbb |
C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\icudtl.dat
| MD5 | 2134e5dbc46fb1c46eac0fe1af710ec3 |
| SHA1 | dbecf2d193ae575aba4217194d4136bd9291d4db |
| SHA256 | ee3c8883effd90edfb0ff5b758c560cbca25d1598fcb55b80ef67e990dd19d41 |
| SHA512 | b9b50614d9baebf6378e5164d70be7fe7ef3051cfff38733fe3c7448c5de292754bbbb8da833e26115a185945be419be8dd1030fc230ed69f388479853bc0fcb |
C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\libEGL.dll
| MD5 | 6426112edaa62ca308f7f32d26d4f6ad |
| SHA1 | 3edfd900da6a5fb1c67c41e18ea0ec9a2752ba2e |
| SHA256 | a23882d8555d8c3f1d27ba39b0225d68bc446e250d19d36aff4ef65d221458a3 |
| SHA512 | f967dea3f18ab81c8ca72b722962944b9a874cfda4c95237e96b1e989ff3657a087957c1ff2c374616ed2e49a75f2786174ff8972a3447589468dfafaf4db582 |
C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\libGLESv2.dll
| MD5 | b7214621f818dfe440ade5b2f3619519 |
| SHA1 | 4b95d412e49f2e4c3ce71e10b2d76df3ab63547c |
| SHA256 | 59133f095f941eb8d6b3613fd08b98e6d84e8290f3f72ded6d98c8683582f188 |
| SHA512 | d8195862a8d6ca8de5aa4096ce1feabda3f8375279904124e80451ef22d1ae13e4de35487afe36996d0b51edc16c48ddda03c5c2b14f4bd5e465ed48e9e3d29b |
C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\LICENSES.chromium.html
| MD5 | 312446edf757f7e92aad311f625cef2a |
| SHA1 | 91102d30d5abcfa7b6ec732e3682fb9c77279ba3 |
| SHA256 | c2656201ac86438d062673771e33e44d6d5e97670c3160e0de1cb0bd5fbbae9b |
| SHA512 | dce01f2448a49a0e6f08bbde6570f76a87dcc81179bb51d5e2642ad033ee81ae3996800363826a65485ab79085572bbace51409ae7102ed1a12df65018676333 |
C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\LICENSE.electron.txt
| MD5 | 4d42118d35941e0f664dddbd83f633c5 |
| SHA1 | 2b21ec5f20fe961d15f2b58efb1368e66d202e5c |
| SHA256 | 5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d |
| SHA512 | 3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63 |
C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\resources.pak
| MD5 | a8502a5d32543474520dd8cf1a871b60 |
| SHA1 | 4b2b4e61a8105dd9583c12e9adfd307c113907c8 |
| SHA256 | b6420c40d7d9b4971f6c99a3fd108e10c7e4e6bb95fa655a5a1b00ff2bab36dd |
| SHA512 | c73e578d9b8a990ad11c218c096fc8d8a5d283a3fee4388ef40b4140e14504498f3e376b4b86d0d789dd9cd1dc8957d749a86f59cdf199f85daa28490c129658 |
C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\snapshot_blob.bin
| MD5 | 840169fda65be2a18c85e7dd44ec6051 |
| SHA1 | 5080736e613be6e11242d37adef740cac0bf8cd1 |
| SHA256 | 80e58621229b4cb6104ce7f65ebce979a6ebe3eac750447d037660cec34ad0b3 |
| SHA512 | 2e65ac47ff05830eb0942288daf66468fbd34a1fbc1010f0bcdaca873f4d110ae8f88e825dec7e86dcd7b11dee7a003c29350e3377abd9f886b028cdbb830644 |
C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\v8_context_snapshot.bin
| MD5 | 5a072b0edc88a0b18e1c56a307a341cd |
| SHA1 | 20ee0b6521e12dfc4f378eb8d5724456e22e90fd |
| SHA256 | 878046ea578d24595d060583cf8f9618aba37d23c603499068e5762dd5509aa1 |
| SHA512 | c3a51850d939eea9b5d8926795cdc3e56962ec9eeabb3b80ed62a9c77ae5d6b696528d03a469c212b99d83ec303367f3353cc0fff459e7e577254f037f8fd995 |
C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\vk_swiftshader.dll
| MD5 | 3eb74d173ef00f7c510b11e61c5ab52f |
| SHA1 | 13cfe224f966145d7f90640b080bef5dd4d0ff42 |
| SHA256 | 0749491928a69673f17d39eb674f9a416e789e4fddec48ebb54714914343b48a |
| SHA512 | 423ab3765aa01cf39fa31d068ddb761ad93707cb06f57b4e674311c91c5cc9d238c231d1e6882f8d3525d16fea0d8f8db8d0a74bb55309f5a120cbe4a34e40bd |
C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\vk_swiftshader_icd.json
| MD5 | 8642dd3a87e2de6e991fae08458e302b |
| SHA1 | 9c06735c31cec00600fd763a92f8112d085bd12a |
| SHA256 | 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9 |
| SHA512 | f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f |
C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\vulkan-1.dll
| MD5 | 8439213fbb22a848ce814982d502bdc4 |
| SHA1 | 6c5831de36a539c0689410b00f1b8aa1dc6f7c2d |
| SHA256 | e69f794109b12523de314a471c56278cd921be58facbd18ec351685d15894cc0 |
| SHA512 | e4e570e5b98420d99634167e0d9f920cba27fc4b8e91c70cc4e5b33a4b3299a69ce9b294aae538aeb150135378978a6c7b0644a645b797ab230e185593c828c0 |
C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\af.pak
| MD5 | 7e51349edc7e6aed122bfa00970fab80 |
| SHA1 | eb6df68501ecce2090e1af5837b5f15ac3a775eb |
| SHA256 | f528e698b164283872f76df2233a47d7d41e1aba980ce39f6b078e577fd14c97 |
| SHA512 | 69da19053eb95eef7ab2a2d3f52ca765777bdf976e5862e8cebbaa1d1ce84a7743f50695a3e82a296b2f610475abb256844b6b9eb7a23a60b4a9fc4eae40346d |
C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\am.pak
| MD5 | c6ef9c40b48a069b70ed3335b52a9a9c |
| SHA1 | d4a5fb05c4b493ecbb6fc80689b955c30c5cbbb4 |
| SHA256 | 73a1034be12abda7401eb601819657cd7addf011bfd9ce39f115a442bccba995 |
| SHA512 | 33c18b698040cd77162eb05658eca82a08994455865b70d1c08819dfac68f6db6b27d7e818260caa25310ff71cf128239a52c948fde098e75d1a319f478a9854 |
C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\ar.pak
| MD5 | 56f6dc44cc50fc98314d0f88fcc2a962 |
| SHA1 | b1740b05c66622b900e19e9f71e0ff1f3488a98e |
| SHA256 | 7018884d3c60a9c9d727b21545c7dbbcc7b57fa93a16fa97deca0d35891e3465 |
| SHA512 | 594e38739af7351a6117b0659b15f4358bd363d42ffc19e9f5035b57e05e879170bbafe51aece62c13f2ae17c84efb2aed2fc19d2eb9dcb95ebd34211d61674e |
C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\bg.pak
| MD5 | 945de8a62865092b8100e93ea3e9828d |
| SHA1 | 18d4c83510455ce12a6ac85f9f33af46b0557e2e |
| SHA256 | f0e39893a39ce6133c1b993f1792207830b8670a6eb3185b7e5826d50fea7ba2 |
| SHA512 | 5f61160ff64b9490a1ad5517d8c1bb81af77d349541fed5045e7f6e5053b7d79b7e8f114630bfbe4d5af30258f70a6569462bfa39ccb765f8ca191f82ee04f3f |
C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\bn.pak
| MD5 | 8feb4092426a0c2c167c0674114b014d |
| SHA1 | 6fc9a1076723bfaf5301d8816543a05a82ad654d |
| SHA256 | fb0656a687555801edfb9442b9f3e7f2b009be1126f901cf4da82d67ac4ad954 |
| SHA512 | 3de40bdd18e9e7d3f2eceebf7c089e2250ce4d40412a18d718facba8f045e68b996978ef8b4d047b21d3424094056d16b5abb81bd0507f446b805d6b889522a7 |
C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\ca.pak
| MD5 | 01acd6f7a4ea85d8e63099ce1262fbad |
| SHA1 | f654870d442938385b99444c2cacd4d6b60d2a0d |
| SHA256 | b48d1bad676f2e718cbe548302127e0b3567913a2835522d6dd90279a6d2a56a |
| SHA512 | 2bd13eca1a85c219e24a9deb5b767faa5dc7e6b3005d4eb772e3794233ed49cb94c4492538d18acc98658c01d941e35c6f213c18ac5480da151c7545eedeb4ab |
C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\cs.pak
| MD5 | a934431d469d19a274243f88bb5ac6fb |
| SHA1 | 146845edc7442bf8641bc8b6c1a7e2c021fb01eb |
| SHA256 | 51c36a5acdad5930d8d4f1285315e66b2578f27534d37cd40f0625ee99852c51 |
| SHA512 | 562f07151e5392cbffb6b643c097a08045e9550e56712975d453a2ebaee0745fbfba99d69867eec560d1d58b58dff4f6035811b9d4f0b1b87547efa98f94d55d |
C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\da.pak
| MD5 | bb5252dc6f0f3c01ce3638138bf946c8 |
| SHA1 | bfb584b67c8ca51d94bff40809410553d54da1cf |
| SHA256 | c93f39d0ab9a2fab26977aa729261633225879ba6dc5ea8d0ca89814b2df9fa9 |
| SHA512 | e411fd3cc5285a6059c3fd80c3421253a4ce06b2d0cd1cd1efc25e88191a58fed176452d852922137268be2824e1e162cd4d4a6f8c695a50517a783d15b1c6e7 |
C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\de.pak
| MD5 | ed329b35d10e81f55d611fe8748876f8 |
| SHA1 | 0d998732bb4c4d1faad5a5bc0a21d6c5672418d3 |
| SHA256 | 6facd562add58c4684ef4a40de9b63581fea71c5b83049ed8a2c2a2c929c45ce |
| SHA512 | bd713ff78e375fec3a04ab0c9476c0379f87efc6d18359c2a4d297303d78381081120c371848c8675f1f16dd4ab7284d81e5bfc9ae11ab33e12f96c12d89e764 |
C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\el.pak
| MD5 | 6922aaa87431699787c1489e89af17b9 |
| SHA1 | 6fb7771c9271ca2eeebe025a171bfa62db3527f7 |
| SHA256 | 800545f9134914649da91b90e7df65d8208014c3e12f2be551dfd6722bf84719 |
| SHA512 | 367ef8467631e17e0a71d682f5792a499e8578b6c22af93d9a919d9e78709ec2501df9599624f013b43f4c3e9fb825182193116dbead01874995d322b7a6e4d6 |
C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\en-GB.pak
| MD5 | 0db7f3a3ba228aa7f2457db1aa58d002 |
| SHA1 | bbf3469caadfa3d2469dd7e0809352ef21a7476d |
| SHA256 | cf5aca381c888de8aa6bbd1dcd609e389833cb5af3f4e8af5281ffd70cd65d98 |
| SHA512 | 9c46c8d12579bd8c0be230bbcdb31bdb537d2fea38000cf700547ca59e3139c18cc7cb3e74053475605132404c4c4591f651d2dad2ce7f413ccffd6acf7139e8 |
C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\en-US.pak
| MD5 | 5e3813e616a101e4a169b05f40879a62 |
| SHA1 | 615e4d94f69625dda81dfaec7f14e9ee320a2884 |
| SHA256 | 4d207c5c202c19c4daca3fddb2ae4f747f943a8faf86a947eef580e2f2aee687 |
| SHA512 | 764a271a9cfb674cce41ee7aed0ad75f640ce869efd3c865d1b2d046c9638f4e8d9863a386eba098f5dcedd20ea98bad8bca158b68eb4bdd606d683f31227594 |
C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\es-419.pak
| MD5 | 5321c1e88c5c6fa20bdbc16043c6d0f6 |
| SHA1 | 07b35ed8f22edc77e543f28d36c5e4789e7723f4 |
| SHA256 | f7caa691599c852afb6c2d7b8921e6165418cc4b20d4211a92f69c877da54592 |
| SHA512 | 121b3547a8af9e7360774c1bd6850755b849e3f2e2e10287c612cf88fb096eb4cf4ee56b428ba67aeb185f0cb08d34d4fa987c4b0797436eea53f64358d2b989 |
C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\es.pak
| MD5 | e9fa4cada447b507878a568f82266353 |
| SHA1 | 4a38f9d11e12376e4d13e1ee8c4e0d082d545701 |
| SHA256 | 186c596d8555f8db77b3495b7ad6b7af616185ca6c74e5dfb6c39f368e3a12a4 |
| SHA512 | 1e8f97ff3daad3d70c992f332d007f3ddb16206e2ff4cffd3f2c5099da92a7ad6fb122b48796f5758fe334d9fbf0bbae5c552414debbb60fe5854aaa922e206e |
C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\et.pak
| MD5 | a94e1775f91ea8622f82ae5ab5ba6765 |
| SHA1 | ff17accdd83ac7fcc630e9141e9114da7de16fdb |
| SHA256 | 1606b94aef97047863481928624214b7e0ec2f1e34ec48a117965b928e009163 |
| SHA512 | a2575d2bd50494310e8ef9c77d6c1749420dfbe17a91d724984df025c47601976af7d971ecae988c99723d53f240e1a6b3b7650a17f3b845e3daeefaaf9fe9b9 |
C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\fa.pak
| MD5 | dcd3b982a52cdf8510a54830f270e391 |
| SHA1 | 3e0802460950512b98cd124ff9f1f53827e3437e |
| SHA256 | e70dfa2d5f61afe202778a3faf5ed92b8d162c62525db79d4ec82003d8773fa3 |
| SHA512 | 3d5b7fa1a685fa623ec7183c393e50007912872e22ca37fdc094badaefddeac018cc043640814a4df21bb429741dd295aa8719686461afa362e130b8e1441a12 |
C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\fi.pak
| MD5 | 5518b51d4af7f1b9d686cbea28b69e71 |
| SHA1 | df7f70846f059826c792a831e32247b2294c8e52 |
| SHA256 | 8ff1b08727c884d6b7b6c8b0a0b176706109ae7fe06323895e35325742fe5bd1 |
| SHA512 | b573050585c5e89a65fc45000f48a0f6aabccd2937f33a0b3fcbd8a8c817beaa2158f62a83c2cae6fcfb655f4a4f9a0c2f6505b41a90bc9d8ede74141ebc3266 |
C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\fil.pak
| MD5 | 3165351c55e3408eaa7b661fa9dc8924 |
| SHA1 | 181bee2a96d2f43d740b865f7e39a1ba06e2ca2b |
| SHA256 | 2630a9d5912c8ef023154c6a6fb5c56faf610e1e960af66abef533af19b90caa |
| SHA512 | 3b1944ea3cfcbe98d4ce390ea3a8ff1f6730eb8054e282869308efe91a9ddcd118290568c1fc83bd80e8951c4e70a451e984c27b400f2bde8053ea25b9620655 |
C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\fr.pak
| MD5 | 0445700799de14382201f2b8b840c639 |
| SHA1 | b2d2a03a981e6ff5b45bb29a594739b836f5518d |
| SHA256 | 9a57603f33cc1be68973bdd2022b00d9d547727d2d4dc15e91cc05ebc7730965 |
| SHA512 | 423f941ec35126a2015c5bb3bf963c8b4c71be5edfb6fc9765764409a562e028c91c952da9be8f250b25c82e8facec5cada6a4ae1495479d6b6342a0af9dda5f |
C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\gu.pak
| MD5 | 7b5f52f72d3a93f76337d5cf3168ebd1 |
| SHA1 | 00d444b5a7f73f566e98abadf867e6bb27433091 |
| SHA256 | 798ea5d88a57d1d78fa518bf35c5098cbeb1453d2cb02ef98cd26cf85d927707 |
| SHA512 | 10c6f4faab8ccb930228c1d9302472d0752be19af068ec5917249675b40f22ab24c3e29ec3264062826113b966c401046cff70d91e7e05d8aadcc0b4e07fec9b |
C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\he.pak
| MD5 | 93d9261f91bcd80d7f33f87bad35dda4 |
| SHA1 | a498434fd2339c5d6465a28d8babb80607db1b65 |
| SHA256 | 31661709ab05e2c392a7faeed5e863b718f6a5713d0d4bbdab28bc5fb6565458 |
| SHA512 | f213ff20e45f260174caa21eae5a58e73777cd94e4d929326deefbef01759d0200b2a14f427be1bb270dfcd2c6fb2fce789e60f668ac89ecf1849d7575302725 |
C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\hi.pak
| MD5 | b7e4892b2030e4f916364856b6cc470a |
| SHA1 | b08ad51e98e3b6949f61f0b9251f7281818cd23e |
| SHA256 | 093119a99f008ab15d0e5b34cd16ec6b4313554e6c3cffe44502bfce51470e3e |
| SHA512 | ca453025d73228592a4bfe747a3ea08b86327f733032a64ced0fc0c9e2e00b02450f133e691b94be13a3e69e22b43bca512e5f77b0e490320f0bf8e65571bb46 |
C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\hr.pak
| MD5 | 105472bc766a30bb71f13d86081de68d |
| SHA1 | d014103ad930889239efd92ecfdfcc669312af6c |
| SHA256 | a3a853a049735c7d474191dff19550a15503ecd20bafe44938eb12ea60e50b7c |
| SHA512 | ee7479d459eff8ec59206c2269df4e9fc1ca143e9b94a908eb8a5a1e16180bcc88f0b24d73c387f5853ea0418e737641f23146676232c1a3ac794611f7880f11 |
C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\hu.pak
| MD5 | b338dcb0e672fb7b2910ce2f561a8e38 |
| SHA1 | cf18c82ec89f52753f7258cdb01203fbc49bed99 |
| SHA256 | bcdf39aa7004984cb6c13aac655b2e43efeb387ce7d61964b063d6cf37773f7a |
| SHA512 | f95f6a8e36d99680fb3cdb439f09439782bcc325923ec54bdc4aeb8ec85cf31a3a2216e40e2b06c73a2f5e7439d8178d8becac72781a6d79808067e8ccf3cac6 |
C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\id.pak
| MD5 | bd9636e9c7dc7be4c7f53fb0b886be04 |
| SHA1 | 55421d0e8efcbef8c3b72e00a623fb65d33c953e |
| SHA256 | 5761ee7da9ca163e86e2023829d377a48af6f59c27f07e820731192051343f40 |
| SHA512 | 7c7e88ffd2b748e93122585b95850ded580e1136db39386ced9f4db0090e71394a1f9ceb937262c95969132c26bf6ce1684fbb97b6469ed10414171a2e8cc3a4 |
C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\it.pak
| MD5 | 7c981a25be0e02fba150e17d9669a536 |
| SHA1 | 3af10feb7cdc7bc091b80173301b1a3d4ef941d4 |
| SHA256 | ee2d2643ad7a8f97b7a6c070910866436cae0267a6691a3d8a88ed0948d8af49 |
| SHA512 | 445eecfa83e7635bc3442937bdf3b9c4a38ef3fbb7f07ca90a1d4222e1a29639f3fdce12b20e798888823f2d612e5972492b3786d37b256aec5c1c96cdb96b28 |
C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\ja.pak
| MD5 | f47efaa76f5200a6c0c23c33684d7bad |
| SHA1 | 9b24f6491a1171d3dfeae329e1f45ab3e3d9cf22 |
| SHA256 | 5b99d6a11d7b653681b2a2bb616cc1814451ad35c370d178b2ef6650465d4f2a |
| SHA512 | 67d130a66f03a4d1a0a30576b19fe44fa707cba764c6dcd355cbe891a2bcc0b25823ba2106e9271e06ada674f66824a5323b77d4984900516d2a8802af87960e |
C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\kn.pak
| MD5 | a603f3d899ccdcd9af20dcd8f87d0ed8 |
| SHA1 | f476355d6ea5c05b35ad74c08e2edfe5ff2881ad |
| SHA256 | 3c11a589aab0c5d9e5c18e6a95dce7e613089d3598b8fe54e656a8d97e22a6fd |
| SHA512 | f6b008080cae44d680faaab02911f62e21d042c55fc5af87e719e9bc4102b282e58e67f19f37f60fe8ba99f5b8cfd4e70a61af9918a9ee8e3d8ae72555d31c15 |
C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\ko.pak
| MD5 | b83bc27c5bc2bb4d0ff7934db87e12ad |
| SHA1 | 050f004e82f46053b6566300c9a7b1a6a6e84209 |
| SHA256 | ab3060e7d16de4d1536ff6dd4f82939a73388201ad7e2be15f3afee6a5aae0ef |
| SHA512 | b56b211587fe93a254198ca617cdecd8dc01e4561151a53173721665111c4d2440535f5f6b8a5a69a31840ea60124f4afd2c693d1fc4683fa2cf237c8ede5f0a |
C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\lt.pak
| MD5 | 96602a3f3b59faa997a4d337889fa02b |
| SHA1 | 94593a270b0d84c006e0959bc136b6c4987dfd3f |
| SHA256 | 51db5311de9dff41fb4eadda8ba7d5e492912f72c3754adaf8e3de23aba46f8a |
| SHA512 | dd45240494d09ad9a41be9d4056ed274e78a50dc85e6bff9438e707a84f65b77ebe522531370da99e50a6887d6063c29e9728b49df2b2b3c61362d774797fac2 |
C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\lv.pak
| MD5 | e4f7d9e385cb525e762ece1aa243e818 |
| SHA1 | 689d784379bac189742b74cd8700c687feeeded1 |
| SHA256 | 523d141e59095da71a41c14aec8fe9ee667ae4b868e0477a46dd18a80b2007ef |
| SHA512 | e4796134048cd12056d746f6b8f76d9ea743c61fee5993167f607959f11fd3b496429c3e61ed5464551fd1931de4878ab06f23a3788ee34bb56f53db25bcb6df |
C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\mr.pak
| MD5 | 25f2b9842e2c4c026e0fc4bc191a6915 |
| SHA1 | 7de7f82badb2183f1f294b63ca506322f4f2aafa |
| SHA256 | 771eb119a20fcc5e742a932a9a8c360a65c90a5fe26ab7633419966ba3e7db60 |
| SHA512 | ac6d2eeb439351eee0cf1784b941f6dd2f4c8c496455479ca76919bf7767cca48a04ba25fccde74751baa7c90b907b347396235a3ce70f15c1b8e5388e5c6107 |
C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\ml.pak
| MD5 | 3b1305ecca60fb5a7b3224a70398ead9 |
| SHA1 | 04e28fce93fc57360e9830e2f482028ffc58a0a2 |
| SHA256 | c10942f5333f0d710de4d3def7aa410c4576ffe476b3ea84aac736bfb9c40d67 |
| SHA512 | 68fdd944a153c16d18e73dd2aa75593f6ac13b8e87dbfb5bfccdd982a4f885bd9903c3ed1af781581cd3c5d42dd2ff21cc780f54fd71ab04a3237d08ed5a1554 |
C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\ms.pak
| MD5 | 9b3e2f3c49897228d51a324ab625eb45 |
| SHA1 | 8f3daec46e9a99c3b33e3d0e56c03402ccc52b9d |
| SHA256 | 61a3daae72558662851b49175c402e9fe6fd1b279e7b9028e49506d9444855c5 |
| SHA512 | 409681829a861cd4e53069d54c80315e0c8b97e5db4cd74985d06238be434a0f0c387392e3f80916164898af247d17e8747c6538f08c0ef1c5e92a7d1b14f539 |
C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\nb.pak
| MD5 | 7576c2fa9199a4121bc4a50ff6c439c3 |
| SHA1 | 55e3e2e651353e7566ed4dbe082ffc834363752b |
| SHA256 | 2a3dfc6b41fa50fabed387cb8f05debbc530fa191366b30c9cb9eaae50686bd5 |
| SHA512 | 86c44e43609e6eb61273f23d2242aa3d4a0bfa0ea653a86c8b663fa833283cc85a4356f4df653e85080f7437b81ae6201a3ecf898a63780b5ca67faa26d669fe |
C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\nl.pak
| MD5 | bc41967b2ff493e7f151c7721245739d |
| SHA1 | 7606133ddbb58492dbbf02c03a975fb48da1e26f |
| SHA256 | 3dbe5569f53d1314dcb1bc99540cf6a0fea45b6d67576fd0d14c688107892f32 |
| SHA512 | 9e395a3b5bbf64de3e474c56c4fb39879f107a9db246632cf6bb4b06160e05a82c0161d6496edb2bc29febb4a8f67ca7ea904167b860fd6da96636a6711cb593 |
C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\pl.pak
| MD5 | 61c093fac4021062e1838a32d79399c2 |
| SHA1 | 84a47537ef58d2507cf7697ea7e1e27b1f812ee8 |
| SHA256 | 58067ec06973f5dd7afebbe57bffce3a3ed9f8e5093af8fcefdb6a65b2b68b22 |
| SHA512 | 475d9d4f27cbc23efd9acf75024f993bcf7a8279e658ccbd84c8ac810e1c828de4dac4141298865faf1bb8858a7a88a12d1a21c467e8c656533e364ceff7e5dc |
C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\pt-BR.pak
| MD5 | a23c805ee4d3d67c811b50826ca25a51 |
| SHA1 | c14fa8b9c7073fe88e188cfa4b34883faccc2c09 |
| SHA256 | 62be4fb0bd3b8be563516bfea3f0848924bb7afb0c563d02c1508608a4487e3b |
| SHA512 | c478bd2234eef73aa08085d29b916ad1471576ff213f972c9616757172d0cdec6e5d6797a1f2635ac17a0bac34964a298e4ab4336479456ce10330128cd68a53 |
C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\pt-PT.pak
| MD5 | acffa29064f40a014bc7fe13e5ff58a9 |
| SHA1 | 5a0890c94084075446264469818753f699a3d154 |
| SHA256 | 423e7ccb22d32276320ed72f07186188e095c577db5bce7309c8bd589a2a8858 |
| SHA512 | d4572c81fdd3b7b69d77544f68b23ae0b546158033be503dbaab736d3ca1188b18916688234fae9ea29fa430258b2d2b95a93d0e8b74919a62040b84902d3b6e |
C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\ro.pak
| MD5 | 19cfc7c8f1a2e4a2de1f9f64475469bc |
| SHA1 | bf6c4f373c19b03e116d2593c64e1ceca47d79dc |
| SHA256 | 3e725f7a791aed1fbed57f075ca11ce389a5bd425ccce3c00537dad27e5a8dd6 |
| SHA512 | ff5254e3a3676b8f5e74cba6661ae43d5739c7363c66cb17f74dce158dc36cee103885f055846dd320b932f2e7fbdc831bcee6293d423ff9b842b68644f633bd |
C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\ru.pak
| MD5 | fc0e2fc09aa9089c5db75bab7a0754a7 |
| SHA1 | f3d1e3e1600ae188e801a81b6d233db9903b82df |
| SHA256 | 188b6405cb6c5b7c0b35050278a119c3ce41fb90883b9adb39fec15da0a05550 |
| SHA512 | 377e685d1d171d0a7158b56f356ca33d4493d07efa58d3c384e272e1b6829933552c69aff95215ae7d1a0f99616a20790708f5187ea10cfe46baa2bb522fc18f |
C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\sk.pak
| MD5 | 793c442420f27d54410cdb8d8ecce5ff |
| SHA1 | 8995e9e29dbaaa737777e9c9449b67ca4c5b4066 |
| SHA256 | 5a9d6b77ca43c8ed344416d854c2d945d8613e6c7936445d6fe35e410c7190bb |
| SHA512 | 291e3d2300c973966d85e15a1b270ba05c83696271a7c7d4063b91097a942590c9797a4d22dfbe154564b779dac92fd12db0d5b63f5f0406f818b956b126e7e9 |
C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\sl.pak
| MD5 | 4d9d56ef0b176e7f7aa14270e964ec77 |
| SHA1 | 515aac37e4f25ca50bd52ea73889b70b1e79863d |
| SHA256 | 6ba684a8f06f7eb175955b15d30c7162d92c7e7c48864dfb853238263e1be8c7 |
| SHA512 | 740adbb7d8b039f98e187f45a1a87d0354136fb48b75262e508f720bfcbeb2746f04d31a57dccd50e37ddb5a1b7c0ad79a01cac6ba5fb98a9af272ad99fcb169 |
C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\sv.pak
| MD5 | bbe0785c5f9591e8a1e7c4830fe949d6 |
| SHA1 | da4f3286079d50e1c04e923529e03e7d334c7fff |
| SHA256 | 0ad84f6f95fd7505862278a7c1c92d00a7e7dd4a765569e9c3086f55c1d7059d |
| SHA512 | 38bab6f3a6c9395d3b57e63168045ad2e8188b2f04751a15253e7226ec3043c9678a77be1eb27a3b2e751934a024f3ffc89fffd9f1e229e19638be318b53e961 |
C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\sw.pak
| MD5 | ee8da42ffe40fbb916c56390e2cd99e8 |
| SHA1 | 6d824f56afe6b3605a881d2c26e69a46e6675347 |
| SHA256 | 192e248c7ac4644f8712cf5032da1c6063d70662216ccf084205f902253aa827 |
| SHA512 | 7befe72b073000bc35a31323d666fd51d105a188d59c4a85d76ee72b6c8c83a39a1beb935c1079def8e3ffa8c4bf6044cf4f3bef0f1c850c789b57e1144ff714 |
C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\ta.pak
| MD5 | a8beab6896018a6d37f9b2e5bdd7a78c |
| SHA1 | 64310684247219a14ac3ac3b4c8ebaa602c5f03a |
| SHA256 | c68b708ba61b3eeab5ae81d9d85d6e9f92e416ecfae92e8de9965608732384df |
| SHA512 | 73b0a31235bf4b7c5ad673f08717f3b4f03bcdf2a91440ee7228aa78c2d15dd2aed32498e23ded78ec35bc731dbe16b6a1c236a170f2a84123a464857686c7b5 |
C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\te.pak
| MD5 | 02415ded02cc7ac25e8f8d0e83365061 |
| SHA1 | 5a25bf63ec97dbeb37e64ab3825cbbce6326a5cf |
| SHA256 | 97024f0cfac78e0c738e771beea1e35f5a8eb2b132b3043b59ce4ecd6c153523 |
| SHA512 | 54e658c6d432b29b031be278e5b4396ac14b0f85e1f772a0a76c0431d4cbe2370ff2898077837688e2fb9700db1eab7a19e4e350a280a2ffad8176d861d93e45 |
C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\th.pak
| MD5 | 293ad7c20c22d744e4db0fb001ec45bb |
| SHA1 | 486c9e0732306a45aceb633da2b3ded281197620 |
| SHA256 | d67d68f24d3347e244a7e8c3b63d47f18fcf37258256f48dad785cf98bb560fa |
| SHA512 | ac2b2dd82095925b3229958e89dcf5283bdce0273734a0c338f5a1aa8b014644806ca517f0fc2003669910e58fedf9c2ca7a009fa3f53d58c07bc5e9191f2e2f |
C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\ur.pak
| MD5 | d7ec7d551dee1e1ef11be3e2820052f9 |
| SHA1 | d7f2d35841883103c2773fc093a9a706b2fe5d36 |
| SHA256 | 05e45371159075048db688564b6bc707e0891303c40f490c3db428b0edd36102 |
| SHA512 | 92e2d32fc106812e08163a26f202a5d0e7eb7028a871f3bc6cbc05ee6c7ce287032179322b19e396308968515bf214534a38d93afc259a780ad7ba8432fab56a |
C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\zh-TW.pak
| MD5 | 8f67a9f38ad36d7d4a6b48e63852208d |
| SHA1 | f087c85c51bdbdef5998cfc3790835da95da982a |
| SHA256 | 92f26e692dc1309558f90278425a7e83e56974b6af84dbd8cc90324785ee71ca |
| SHA512 | 623034bbdfdf5d331de78b630f403aeb9cef27b1827e0d29ec66ad69310f56c7db96c6775df0e749f8112a4a8e75754bcf987903d415fc7ae360e3c39e6e18e0 |
C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\resources\app-update.yml
| MD5 | 1f3fc4ed1c35754da78d76ac2355e681 |
| SHA1 | 52a2ec4a1267e6b51fb9e376f38dd174799f57f3 |
| SHA256 | 08c1434ebe835e19645d055993023f8b8048ef6025792bd2ce685ef33f34abe3 |
| SHA512 | 155895169d921772c125922c82785b34e59ae0b35f909543bbcbb52b88f9b857d2997de335ea87cc4f582d8b928598de4addde423d21953d29d9e3e27932adbb |
C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\resources\app.asar
| MD5 | dcf84c7c6436284959898ff76df2601a |
| SHA1 | d64896cf933ef8399c23f678e2b5529c1074e8f9 |
| SHA256 | 9ab65922798b5f5c4056de45e44a5fdccc489a6321a3cabbfbd99d8ca9daa896 |
| SHA512 | 1e1361c6ec01637d83e340ef4069f5043fec4aa750df1fcaed5c9ef88e2a90108ca345789ef3053ca7970ebed73d9ab9cd66d5fdcb409038d4618de2037d4f80 |
C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\resources\dist\pages\cantLoad.html
| MD5 | af0ebfabf769eacba4deb6fbc9f002ce |
| SHA1 | 8b18e6f7c70bf329bb5f9f4c2436c7d6f95faed4 |
| SHA256 | 6bc293fd068ddac9c3d92116e09417ac768336c76b748fccdc9f167e6466c1d4 |
| SHA512 | 85d744eb091ed3a9e5b14eb4d87c5233b9909c732c5902c50a2cd38a9645a65dae8723f3773758e02a1a8c591da98fc589377702863090acb527fb20ceded709 |
C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\resources\extraResources\[email protected]
| MD5 | e9b992be1a5ea38cfdbc31508d80b3b9 |
| SHA1 | e8395346ff49413abda7950807938baaaeee042d |
| SHA256 | ca3525faef577979cc300996b230ab12f58b539d1361e2831868d515068c2346 |
| SHA512 | 930501bf1c6d71a2907217bd4c8bfe0231d890f1f665d51963b3011c805a305246d6e4e0ecf6cf6efad37edde6ffed3c7dd088594ac24aab1e13fabd21a35e1a |
C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\resources\extraResources\IconTemplate.png
| MD5 | 2c761c4c5b466c0d6c3fb51907f4a587 |
| SHA1 | 72bb96c24004b9cf6abde1ae870ebb2315169855 |
| SHA256 | c0abd9c5ecfb3cfcd8ef51d6efd969cacfc2c13c59815d067573977664461eec |
| SHA512 | 9722b18a6342ea91e5094b41b31eb2bbed4c2fb773f6309b9ad238dd52260773ed3e0ebfa38469ac970b51bf2665f45086fd112f1eb0390513665094b91ea560 |
C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\resources\dist\pages\icon-text-logo.svg
| MD5 | 9e058d4bc591160ec98e36aa65031b48 |
| SHA1 | 36254fd3bdb61ac27344a69594d91009122808fe |
| SHA256 | a6feedf1437cf6026a950771aee3798a310ad554ddf00508282bba9c50e48c79 |
| SHA512 | 4e0d4edc0385d9b114f0553c3b182313507ca08e3c680bdb78c7ef05e019b2d4b56a84801792d0923bf16b993918ad72b0029199adc52daa951b209a6c62a125 |
C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\resources\elevate.exe
| MD5 | 86050c2cbb9f996c1d7b5116fc67b21e |
| SHA1 | 59ec79f38d3a3bbe5b63b464bc720b426d7c300a |
| SHA256 | 288bce90fd6ffb1dd260f71f73765b9931c45015c3a963514855ae78f1becb9a |
| SHA512 | 9d4a1eb417b809299b9eeafc90323032dbea5b0ae9ddc799af6e4e36ecef61d2518dc4756bb4ac398d396926eb72e6886cb64c568dfad80e51c5320a74943b8f |
C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\zh-CN.pak
| MD5 | 9d4f54eb5a12cf4c2f34f5f538dff90b |
| SHA1 | c31b892ce78c733bde0571b6236170103cc9fe7a |
| SHA256 | 58b934a09858f037f1966a495e73d44416180afcdebfaefcee1f5e3377de63f7 |
| SHA512 | 46bf6099c50f7959a6f0800ec679b61a78efabe87985cad8dc0d7d0006470a9c61e659bde0258da6cf7ed6104749a157f5ad133f324479c3460a19fc14e31c37 |
C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\vi.pak
| MD5 | 9274866d7c6314f43dd63ed293293e25 |
| SHA1 | 4af0e6ec1bcb99588810a9fb69c1dc2bbad892fc |
| SHA256 | dcbdc6d9e11dd10fc1364c10be5438ce2697f61ec5f32997c43b87238087c4e3 |
| SHA512 | 3c8c9e9960a49469af83cae31790a03e41846163c14d3dae45fd92a1a412c82075bdef3317baca02399eb53de0f9164c0a9a17b7cd63e0fa61c3e4617393c42e |
C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\uk.pak
| MD5 | e4c4e3700469704b936460ca1a90fcc0 |
| SHA1 | e809990fc07a1d39fe623046382699e648e343c0 |
| SHA256 | 29af2abc75a35bb9e3f9bc6e2904228ba651ea4e0ce8e9c7a2d7e272374b9ebb |
| SHA512 | 68e33f471c5bf2d4ed9cb00ace3e094ef102a5f1566a6e2c8a3007ef7fbd8a24c36eb36b08745f3608e70940444e9fc7a36fabe1a9945d1f00b4f3f28c7bdaf6 |
C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\tr.pak
| MD5 | 9f24f44cac0997e1d0a6a419520f3bfe |
| SHA1 | edb61859cbb5d77c666aac98379d4155188f4ff5 |
| SHA256 | 3aff7dcbfb1a244cc29b290376b52cfb3e1f844c98facafea17b4a45ce064b8a |
| SHA512 | 65fbe2d7fea37db59b805d031f6ae85d628a51b254e76e8c2b4ef4b5153527b7e2412ed6a0961d174b8a5581b521b0436160fe5ed252f78303bcfde815733d81 |
C:\Users\Admin\AppData\Local\Temp\nsd282A.tmp\7z-out\locales\sr.pak
| MD5 | cf160983a86b51ec42845f4e60ac9123 |
| SHA1 | 4d3bd86a7ef1eaadb8bec0b79ecc6c05b4273a48 |
| SHA256 | ef07512fb337005bb66696c69722a0d65bfb749b9d2f763f5b2ff2885cb247a4 |
| SHA512 | b909fc3614c3250856d2c502cbfed5eb6e398140b801669bf92427e7e8a5939b14052b9abf2c94749f1aea61946ff66be4978c68064196458733bcff0a963ffa |
\Users\Admin\AppData\Local\Temp\nsd282A.tmp\WinShell.dll
| MD5 | 1cc7c37b7e0c8cd8bf04b6cc283e1e56 |
| SHA1 | 0b9519763be6625bd5abce175dcc59c96d100d4c |
| SHA256 | 9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6 |
| SHA512 | 7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f |
memory/2968-602-0x0000000002BD0000-0x0000000002BD2000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-05-10 23:34
Reported
2024-05-10 23:38
Platform
win7-20240220-en
Max time kernel
119s
Max time network
122s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 220
Network
Files
Analysis: behavioral28
Detonation Overview
Submitted
2024-05-10 23:34
Reported
2024-05-10 23:38
Platform
win7-20240508-en
Max time kernel
122s
Max time network
128s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe
"C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe"
Network
Files
Analysis: behavioral31
Detonation Overview
Submitted
2024-05-10 23:34
Reported
2024-05-10 23:39
Platform
win10v2004-20240426-en
Max time kernel
145s
Max time network
156s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\vk_swiftshader.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 171.117.168.52.in-addr.arpa | udp |
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-05-10 23:34
Reported
2024-05-10 23:38
Platform
win10v2004-20240426-en
Max time kernel
144s
Max time network
157s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3dcompiler_47.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.79.70.13.in-addr.arpa | udp |
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-05-10 23:34
Reported
2024-05-10 23:39
Platform
win7-20240221-en
Max time kernel
123s
Max time network
140s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3032 wrote to memory of 3036 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 3032 wrote to memory of 3036 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 3032 wrote to memory of 3036 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3032 -s 92
Network
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-05-10 23:34
Reported
2024-05-10 23:39
Platform
win7-20240508-en
Max time kernel
122s
Max time network
129s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\locales\uk.ps1
Network
Files
memory/2548-4-0x000007FEF56BE000-0x000007FEF56BF000-memory.dmp
memory/2548-5-0x000000001B730000-0x000000001BA12000-memory.dmp
memory/2548-6-0x0000000002290000-0x0000000002298000-memory.dmp
memory/2548-7-0x000007FEF5400000-0x000007FEF5D9D000-memory.dmp
memory/2548-8-0x000007FEF5400000-0x000007FEF5D9D000-memory.dmp
memory/2548-9-0x000007FEF5400000-0x000007FEF5D9D000-memory.dmp
memory/2548-10-0x000007FEF5400000-0x000007FEF5D9D000-memory.dmp
Analysis: behavioral27
Detonation Overview
Submitted
2024-05-10 23:34
Reported
2024-05-10 23:39
Platform
win10v2004-20240508-en
Max time kernel
146s
Max time network
156s
Command Line
Signatures
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\resources\dist\pages\cantLoad.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9f50846f8,0x7ff9f5084708,0x7ff9f5084718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,14256341652610180205,18133452609569422491,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,14256341652610180205,18133452609569422491,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,14256341652610180205,18133452609569422491,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14256341652610180205,18133452609569422491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14256341652610180205,18133452609569422491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,14256341652610180205,18133452609569422491,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,14256341652610180205,18133452609569422491,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14256341652610180205,18133452609569422491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=180 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14256341652610180205,18133452609569422491,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14256341652610180205,18133452609569422491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14256341652610180205,18133452609569422491,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,14256341652610180205,18133452609569422491,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1048 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 72.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bearly.ai | udp |
| US | 104.26.11.184:443 | bearly.ai | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| US | 2.18.190.80:80 | apps.identrust.com | tcp |
| US | 8.8.8.8:53 | a.nel.cloudflare.com | udp |
| US | 35.190.80.1:443 | a.nel.cloudflare.com | tcp |
| US | 35.190.80.1:443 | a.nel.cloudflare.com | udp |
| US | 8.8.8.8:53 | 184.11.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.80.190.35.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 52.111.229.43:443 | tcp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 87f7abeb82600e1e640b843ad50fe0a1 |
| SHA1 | 045bbada3f23fc59941bf7d0210fb160cb78ae87 |
| SHA256 | b35d6906050d90a81d23646f86c20a8f5d42f058ffc6436fb0a2b8bd71ee1262 |
| SHA512 | ea8e7f24ab823ad710ce079c86c40aa957353a00d2775732c23e31be88a10d212e974c4691279aa86016c4660f5795febf739a15207833df6ed964a9ed99d618 |
\??\pipe\LOCAL\crashpad_808_RBNLDFQWJNCYEMIA
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | f61fa5143fe872d1d8f1e9f8dc6544f9 |
| SHA1 | df44bab94d7388fb38c63085ec4db80cfc5eb009 |
| SHA256 | 284a24b5b40860240db00ef3ae6a33c9fa8349ab5490a634e27b2c6e9a191c64 |
| SHA512 | 971000784a6518bb39c5cf043292c7ab659162275470f5f6b632ea91a6bcae83bc80517ceb983dd5abfe8fb4e157344cb65c27e609a879eec00b33c5fad563a6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | f914f40103b77cf0af8c70f024f3d4c5 |
| SHA1 | 19c6291e36aae7ac9c9dae6f0c65727f01d8aa9e |
| SHA256 | c16ef57dd89a088a5127ebcec543049fc827906bfa84e56619077ace14e85d0f |
| SHA512 | eada041390ef5cfafdfb3ab2300ca55fe545b8fd7538f70f6d4cf7df4cd70a597ee2ee1eaa96938aab6af4341c6e6d8f5db74deb14c920ded00d782d0d08f302 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 206702161f94c5cd39fadd03f4014d98 |
| SHA1 | bd8bfc144fb5326d21bd1531523d9fb50e1b600a |
| SHA256 | 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167 |
| SHA512 | 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 6e6730220accea5b24bc1f74f06e80a6 |
| SHA1 | 7423d925ebc684df76e292afa0cf48490cd19340 |
| SHA256 | 01167852305922a4bbe377968cf64842b62d26584bac9b39e544b4b89c3b1893 |
| SHA512 | 57b3d874b3ce6ea681b599230f2bea798a3b00934626f628b53a5c3397b5b359f7f090005f4caa9038d8a3fd24eed4aba97e234657e76ece4ee626c1ce6c8367 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 9f4d2c75896545ce1dc5b1b568af997d |
| SHA1 | 6b085585bd6e1fe984b0d2a35bbc61534af1250c |
| SHA256 | 85586db8d8a0d38b837b0f9eef99e7be33adde62a5e2a5217c6edc61b2eb2f52 |
| SHA512 | e9118e10a39c909af9e014b7a0ad21ba609082c789b4af4195549f4d6414afd60af7a285890222841e9a4c02cddee7dcffe86c070d4007958cd321f84cee02e2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 70326e337a61ddee1dcd73352b918cc1 |
| SHA1 | d7f16a9c41e95ff90ba890fc43515d6878efe3c7 |
| SHA256 | e76a3b0cc02942884d8381ffd4a28d52e623cf7460c0bdf327d134ed82b4f0ad |
| SHA512 | 0f5befb7ed3e6a64f6cf13df802125cb0cc7f25de5b7a165538965e71b2fd0c303fe6f17719319f137a5bf57ce77da72a3999c4b0d414130a9fa31f57cf9cb20 |
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-10 23:34
Reported
2024-05-10 23:38
Platform
win10v2004-20240226-en
Max time kernel
137s
Max time network
162s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4860 wrote to memory of 2032 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4860 wrote to memory of 2032 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4860 wrote to memory of 2032 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SpiderBanner.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SpiderBanner.dll,#1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| GB | 142.250.187.202:443 | tcp | |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.179.89.13.in-addr.arpa | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-05-10 23:34
Reported
2024-05-10 23:38
Platform
win7-20240508-en
Max time kernel
119s
Max time network
122s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 344 -s 220
Network
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-05-10 23:34
Reported
2024-05-10 23:38
Platform
win7-20240508-en
Max time kernel
120s
Max time network
128s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\locales\af.ps1
Network
Files
memory/2816-4-0x000007FEF61AE000-0x000007FEF61AF000-memory.dmp
memory/2816-7-0x000007FEF5EF0000-0x000007FEF688D000-memory.dmp
memory/2816-6-0x0000000002890000-0x0000000002898000-memory.dmp
memory/2816-5-0x000000001B430000-0x000000001B712000-memory.dmp
memory/2816-8-0x000007FEF5EF0000-0x000007FEF688D000-memory.dmp
memory/2816-9-0x000007FEF5EF0000-0x000007FEF688D000-memory.dmp
memory/2816-10-0x000007FEF5EF0000-0x000007FEF688D000-memory.dmp
memory/2816-11-0x000007FEF5EF0000-0x000007FEF688D000-memory.dmp
memory/2816-12-0x000007FEF5EF0000-0x000007FEF688D000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-05-10 23:34
Reported
2024-05-10 23:39
Platform
win7-20240221-en
Max time kernel
117s
Max time network
122s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\Bearly.exe
"C:\Users\Admin\AppData\Local\Temp\Bearly.exe"
Network
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-05-10 23:34
Reported
2024-05-10 23:38
Platform
win10v2004-20240426-en
Max time kernel
150s
Max time network
157s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Bearly.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Bearly.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Bearly.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Bearly.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Bearly.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\AppData\Local\Temp\Bearly.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\Bearly.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Users\Admin\AppData\Local\Temp\Bearly.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | C:\Users\Admin\AppData\Local\Temp\Bearly.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\Bearly.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 | C:\Users\Admin\AppData\Local\Temp\Bearly.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\bearly\ = "URL:bearly" | C:\Users\Admin\AppData\Local\Temp\Bearly.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\bearly\shell\open\command | C:\Users\Admin\AppData\Local\Temp\Bearly.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\bearly\shell | C:\Users\Admin\AppData\Local\Temp\Bearly.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\bearly\shell\open | C:\Users\Admin\AppData\Local\Temp\Bearly.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\bearly\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Bearly.exe\" \"%1\"" | C:\Users\Admin\AppData\Local\Temp\Bearly.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\bearly | C:\Users\Admin\AppData\Local\Temp\Bearly.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\bearly\URL Protocol | C:\Users\Admin\AppData\Local\Temp\Bearly.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bearly.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bearly.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bearly.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bearly.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bearly.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bearly.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bearly.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bearly.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bearly.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bearly.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bearly.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bearly.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bearly.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bearly.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bearly.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bearly.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bearly.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Bearly.exe
"C:\Users\Admin\AppData\Local\Temp\Bearly.exe"
C:\Users\Admin\AppData\Local\Temp\Bearly.exe
C:\Users\Admin\AppData\Local\Temp\Bearly.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\Bearly /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\Bearly\Crashpad --url=https://f.a.k/e --annotation=_productName=Bearly --annotation=_version=3.0.0 --annotation=plat=Win64 --annotation=prod=Electron --annotation=ver=24.4.0 --initial-client-data=0x470,0x474,0x478,0x46c,0x47c,0x7ff69145dc70,0x7ff69145dc80,0x7ff69145dc90
C:\Users\Admin\AppData\Local\Temp\Bearly.exe
"C:\Users\Admin\AppData\Local\Temp\Bearly.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Bearly" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1744 --field-trial-handle=1748,i,5193812319012649365,17365156507467696509,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
C:\Users\Admin\AppData\Local\Temp\Bearly.exe
"C:\Users\Admin\AppData\Local\Temp\Bearly.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Bearly" --standard-schemes --secure-schemes --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --mojo-platform-channel-handle=1996 --field-trial-handle=1748,i,5193812319012649365,17365156507467696509,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
C:\Users\Admin\AppData\Local\Temp\Bearly.exe
"C:\Users\Admin\AppData\Local\Temp\Bearly.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Bearly" --standard-schemes --secure-schemes --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2344 --field-trial-handle=1748,i,5193812319012649365,17365156507467696509,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Bearly
C:\Users\Admin\AppData\Local\Temp\Bearly.exe
"C:\Users\Admin\AppData\Local\Temp\Bearly.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Bearly" --standard-schemes --secure-schemes --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3600 --field-trial-handle=1748,i,5193812319012649365,17365156507467696509,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
C:\Users\Admin\AppData\Local\Temp\Bearly.exe
"C:\Users\Admin\AppData\Local\Temp\Bearly.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Bearly" --standard-schemes --secure-schemes --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3768 --field-trial-handle=1748,i,5193812319012649365,17365156507467696509,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
C:\Users\Admin\AppData\Local\Temp\Bearly.exe
"C:\Users\Admin\AppData\Local\Temp\Bearly.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\Bearly" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2280 --field-trial-handle=1748,i,5193812319012649365,17365156507467696509,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 72.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bearly.ai | udp |
| US | 8.8.8.8:53 | bearly.ai | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 104.26.10.184:443 | bearly.ai | tcp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| NL | 173.194.69.84:443 | accounts.google.com | tcp |
| US | 8.8.8.8:53 | 155.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 184.10.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 84.69.194.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | o4504114762612736.ingest.sentry.io | udp |
| US | 8.8.8.8:53 | o4504114762612736.ingest.sentry.io | udp |
| US | 8.8.8.8:53 | js.stripe.com | udp |
| US | 8.8.8.8:53 | js.stripe.com | udp |
| US | 34.120.195.249:443 | o4504114762612736.ingest.sentry.io | tcp |
| AT | 13.32.110.113:443 | js.stripe.com | tcp |
| US | 34.120.195.249:443 | o4504114762612736.ingest.sentry.io | udp |
| US | 34.120.195.249:443 | o4504114762612736.ingest.sentry.io | tcp |
| US | 8.8.8.8:53 | exec.bearly.ai | udp |
| US | 8.8.8.8:53 | exec.bearly.ai | udp |
| US | 104.26.11.184:443 | exec.bearly.ai | tcp |
| US | 8.8.8.8:53 | 249.195.120.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 113.110.32.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api2.amplitude.com | udp |
| US | 8.8.8.8:53 | api2.amplitude.com | udp |
| US | 54.68.45.63:443 | api2.amplitude.com | tcp |
| AT | 13.32.110.113:443 | js.stripe.com | tcp |
| US | 8.8.8.8:53 | m.stripe.network | udp |
| US | 8.8.8.8:53 | m.stripe.network | udp |
| US | 151.101.0.176:443 | m.stripe.network | tcp |
| US | 8.8.8.8:53 | 184.11.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 63.45.68.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.0.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | m.stripe.com | udp |
| US | 8.8.8.8:53 | m.stripe.com | udp |
| US | 54.213.45.60:443 | m.stripe.com | tcp |
| US | 8.8.8.8:53 | r.stripe.com | udp |
| US | 8.8.8.8:53 | r.stripe.com | udp |
| US | 54.187.159.182:443 | r.stripe.com | tcp |
| US | 8.8.8.8:53 | 60.45.213.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:443 | dns.google | tcp |
| US | 8.8.4.4:443 | dns.google | tcp |
| US | 8.8.4.4:443 | dns.google | tcp |
| US | 8.8.8.8:53 | 182.159.187.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.4.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 208.143.182.52.in-addr.arpa | udp |
Files
\??\pipe\crashpad_692_YMEFZCFDGPTIUNBX
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.exc
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
C:\Users\Admin\AppData\Roaming\Bearly\Session Storage\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Roaming\Bearly\Service Worker\Database\MANIFEST-000001
| MD5 | 5af87dfd673ba2115e2fcf5cfdb727ab |
| SHA1 | d5b5bbf396dc291274584ef71f444f420b6056f1 |
| SHA256 | f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4 |
| SHA512 | de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b |
C:\Users\Admin\AppData\Roaming\Bearly\config.json.tmp-5384186143ae4667
| MD5 | b571feedd7a6cfefa26b73514d57a7c7 |
| SHA1 | 33d4945a08a2040a4707b44d21483cd00858cb7d |
| SHA256 | bf7d1e5bafc682ba7bf07389750e4165fa3076e69625630998b4a528f5e6d635 |
| SHA512 | 8d2f594f4f568005005f2ba23bdd67ccdfd4bf56ada577993aaed596c839263f223dc2180897b906d8a8e94fd060eccda97a6cc2f464bd507182db45f4a017c7 |
C:\Users\Admin\AppData\Roaming\Bearly\config.json.tmp-5384186271b57736
| MD5 | 0c2bb92bc63d59da117b6542b8ca9edb |
| SHA1 | 1841f159e4e2074fd921877937016a21ff4f0f90 |
| SHA256 | dc011a83b38ed30c2eb64000cd76d92dd2fa807170fbe2dbab77bc5221471ab3 |
| SHA512 | 8b4f251a74afe73a4c8fa003b5e0d65b33ac642567c73500783f1339e892fe76f3e524d5b56faf0bdff6a799c9581136fe33ac6fc1f135400440ce05abd57e9f |
C:\Users\Admin\AppData\Roaming\Bearly\config.json
| MD5 | 1ffb53e0bcfa1dfde7672728e3114815 |
| SHA1 | ec46721ab0c27d9e707f63c2ee748c954d775de2 |
| SHA256 | 8e3ed5120a02820b427cb66f4f10c93aa4ca6415f332686b39174a6e04a70c76 |
| SHA512 | 5aaabd51ac0b126c05d881e07fdaf1d82e86f5c6b5aea347ea53ea507fad953409e213ca0ae05bbf0921b478b595fbdbfada1eafd5ec39fbb9454434f0f5d424 |
memory/8484-1143-0x00007FFD9AF50000-0x00007FFD9AF51000-memory.dmp
memory/8484-1142-0x00007FFD9A0B0000-0x00007FFD9A0B1000-memory.dmp
C:\Users\Admin\AppData\Roaming\Bearly\Preferences~RFe57ad38.TMP
| MD5 | d11dedf80b85d8d9be3fec6bb292f64b |
| SHA1 | aab8783454819cd66ddf7871e887abdba138aef3 |
| SHA256 | 8029940de92ae596278912bbbd6387d65f4e849d3c136287a1233f525d189c67 |
| SHA512 | 6b7ec1ca5189124e0d136f561ca7f12a4653633e2d9452d290e658dfe545acf6600cc9496794757a43f95c91705e9549ef681d4cc9e035738b03a18bdc2e25f0 |
C:\Users\Admin\AppData\Roaming\Bearly\Preferences
| MD5 | 58127c59cb9e1da127904c341d15372b |
| SHA1 | 62445484661d8036ce9788baeaba31d204e9a5fc |
| SHA256 | be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de |
| SHA512 | 8d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a |
memory/8484-1179-0x000001E995C50000-0x000001E99638F000-memory.dmp
memory/8664-1180-0x0000020083370000-0x0000020083AAF000-memory.dmp
C:\Users\Admin\AppData\Roaming\Bearly\Service Worker\ScriptCache\index-dir\the-real-index~RFe57d92a.TMP
| MD5 | f37d6ea802d93973529465588c508a07 |
| SHA1 | 9dbf321582446b065d5fa8d323fe2ca10ae004ae |
| SHA256 | 1b975f267e01c478c01f1d2f834c73e9db74625af53a7136df95ebcaca675df9 |
| SHA512 | ba8886f1748349c394e1c2955bd118aa0f85a66a145a78e10d825627598f2b2d66b8c45b8f30198fa61f37980b904d0a2af3cc18bc42ee8ffe8f190b2f11bbd2 |
C:\Users\Admin\AppData\Roaming\Bearly\Service Worker\ScriptCache\index-dir\the-real-index
| MD5 | e1ceb65fbc852fa3dfeb4f9864367dd1 |
| SHA1 | 01abce0bd9f84758ae986c19258503023b79bf47 |
| SHA256 | d81d1cb04d50aa4cb7b27251c28ef901dc3bc4e6f4d87a14ff8333a54a618c29 |
| SHA512 | 93558fd5d1099be3fe8d0ea9f511ce60ec2aa6eaa36904c8ff40a8c2c686c079255c9dcaedc9a2aad044ce822154eb5635ae0a321fed410bc1470f8f2b214941 |
C:\Users\Admin\AppData\Roaming\Bearly\Code Cache\js\index-dir\the-real-index
| MD5 | ce6897c93cd95c4f1111b09a38e1bf21 |
| SHA1 | 8c841f0cf03159b3669eb14b4c718ca8bd134829 |
| SHA256 | d191f686ca767e379e3586dc685b574a8620f49c0704bc25bb3e808a5aae9ff0 |
| SHA512 | 83c74930c8f950c991db356a35dfcfd1a13695ff839a9c8d79e114e014354e903dc888f81f3f4306792d1f44496071c035eeb3250df3ed7e74b7cfe091d8efb9 |
C:\Users\Admin\AppData\Roaming\Bearly\Code Cache\js\index-dir\the-real-index
| MD5 | fbd5b9b6af3a0b0d113e3879b0360e95 |
| SHA1 | c859ce1236b83b6c35b61fd3b37f4ccc265de11d |
| SHA256 | 145b298b79960da361e959483ec621082043aacb7a570dee9d195970634fa5bd |
| SHA512 | df46fb9fc022aaa94ba5cc059f2a460655cf607b693e1c32609c57f09fd0f32bf3415f3c7e80de97580d586f4bc2a992366e079c9b58b771ab7672220b0463fb |
C:\Users\Admin\AppData\Roaming\Bearly\Network\Network Persistent State~RFe589892.TMP
| MD5 | 2800881c775077e1c4b6e06bf4676de4 |
| SHA1 | 2873631068c8b3b9495638c865915be822442c8b |
| SHA256 | 226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974 |
| SHA512 | e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b |
C:\Users\Admin\AppData\Roaming\Bearly\Network\Network Persistent State
| MD5 | ae9cf944d6acb598b79e83bf414d5cde |
| SHA1 | 243078ac641df7fbd144d16dfb9e868d0a991ec1 |
| SHA256 | 43a936e84ff4432cece64e9ce209519a5b6d1c40589180c6ecde2e5ea0dcbb4c |
| SHA512 | a1ed0bffccba660db234455cc88a8ce0532f94cb5cd2ba52e00d77a261faa078a08a24a54ec9fd3b11dd35437af4907d3aff119432d5523d58f45ee787006845 |
memory/5696-1229-0x000001D38CD50000-0x000001D38CD51000-memory.dmp
memory/5696-1231-0x000001D38CD50000-0x000001D38CD51000-memory.dmp
memory/5696-1230-0x000001D38CD50000-0x000001D38CD51000-memory.dmp
memory/5696-1236-0x000001D38CD50000-0x000001D38CD51000-memory.dmp
memory/5696-1235-0x000001D38CD50000-0x000001D38CD51000-memory.dmp
memory/5696-1241-0x000001D38CD50000-0x000001D38CD51000-memory.dmp
memory/5696-1240-0x000001D38CD50000-0x000001D38CD51000-memory.dmp
memory/5696-1239-0x000001D38CD50000-0x000001D38CD51000-memory.dmp
memory/5696-1238-0x000001D38CD50000-0x000001D38CD51000-memory.dmp
memory/5696-1237-0x000001D38CD50000-0x000001D38CD51000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-05-10 23:34
Reported
2024-05-10 23:38
Platform
win10v2004-20240426-en
Max time kernel
148s
Max time network
161s
Command Line
Signatures
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaa5fa46f8,0x7ffaa5fa4708,0x7ffaa5fa4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,4144259079336062141,16915924828027975499,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2056 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2028,4144259079336062141,16915924828027975499,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2028,4144259079336062141,16915924828027975499,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,4144259079336062141,16915924828027975499,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,4144259079336062141,16915924828027975499,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,4144259079336062141,16915924828027975499,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,4144259079336062141,16915924828027975499,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,4144259079336062141,16915924828027975499,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5760 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,4144259079336062141,16915924828027975499,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5760 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,4144259079336062141,16915924828027975499,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,4144259079336062141,16915924828027975499,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,4144259079336062141,16915924828027975499,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2012 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | f53207a5ca2ef5c7e976cbb3cb26d870 |
| SHA1 | 49a8cc44f53da77bb3dfb36fc7676ed54675db43 |
| SHA256 | 19ab4e3c9da6d9cedda7461efdba9a2085e743513ab89f1dd0fd5a8f9486ad23 |
| SHA512 | be734c7e8afda19f445912aef0d78f9941add29baebd4a812bff27f10a1d78b52aeb11c551468c8644443c86e1a2a6b2e4aead3d7f81d39925e3c20406ac1499 |
\??\pipe\LOCAL\crashpad_5080_YUCHKRMAJXDVSLPL
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | ae54e9db2e89f2c54da8cc0bfcbd26bd |
| SHA1 | a88af6c673609ecbc51a1a60dfbc8577830d2b5d |
| SHA256 | 5009d3c953de63cfd14a7d911156c514e179ff07d2b94382d9caac6040cb72af |
| SHA512 | e3b70e5eb7321b9deca6f6a17424a15b9fd5c4008bd3789bd01099fd13cb2f4a2f37fe4b920fb51c50517745b576c1f94df83efd1a7e75949551163985599998 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 7add51771e26edbd949b10260b7fd185 |
| SHA1 | fb77db6ed126a18df76fa1e9d2d59a40053120ab |
| SHA256 | 26ce6516901190dfab81609b045e46cad5670c0b420cd51d599833fb3e1f6108 |
| SHA512 | 82882750244e565dbd5521add5d84470d388944df833b74442339897a92bf7fd5eaf38602ca8109bb1e7778fb26002b301934273bd45f72de71e867769ccd65c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | cf282f2a3ee3525a50d1313218a16d9c |
| SHA1 | b4f8de6b2148b6e530dd736f8fcbebe18f9ee165 |
| SHA256 | 42da710967d0b8a5243b8a33ec9bf3f6ec0d2c7e2cf295831965bfc6790369c2 |
| SHA512 | b9ca6b0a1c50e5e113eb9c956a455072ad848f4e1b7e624d75487dce62234e4d9ca304c9e1996b38c3e517401729828834e347b1789459b8e5240e6d83429c18 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | baae728a08471c18aab47aaee50f6eea |
| SHA1 | ba31db4f65a9f59a3853c7035b0f65b67dbf4471 |
| SHA256 | d83fb70b1584d964fd41c483a53f948cdd5aaf06ea1652802f3a1b296c78d33d |
| SHA512 | 5ba2e85de0045f2ed878fe4c48c1e563451c507a3fa7d20d2ca25b299d94e736187fd0359e142aad9d194b7a6c8b133215e618dbc72db7642cec49483bd7bff8 |
Analysis: behavioral25
Detonation Overview
Submitted
2024-05-10 23:34
Reported
2024-05-10 23:39
Platform
win10v2004-20240508-en
Max time kernel
119s
Max time network
159s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\locales\uk.ps1
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x47c 0x4f0
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.73.42.20.in-addr.arpa | udp |
Files
memory/3960-0-0x00007FFBF7583000-0x00007FFBF7585000-memory.dmp
memory/3960-1-0x0000023A3B4B0000-0x0000023A3B4D2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bb0mp5uq.de1.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3960-11-0x00007FFBF7580000-0x00007FFBF8041000-memory.dmp
memory/3960-12-0x00007FFBF7580000-0x00007FFBF8041000-memory.dmp
memory/3960-13-0x00007FFBF7580000-0x00007FFBF8041000-memory.dmp
memory/3960-16-0x00007FFBF7580000-0x00007FFBF8041000-memory.dmp
Analysis: behavioral29
Detonation Overview
Submitted
2024-05-10 23:34
Reported
2024-05-10 23:38
Platform
win10v2004-20240426-en
Max time kernel
146s
Max time network
154s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe
"C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 52.111.227.11:443 | tcp | |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral32
Detonation Overview
Submitted
2024-05-10 23:34
Reported
2024-05-10 23:39
Platform
win7-20231129-en
Max time kernel
119s
Max time network
124s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1988 wrote to memory of 1932 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 1988 wrote to memory of 1932 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 1988 wrote to memory of 1932 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\vulkan-1.dll,#1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1988 -s 88
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-05-10 23:34
Reported
2024-05-10 23:38
Platform
win7-20240419-en
Max time kernel
117s
Max time network
120s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 220
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-05-10 23:34
Reported
2024-05-10 23:38
Platform
win10v2004-20240508-en
Max time kernel
92s
Max time network
98s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4224 wrote to memory of 536 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4224 wrote to memory of 536 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4224 wrote to memory of 536 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 536 -ip 536
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-05-10 23:34
Reported
2024-05-10 23:38
Platform
win7-20240508-en
Max time kernel
119s
Max time network
129s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1