Malware Analysis Report

2025-06-15 20:09

Sample ID 240602-svy39aff2t
Target Vanta_2.zip
SHA256 9414a90b14548198cad31eacaa78fda296788134f8c2c5b97a8a4da005614b3c
Tags
spyware stealer
Score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
7/10

SHA256

9414a90b14548198cad31eacaa78fda296788134f8c2c5b97a8a4da005614b3c

Threat Level: Shows suspicious behavior

The file Vanta_2.zip was found to show suspicious behavior.

Malicious Activity Summary

spyware stealer

Reads user/profile data of web browsers

Executes dropped EXE

Drops startup file

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

An obfuscated cmd.exe command-line is typically used to evade detection.

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Enumerates processes with tasklist

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-02 15:28

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-02 15:27

Reported

2024-06-02 15:33

Platform

win10-20240404-en

Max time kernel

130s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe

"C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe"

Network

Country Destination Domain Proto
US 52.111.227.14:443 N/A tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 10.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-02 15:27

Reported

2024-06-02 15:33

Platform

win10-20240404-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A

Reads user/profile data of web browsers

spyware stealer

An obfuscated cmd.exe command-line is typically used to evade detection.

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2764 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Windows\system32\cmd.exe
PID 4628 wrote to memory of 4512 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2764 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
PID 2764 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
PID 2764 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Windows\system32\cmd.exe
PID 4640 wrote to memory of 5044 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2764 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe

Processes

C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe

"C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe

"C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\runtimebroker" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1640,i,1596845459529173983,10433284641322131880,131072 --disable-features=BlinkSchedulerMicroTaskQueuePerWindowAgent,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe

"C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\runtimebroker" --mojo-platform-channel-handle=1924 --field-trial-handle=1640,i,1596845459529173983,10433284641322131880,131072 --disable-features=BlinkSchedulerMicroTaskQueuePerWindowAgent,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,129,132,208,105,27,200,155,69,148,63,132,151,193,171,245,199,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,20,242,94,195,217,131,251,84,205,102,235,132,48,175,215,233,58,104,31,171,100,142,213,24,82,96,163,176,159,65,10,161,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,194,96,31,237,153,228,196,235,67,63,63,123,23,30,120,193,160,114,28,237,7,182,110,235,124,60,229,100,112,94,136,37,48,0,0,0,232,79,168,222,154,162,92,27,204,48,96,255,158,47,79,99,20,169,37,29,155,94,9,190,100,184,17,13,111,203,246,127,213,115,76,184,169,224,214,73,213,153,205,44,10,117,77,20,64,0,0,0,112,220,183,239,118,64,62,76,128,209,29,65,10,41,111,112,40,67,182,43,89,156,210,235,71,186,209,77,72,177,164,8,118,136,26,76,208,22,136,231,188,225,12,229,76,242,70,122,69,130,209,202,109,24,89,92,54,167,97,241,149,119,207,64), $null, 'CurrentUser')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,129,132,208,105,27,200,155,69,148,63,132,151,193,171,245,199,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,20,242,94,195,217,131,251,84,205,102,235,132,48,175,215,233,58,104,31,171,100,142,213,24,82,96,163,176,159,65,10,161,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,194,96,31,237,153,228,196,235,67,63,63,123,23,30,120,193,160,114,28,237,7,182,110,235,124,60,229,100,112,94,136,37,48,0,0,0,232,79,168,222,154,162,92,27,204,48,96,255,158,47,79,99,20,169,37,29,155,94,9,190,100,184,17,13,111,203,246,127,213,115,76,184,169,224,214,73,213,153,205,44,10,117,77,20,64,0,0,0,112,220,183,239,118,64,62,76,128,209,29,65,10,41,111,112,40,67,182,43,89,156,210,235,71,186,209,77,72,177,164,8,118,136,26,76,208,22,136,231,188,225,12,229,76,242,70,122,69,130,209,202,109,24,89,92,54,167,97,241,149,119,207,64), $null, 'CurrentUser')

C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe

"C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --user-data-dir="C:\Users\Admin\AppData\Roaming\runtimebroker" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1628 --field-trial-handle=1640,i,1596845459529173983,10433284641322131880,131072 --disable-features=BlinkSchedulerMicroTaskQueuePerWindowAgent,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.gofile.io udp
FR 51.38.43.18:443 api.gofile.io tcp
US 8.8.8.8:53 18.43.38.51.in-addr.arpa udp
US 8.8.8.8:53 dns.google udp
US 8.8.4.4:443 dns.google tcp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 8.8.8.8:53 74.239.69.13.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp

Files

\Users\Admin\AppData\Local\Temp\5eee07e9-693e-4b04-898b-6377be119d3a.tmp.node

MD5 aa8da32ebca307d4f99cf2da290afd22
SHA1 8590c0b54987ad6b0bc15a1aa66b9d2ca65ca899
SHA256 ed3a86d32e83849720e150c18c4d19c90cabe912d674624f34051c19936167db
SHA512 d7809a39922d99a716744e6cc17e4094930c40a8a21c983830c3570c4e52846151d66ad5d6021bc2a5b5fd29f520465b7b88f71cb86c30e0fadc4d0fb21ee1d7

\Users\Admin\AppData\Local\Temp\9e1204e9-8d20-4683-be32-c6ea70fa6acd.tmp.node

MD5 04bfbfec8db966420fe4c7b85ebb506a
SHA1 939bb742a354a92e1dcd3661a62d69e48030a335
SHA256 da2172ce055fa47d6a0ea1c90654f530abed33f69a74d52fab06c4c7653b48fd
SHA512 4ea97a9a120ed5bee8638e0a69561c2159fc3769062d7102167b0e92b4f1a5c002a761bd104282425f6cee8d0e39dbe7e12ad4e4a38570c3f90f31b65072dd65

memory/5044-24-0x000001B9A1250000-0x000001B9A1272000-memory.dmp

memory/5044-27-0x000001B9A1400000-0x000001B9A1476000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zxphrtsi.4rv.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/5044-54-0x000001B9A1580000-0x000001B9A15D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xx_lol\Browser.zip

MD5 76cdb2bad9582d23c1f6f4d868218d6c
SHA1 b04f3ee8f5e43fa3b162981b50bb72fe1acabb33
SHA256 8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85
SHA512 5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-02 15:27

Reported

2024-06-02 15:33

Platform

win11-20240508-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A

Reads user/profile data of web browsers

spyware stealer

An obfuscated cmd.exe command-line is typically used to evade detection.

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4968 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Windows\system32\cmd.exe
PID 4652 wrote to memory of 1204 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 4968 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
PID 4968 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
PID 4968 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
PID 4968 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Windows\system32\cmd.exe
PID 4968 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Windows\system32\cmd.exe
PID 3720 wrote to memory of 4372 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3720 wrote to memory of 4372 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4968 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Windows\system32\cmd.exe
PID 4968 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Windows\system32\cmd.exe
PID 4308 wrote to memory of 3548 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4308 wrote to memory of 3548 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4968 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
PID 4968 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe

Processes

C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe

"C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe

"C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\runtimebroker" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1804,i,13315901716799113508,4177451301677030067,131072 --disable-features=BlinkSchedulerMicroTaskQueuePerWindowAgent,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe

"C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\runtimebroker" --mojo-platform-channel-handle=2020 --field-trial-handle=1804,i,13315901716799113508,4177451301677030067,131072 --disable-features=BlinkSchedulerMicroTaskQueuePerWindowAgent,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,123,24,55,191,154,132,233,71,140,73,56,248,204,84,86,192,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,84,247,95,191,127,65,164,7,108,14,99,167,79,145,68,0,23,63,137,200,229,48,25,187,125,154,136,244,216,122,194,233,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,174,133,137,58,194,152,7,254,63,115,138,192,110,39,205,26,84,32,203,77,169,223,134,144,91,87,94,120,158,183,198,139,48,0,0,0,51,240,13,34,140,172,98,245,132,204,94,122,239,21,90,91,7,173,16,206,243,159,155,246,206,122,172,130,69,238,124,72,110,14,65,215,50,99,215,38,127,198,71,209,254,163,67,51,64,0,0,0,226,164,140,243,68,213,186,44,50,107,36,163,86,98,166,208,144,217,29,216,38,197,247,81,229,70,80,89,44,9,59,199,208,128,66,45,196,130,11,45,55,179,64,172,67,212,88,236,137,183,214,204,179,188,80,58,219,144,206,168,13,80,69,252), $null, 'CurrentUser')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,123,24,55,191,154,132,233,71,140,73,56,248,204,84,86,192,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,84,247,95,191,127,65,164,7,108,14,99,167,79,145,68,0,23,63,137,200,229,48,25,187,125,154,136,244,216,122,194,233,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,174,133,137,58,194,152,7,254,63,115,138,192,110,39,205,26,84,32,203,77,169,223,134,144,91,87,94,120,158,183,198,139,48,0,0,0,51,240,13,34,140,172,98,245,132,204,94,122,239,21,90,91,7,173,16,206,243,159,155,246,206,122,172,130,69,238,124,72,110,14,65,215,50,99,215,38,127,198,71,209,254,163,67,51,64,0,0,0,226,164,140,243,68,213,186,44,50,107,36,163,86,98,166,208,144,217,29,216,38,197,247,81,229,70,80,89,44,9,59,199,208,128,66,45,196,130,11,45,55,179,64,172,67,212,88,236,137,183,214,204,179,188,80,58,219,144,206,168,13,80,69,252), $null, 'CurrentUser')

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,123,24,55,191,154,132,233,71,140,73,56,248,204,84,86,192,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,229,245,191,182,116,196,172,135,92,62,208,230,226,209,31,192,16,77,45,177,133,120,6,42,199,39,137,78,15,100,247,138,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,251,41,111,16,231,188,165,60,91,228,157,179,238,156,70,106,241,213,122,44,127,169,183,152,64,186,117,78,212,59,236,110,48,0,0,0,151,38,209,60,169,118,114,250,113,124,112,151,191,43,179,192,208,227,124,17,191,222,27,175,80,52,49,13,80,8,8,222,17,54,104,68,124,92,221,143,249,139,245,124,129,40,175,81,64,0,0,0,197,221,147,19,175,181,29,12,187,158,206,80,101,122,174,32,210,69,234,24,93,61,165,44,50,34,119,140,206,52,102,181,227,5,84,163,173,252,204,86,206,148,14,197,48,91,49,84,240,125,90,8,127,182,78,40,212,33,56,128,92,217,115,226), $null, 'CurrentUser')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,123,24,55,191,154,132,233,71,140,73,56,248,204,84,86,192,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,229,245,191,182,116,196,172,135,92,62,208,230,226,209,31,192,16,77,45,177,133,120,6,42,199,39,137,78,15,100,247,138,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,251,41,111,16,231,188,165,60,91,228,157,179,238,156,70,106,241,213,122,44,127,169,183,152,64,186,117,78,212,59,236,110,48,0,0,0,151,38,209,60,169,118,114,250,113,124,112,151,191,43,179,192,208,227,124,17,191,222,27,175,80,52,49,13,80,8,8,222,17,54,104,68,124,92,221,143,249,139,245,124,129,40,175,81,64,0,0,0,197,221,147,19,175,181,29,12,187,158,206,80,101,122,174,32,210,69,234,24,93,61,165,44,50,34,119,140,206,52,102,181,227,5,84,163,173,252,204,86,206,148,14,197,48,91,49,84,240,125,90,8,127,182,78,40,212,33,56,128,92,217,115,226), $null, 'CurrentUser')

C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe

"C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --user-data-dir="C:\Users\Admin\AppData\Roaming\runtimebroker" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1336 --field-trial-handle=1804,i,13315901716799113508,4177451301677030067,131072 --disable-features=BlinkSchedulerMicroTaskQueuePerWindowAgent,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
FR 51.38.43.18:443 api.gofile.io tcp
US 8.8.8.8:53 dns.google udp
US 8.8.4.4:443 dns.google tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\92739948-3847-406c-8710-566a0e463b12.tmp.node

MD5 04bfbfec8db966420fe4c7b85ebb506a
SHA1 939bb742a354a92e1dcd3661a62d69e48030a335
SHA256 da2172ce055fa47d6a0ea1c90654f530abed33f69a74d52fab06c4c7653b48fd
SHA512 4ea97a9a120ed5bee8638e0a69561c2159fc3769062d7102167b0e92b4f1a5c002a761bd104282425f6cee8d0e39dbe7e12ad4e4a38570c3f90f31b65072dd65

C:\Users\Admin\AppData\Local\Temp\00ead14d-7e54-4b24-93ed-811972e8a387.tmp.node

MD5 aa8da32ebca307d4f99cf2da290afd22
SHA1 8590c0b54987ad6b0bc15a1aa66b9d2ca65ca899
SHA256 ed3a86d32e83849720e150c18c4d19c90cabe912d674624f34051c19936167db
SHA512 d7809a39922d99a716744e6cc17e4094930c40a8a21c983830c3570c4e52846151d66ad5d6021bc2a5b5fd29f520465b7b88f71cb86c30e0fadc4d0fb21ee1d7

memory/4372-16-0x000001B73DAB0000-0x000001B73DAD2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jjx1jily.fqm.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4372-20-0x000001B756180000-0x000001B7561D0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 f69f145ee494b2d67c5d50108c862d4a
SHA1 68f36b9bd553beb2a7eec5f4a8fef317703c77e1
SHA256 06dd71fdfda7e319131bf98bd21dc6bee9a480736ab688e52bafe10074f00fc7
SHA512 302489f1e2676d83cf9cf92d378176a230f15975af12e2a2a50d9c057f4de0fc2c22f68a9390f5b337eaa10ea77366a1a79e71808de1e7a7c4e6432aeb75c530

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0cb10f06f4bd19bfda39ddabbeb66be7
SHA1 fa4dbe8d73f76669fcae8b456a59b55bbc75c66f
SHA256 93083452e49af786b11cec45977aec8924ea4312ffba4a1d3c6d8c679b4acb50
SHA512 c838f84af0ef903d954cf0d33c87830bb53452405c1ef8f9af2625125bafdf4fed1151ec5e5901a6ad0fcd963b9b31bb3173fc5c246a53a75af9501abf316b22

C:\Users\Admin\AppData\Local\Temp\xx_lol\Browser.zip

MD5 76cdb2bad9582d23c1f6f4d868218d6c
SHA1 b04f3ee8f5e43fa3b162981b50bb72fe1acabb33
SHA256 8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85
SHA512 5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-02 15:27

Reported

2024-06-02 15:32

Platform

win10v2004-20240508-en

Max time kernel

136s

Max time network

107s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Vanta\AutoHotkey.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Vanta\AutoHotkey.exe

"C:\Users\Admin\AppData\Local\Temp\Vanta\AutoHotkey.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-02 15:27

Reported

2024-06-02 15:32

Platform

win11-20240508-en

Max time kernel

87s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Vanta\AutoHotkey.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Vanta\AutoHotkey.exe

"C:\Users\Admin\AppData\Local\Temp\Vanta\AutoHotkey.exe"

Network

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-02 15:27

Reported

2024-06-02 15:33

Platform

win10-20240404-en

Max time kernel

210s

Max time network

200s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Vanta\vanta_loader.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A

Reads user/profile data of web browsers

spyware stealer

An obfuscated cmd.exe command-line is typically used to evade detection.

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Enumerates physical storage devices

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Vanta\vanta_loader.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2084 wrote to memory of 4680 N/A C:\Users\Admin\AppData\Local\Temp\Vanta\vanta_loader.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
PID 4680 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Windows\system32\cmd.exe
PID 3376 wrote to memory of 4992 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 4680 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
PID 4680 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
PID 4680 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Windows\system32\cmd.exe
PID 4920 wrote to memory of 3704 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4680 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Vanta\vanta_loader.exe

"C:\Users\Admin\AppData\Local\Temp\Vanta\vanta_loader.exe"

C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe

C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe

"C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\runtimebroker" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1516 --field-trial-handle=1736,i,2414787948733473757,9032102876269189595,131072 --disable-features=BlinkSchedulerMicroTaskQueuePerWindowAgent,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe

"C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\runtimebroker" --mojo-platform-channel-handle=1952 --field-trial-handle=1736,i,2414787948733473757,9032102876269189595,131072 --disable-features=BlinkSchedulerMicroTaskQueuePerWindowAgent,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,129,132,208,105,27,200,155,69,148,63,132,151,193,171,245,199,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,20,242,94,195,217,131,251,84,205,102,235,132,48,175,215,233,58,104,31,171,100,142,213,24,82,96,163,176,159,65,10,161,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,194,96,31,237,153,228,196,235,67,63,63,123,23,30,120,193,160,114,28,237,7,182,110,235,124,60,229,100,112,94,136,37,48,0,0,0,232,79,168,222,154,162,92,27,204,48,96,255,158,47,79,99,20,169,37,29,155,94,9,190,100,184,17,13,111,203,246,127,213,115,76,184,169,224,214,73,213,153,205,44,10,117,77,20,64,0,0,0,112,220,183,239,118,64,62,76,128,209,29,65,10,41,111,112,40,67,182,43,89,156,210,235,71,186,209,77,72,177,164,8,118,136,26,76,208,22,136,231,188,225,12,229,76,242,70,122,69,130,209,202,109,24,89,92,54,167,97,241,149,119,207,64), $null, 'CurrentUser')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,129,132,208,105,27,200,155,69,148,63,132,151,193,171,245,199,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,20,242,94,195,217,131,251,84,205,102,235,132,48,175,215,233,58,104,31,171,100,142,213,24,82,96,163,176,159,65,10,161,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,194,96,31,237,153,228,196,235,67,63,63,123,23,30,120,193,160,114,28,237,7,182,110,235,124,60,229,100,112,94,136,37,48,0,0,0,232,79,168,222,154,162,92,27,204,48,96,255,158,47,79,99,20,169,37,29,155,94,9,190,100,184,17,13,111,203,246,127,213,115,76,184,169,224,214,73,213,153,205,44,10,117,77,20,64,0,0,0,112,220,183,239,118,64,62,76,128,209,29,65,10,41,111,112,40,67,182,43,89,156,210,235,71,186,209,77,72,177,164,8,118,136,26,76,208,22,136,231,188,225,12,229,76,242,70,122,69,130,209,202,109,24,89,92,54,167,97,241,149,119,207,64), $null, 'CurrentUser')

C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe

"C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --user-data-dir="C:\Users\Admin\AppData\Roaming\runtimebroker" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2312 --field-trial-handle=1736,i,2414787948733473757,9032102876269189595,131072 --disable-features=BlinkSchedulerMicroTaskQueuePerWindowAgent,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.gofile.io udp
FR 51.38.43.18:443 api.gofile.io tcp
US 8.8.8.8:53 store3.gofile.io udp
US 136.175.10.233:443 store3.gofile.io tcp
US 8.8.8.8:53 18.43.38.51.in-addr.arpa udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:443 dns.google tcp
US 8.8.8.8:53 233.10.175.136.in-addr.arpa udp
FR 51.38.43.18:443 api.gofile.io tcp
FR 51.38.43.18:443 api.gofile.io tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 215.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

\Users\Admin\AppData\Local\Temp\nsq7A71.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

\Users\Admin\AppData\Local\Temp\nsq7A71.tmp\nsis7z.dll

MD5 80e44ce4895304c6a3a831310fbf8cd0
SHA1 36bd49ae21c460be5753a904b4501f1abca53508
SHA256 b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592
SHA512 c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

C:\Users\Admin\AppData\Local\Temp\nsq7A71.tmp\7z-out\chrome_100_percent.pak

MD5 8626e1d68e87f86c5b4dabdf66591913
SHA1 4cd7b0ac0d3f72587708064a7b0a3beca3f7b81c
SHA256 2caa1da9b6a6e87bdb673977fee5dd771591a1b6ed5d3c5f14b024130a5d1a59
SHA512 03bcd8562482009060f249d6a0dd7382fc94d669a2094dec08e8d119be51bef2c3b7b484bb5b7f805ae98e372dab9383a2c11a63ab0f5644146556b1bb9a4c99

C:\Users\Admin\AppData\Local\Temp\nsq7A71.tmp\7z-out\ffmpeg.dll

MD5 6418dfc9980cc0416a327961dacd41df
SHA1 2e32ab8ea0059606dfe66e978c271e0852406215
SHA256 04bd8ee92194f076686eab2a94a119629b6d61e554782a0d4520359f1ceb24a9
SHA512 d3e98fe91bfa4f7b9363d8fbb6997f20f76a638bcb5345d9280f919a4bf13dfa02d190534d1965eccd95f2300f6b4d29b6eaec5d544e5428377d1e26daf501a1

C:\Users\Admin\AppData\Local\Temp\nsq7A71.tmp\7z-out\LICENSE.electron.txt

MD5 4d42118d35941e0f664dddbd83f633c5
SHA1 2b21ec5f20fe961d15f2b58efb1368e66d202e5c
SHA256 5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d
SHA512 3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63

C:\Users\Admin\AppData\Local\Temp\nsq7A71.tmp\7z-out\libGLESv2.dll

MD5 ad3edee84b49923e4847119eb4d6c6b7
SHA1 8649be26571d3fa645c416f36c1bdc0b27f1d478
SHA256 51c9f2e9aecf5745ad343185cd39a05f581c2062d644bedcb25a5ef4b9624591
SHA512 e504996b8371f294fa8a5173da48256e9070156249bdd7431e3adeacbd99f7cf39dc3c0876c4aa11da8d1932147cfaff91764c517a70d69d8c8e4876abbeea56

C:\Users\Admin\AppData\Local\Temp\nsq7A71.tmp\7z-out\libEGL.dll

MD5 13318cb90b385fb918ba6e07f1fd8d83
SHA1 899985a7608268893c7fc1c9810568bdd8294b81
SHA256 53a2d4c5ae582f15aad481e75e516ddabce9b756e553bed33720a66d2c5f736d
SHA512 b5418f6bd2ab883dc1ef4d9f2c0a976296d06fe1309c6db7331a3470f198505561cabd41ecd05e675b90076196b4f82e8a9ef0574cfe96869bfb24d07cc82450

C:\Users\Admin\AppData\Local\Temp\nsq7A71.tmp\7z-out\icudtl.dat

MD5 2c367970ac87a9275eeec5629bb6fc3d
SHA1 399324d1aeee5e74747a6873501a1ee5aac005ee
SHA256 17d57b17d12dc5cfbf06413d68a06f45ccf245f4abdf5429f30256977c4ed6de
SHA512 f788a0d35f9e4bebe641ee67fff14968b62891f52d05bf638cd2c845df87f2e107c42a32bbe62f389f05e5673fe55cbdb85258571e698325400705cd7b16db01

C:\Users\Admin\AppData\Local\Temp\nsq7A71.tmp\7z-out\d3dcompiler_47.dll

MD5 cb9807f6cf55ad799e920b7e0f97df99
SHA1 bb76012ded5acd103adad49436612d073d159b29
SHA256 5653bc7b0e2701561464ef36602ff6171c96bffe96e4c3597359cd7addcba88a
SHA512 f7c65bae4ede13616330ae46a197ebad106920dce6a31fd5a658da29ed1473234ca9e2b39cc9833ff903fb6b52ff19e39e6397fac02f005823ed366ca7a34f62

C:\Users\Admin\AppData\Local\Temp\nsq7A71.tmp\7z-out\chrome_200_percent.pak

MD5 48515d600258d60019c6b9c6421f79f6
SHA1 0ef0b44641d38327a360aa6954b3b6e5aab2af16
SHA256 07bee34e189fe9a8789aed78ea59ad41414b6e611e7d74da62f8e6ca36af01ce
SHA512 b7266bc8abc55bd389f594dac0c0641ecf07703f35d769b87e731b5fdf4353316d44f3782a4329b3f0e260dead6b114426ddb1b0fb8cd4a51e0b90635f1191d9

C:\Users\Admin\AppData\Local\Temp\nsq7A71.tmp\7z-out\resources.pak

MD5 9d000106fc3192e4c3d47031cf450131
SHA1 814c455baba7dd4d9354ed061522fc4caad3e7b4
SHA256 d0e884b68e2b79162e88b5d4a593c3bb4a7c60c5c62f4e3cc69a346727e6f7eb
SHA512 b19e926fc5223375685854a0b26a04efdcd8128e44b3b56f3ed2cccb860b9069ff6e49dbae053a4287f12de6796643021a316baaf3f8505f5574171d8c6cf885

C:\Users\Admin\AppData\Local\Temp\nsq7A71.tmp\7z-out\LICENSES.chromium.html

MD5 c3528648bedbde1223a2faab1a3f9af3
SHA1 934d3c8f184258338ff380964ed89053ce69ac5b
SHA256 57b8e5a3f2cd62805001aefca035c7348b4d1abac157e6df3d798bb31f2ec3d2
SHA512 3e3cc0fd7a55f67ee0afff9696beef33bdc9524375bbe9d8e8f7660fd408c756c1156ca0b02ecccdc22799c7b8e74dbde012732ad6b3ebe0a3cfc54ff5132b35

C:\Users\Admin\AppData\Local\Temp\nsq7A71.tmp\7z-out\v8_context_snapshot.bin

MD5 4d89b46abac43cfaec5c80ab2f735e15
SHA1 8985d96af0017b78c9b3791ea2ead72f3e32c844
SHA256 4f69d3512c141d88a6137b08a1da04ab80d8e685bd5e9378865d6de828f0cb5a
SHA512 477a676586b066813f1d469be6891b2cbd9575528d4279fd7da34f359057ee6025f82ce31c57a9e90658d52fd2e94779bd5a8a9c3d8f2283874450f4285da3bb

C:\Users\Admin\AppData\Local\Temp\nsq7A71.tmp\7z-out\snapshot_blob.bin

MD5 ac47bd259a01da6c51f750ea210b52bf
SHA1 d6682fc4a07ff2313bc8428137f533e8947692a3
SHA256 e87fb952df8e36a5461f328c37afd701f20c427810824e9541709cccb87c22b3
SHA512 9bbd6e39597181da2cdaa0e3b4569e0a7a67b44f37be20b0bbe7cb6323501835427ce84044203c66c98b98fcf4e8e356e983be0e085f3020df93022d9c7e0135

C:\Users\Admin\AppData\Local\Temp\nsq7A71.tmp\7z-out\vk_swiftshader_icd.json

MD5 8642dd3a87e2de6e991fae08458e302b
SHA1 9c06735c31cec00600fd763a92f8112d085bd12a
SHA256 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9
SHA512 f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

C:\Users\Admin\AppData\Local\Temp\nsq7A71.tmp\7z-out\vk_swiftshader.dll

MD5 30d193f1976035cebec2c2d8f071c556
SHA1 97b1d811743f03e888c22d975c9eb77ba92142b9
SHA256 600e158b7d7fb95eb63552da1ae8159a6eb9bb04ff6341d11db2d10bd6c30c8e
SHA512 4eb6ec91fb060f67ea126c9c7dd7f672161d86302db41c7d999f33239a7c18062cc020c06ab9571f8023c846d22bd0fa5c020fb4c710bf6a21472002dccb6226

C:\Users\Admin\AppData\Local\Temp\nsq7A71.tmp\7z-out\vulkan-1.dll

MD5 7fdd1bec727e2b389c8ca84c407446c6
SHA1 a91343d9f52883325f52f28c5dd142f4ae07b3ef
SHA256 d04035c59f49444bd3cafd71296afd70bad5daa6e28bf5d7de3ffd0e36a85938
SHA512 2fdd95185507be9bcbf6cfe1f05ba47e71203b1dc3ce4cc1553e5fcfb576ab89bf018a8927fc5e6e451b00f56f7abb5f2efd504e1a674b42dbe80deeb13d669a

C:\Users\Admin\AppData\Local\Temp\nsq7A71.tmp\7z-out\locales\af.pak

MD5 464e5eeaba5eff8bc93995ba2cb2d73f
SHA1 3b216e0c5246c874ad0ad7d3e1636384dad2255d
SHA256 0ad547bb1dc57907adeb02e1be3017cce78f6e60b8b39395fe0e8b62285797a1
SHA512 726d6c41a9dbf1f5f2eff5b503ab68d879b088b801832c13fba7eb853302b16118cacda4748a4144af0f396074449245a42b2fe240429b1afcb7197fa0cb6d41

C:\Users\Admin\AppData\Local\Temp\nsq7A71.tmp\7z-out\locales\ca.pak

MD5 83f9f785483cd92a73843ed98e674f86
SHA1 70e223dba0ecc5cf3f5fcf32278d97ff864c8024
SHA256 f7f54b55a917a0f68e4b7ed7a3e6feabb224c52d09786b939712607ebe8ab0ea
SHA512 df231f6774a9568cc4b85ad18d13c31cfb4de78830c72900ebd613d580e914e85eff85330ac9aa85246a0e4949891fdfb224ac615a03fcb0ce05b989391963e8

C:\Users\Admin\AppData\Local\Temp\nsq7A71.tmp\7z-out\locales\cs.pak

MD5 f36f1b2ff12fb87a578c36f73f5aac83
SHA1 73f61f7b6f191468ff4d9566a0bb6eccf1069cac
SHA256 877a0a3dcb5d393365b2f775faff0d3593dd84b380a27dc72025597061a50ba7
SHA512 c61a38f937dcc90c7dd5b87d9514147b6362d339d9af85bcb3677bb12ae5715d05426f6e67ffd3b441cc41530883a227096b4135b98f2d5c73f51612e0a0e4c9

C:\Users\Admin\AppData\Local\Temp\nsq7A71.tmp\7z-out\locales\bn.pak

MD5 9340520696e7cb3c2495a78893e50add
SHA1 eed5aeef46131e4c70cd578177c527b656d08586
SHA256 1ea245646a4b4386606f03c8a3916a3607e2adbbc88f000976be36db410a1e39
SHA512 62507685d5542cfcd394080917b3a92ca197112feea9c2ddc1dfc77382a174c7ddf758d85af66cd322692215cb0402865b2a2b212694a36da6b592028caafcdf

C:\Users\Admin\AppData\Local\Temp\nsq7A71.tmp\7z-out\locales\bg.pak

MD5 38bcabb6a0072b3a5f8b86b693eb545d
SHA1 d36c8549fe0f69d05ffdaffa427d3ddf68dd6d89
SHA256 898621731ac3471a41f8b3a7bf52e7f776e8928652b37154bc7c1299f1fd92e1
SHA512 002adbdc17b6013becc4909daf2febb74ce88733c78e968938b792a52c9c5a62834617f606e4cb3774ae2dad9758d2b8678d7764bb6dcfe468881f1107db13ef

C:\Users\Admin\AppData\Local\Temp\nsq7A71.tmp\7z-out\locales\ar.pak

MD5 6352905a290802a05dd3a64d22216f6e
SHA1 11adb10f0678079c8f73779bb039e12329bcaac7
SHA256 00861d9fa5763cc5c3152edb4a5c956c6bc4f56311ce2ed9e6b496181624ab5e
SHA512 0b0dbad8201ebd1a7dc2cfb11325c509efbcced3ac3d337915cf2972defe2304ea9f8af91d9362cb51333459900a80b714e7302a6483ad58fd64404f8410b6ea

C:\Users\Admin\AppData\Local\Temp\nsq7A71.tmp\7z-out\locales\am.pak

MD5 2c933f084d960f8094e24bee73fa826c
SHA1 91dfddc2cff764275872149d454a8397a1a20ab1
SHA256 fa1e44215bd5acc7342c431a3b1fddb6e8b6b02220b4599167f7d77a29f54450
SHA512 3c9ecfb0407de2aa6585f4865ad54eeb2ec6519c9d346e2d33ed0e30be6cc3ebfed676a08637d42c2ca8fa6cfefb4091feb0c922ff71f09a2b89cdd488789774

C:\Users\Admin\AppData\Local\Temp\nsq7A71.tmp\7z-out\locales\de.pak

MD5 1b928ff4831916bbe39e4b2e08f52267
SHA1 dd8788bb4d386f7d0b8e685a09cc9ca361b7c31e
SHA256 9c335a4e85b4ac58ed386d89d284be053ef288b2706a4cae433d91625ec1b31e
SHA512 95dc4ecd45708277618a913bd07073a7cc61b642ae14fecc91ac0548898771a522a0672ee67399e5f5c8ca3006c37aa878b74af1f41717b9607c00f49e40124a

C:\Users\Admin\AppData\Local\Temp\nsq7A71.tmp\7z-out\locales\da.pak

MD5 7ff057b530184205100dbea8635a29a7
SHA1 f6e22b2e37e6d7bf0ca9bec220650f01d1a4a091
SHA256 40b32636ffb813574d8a063ce7e74860ab06b93a9b16dd56b5b6aa602b5e6943
SHA512 09b7b6c280d98f21beeddf1b9e5834462f29d299a64276c198ef3eab466b352695172d2ff118664c34e51a2b73e21949f203ba35b0bb6d3e031ac770e3e6b451

C:\Users\Admin\AppData\Local\Temp\nsq7A71.tmp\7z-out\locales\es-419.pak

MD5 a510ff6703676bacde7e528823878018
SHA1 6551a7dac1c3fcd839b8d7c6ca92470f30a93d0d
SHA256 77114f519743741a488a9b57cdc7190f0507c37dc3b29811704a048172ba6736
SHA512 e9b75bc92eb077db57f906ef544b2339c4eb4f6eddf65d2570c36a00ab4b8a167a53e869d81150a7d097ecbf4ba19625ad4228f133392cc850352fe66fea47e0

C:\Users\Admin\AppData\Local\Temp\nsq7A71.tmp\7z-out\locales\en-US.pak

MD5 19d18f8181a4201d542c7195b1e9ff81
SHA1 7debd3cf27bbe200c6a90b34adacb7394cb5929c
SHA256 1d20e626444759c2b72aa6e998f14a032408d2b32f957c12ec3abd52831338fb
SHA512 af07e1b08bbf2dd032a5a51a88ee2923650955873753629a086cad3b1600ce66ca7f9ed31b8ca901c126c10216877b24e123144bb0048f2a1e7757719aae73f2

C:\Users\Admin\AppData\Local\Temp\nsq7A71.tmp\7z-out\locales\en-GB.pak

MD5 e0c79cf2e5b790386e44b125d8e1a5fc
SHA1 1b75baf8035b81d6494f9f36930bbc8c512e1dbf
SHA256 6b0e81b2198e025eae1e2f6d5d3a33ccce034d1f4bc59e4cade1b5f5adb99f1a
SHA512 e4feb64ce7edf416422127280cf87967a5e6b20436a8ed33932b1bade73f0691ac819449d38fa0d8a81b888d6319f0b3167aa16e225999dfd6e7800d2365f2a6

C:\Users\Admin\AppData\Local\Temp\nsq7A71.tmp\7z-out\locales\el.pak

MD5 e66a75680f21ce281995f37099045714
SHA1 d553e80658ee1eea5b0912db1ecc4e27b0ed4790
SHA256 21d1d273124648a435674c7877a98110d997cf6992469c431fe502bbcc02641f
SHA512 d3757529dd85ef7989d9d4cecf3f7d87c9eb4beda965d8e2c87ee23b8baaec3fdff41fd53ba839215a37404b17b8fe2586b123557f09d201b13c7736c736b096

C:\Users\Admin\AppData\Local\Temp\nsq7A71.tmp\7z-out\locales\es.pak

MD5 e42486833449ea57261d5bbdabb8b4e2
SHA1 09734ed71302c7a3bf5f84dee1dfab7732bc0745
SHA256 d539c88c4493cb1d9eae600611e3119fe129ec95149049f4b62fc3a97d78ca61
SHA512 8ad283323c3f2e7a9d2e33eb86c371be6a9e29d9243e0d74d5936606692367212f81825d5c313a8859ff8de84eb6d23cbfc577ca47185392da803717f29e8b24

C:\Users\Admin\AppData\Local\Temp\nsq7A71.tmp\7z-out\locales\fa.pak

MD5 e861a65f12b38a3def1fe9e933cae275
SHA1 8d083b5902a15a63ef11c7783f12e088d333fcf5
SHA256 f9a8e3b9bbc809f11cc3dc32811940e033bd78a31ec154d28321473f8efa1e4d
SHA512 d1fe91c693c794b4a4d60560800c919977654832e8f6e34fb1ec0ffbf5c411cf35b0a0e22e036dca48a246ab8d6bea0427c5ceb232d460e9c59cf4163d55314c

C:\Users\Admin\AppData\Local\Temp\nsq7A71.tmp\7z-out\locales\et.pak

MD5 8b3cb5e4b8ac769bde84e5c375c1774e
SHA1 53665908d6ec12095abd766911d8abcc84c6da58
SHA256 c351b84558214420495bed6d882d37496483cc66b0e10400ca872e3fc4145b66
SHA512 b0dff640d32e5c277f2d3441abf823e8859f28f215cfc63fde8a968cbc9b9531aa0394e10fa98284d186323e3357ea2265d762dc034be86bb50f5c55630ab4c5

C:\Users\Admin\AppData\Local\Temp\nsq7A71.tmp\7z-out\locales\hu.pak

MD5 2aa0a175df21583a68176742400c6508
SHA1 3c25ba31c2b698e0c88e7d01b2cc241f0916e79a
SHA256 b59f932df822ab1a87e8aab4bbb7c549db15899f259f4c50ae28f8d8c7ce1e72
SHA512 03a16feb0601407e96bcb43af9bdb21e5218c2700c9f3cfd5f9690d0b4528f9dc17e4cc690d8c9132d4e0b26d7faafd90aa3f5e57237e06fb81aab7ab77f6c03

C:\Users\Admin\AppData\Local\Temp\nsq7A71.tmp\7z-out\locales\hr.pak

MD5 cbca0ad35cfa5c4b852cc8f556706b0b
SHA1 608d2e11a40e5e15a2840e248a249d1562ba9846
SHA256 6ea4b1a28cf567cca73ccdb7eec631fffba3b49acc41e3c88b448514578d80da
SHA512 5b6f01c10d613f278d507d43fb0c708b32fd486d9b5a5f31a9837d0b1025da6ff85772b8f39e192cd8625d363be570565fd4eaf0f8d11c17ad6cbd956893022b

C:\Users\Admin\AppData\Local\Temp\nsq7A71.tmp\7z-out\locales\ko.pak

MD5 54ace51d8b687e36a66a2bfde258a550
SHA1 1b2fe7c62e3f2c7deede2034e44980e02afa3b4d
SHA256 8d131066e2fa004e11f9128162bfc354d3254381059d6c852bf88a55859ae3e8
SHA512 50b825a88d646a32a4d620bcdf5ce490c8dfbea628c5256a6918dc647c42385f955396ec5d3b32cfdb50153897cf303cd517bc9f62663b14def2dae42229f640

C:\Users\Admin\AppData\Local\Temp\nsq7A71.tmp\7z-out\locales\kn.pak

MD5 fccd5d8ad5e1c774771b19dda55d9b9a
SHA1 fabbaf469e4aec44342a7e6f74b837cde2203b71
SHA256 47c77fdf73267865a025a54027865a8d67e26943264a43c6e794ccbd6eec549b
SHA512 c9dc6cf0ff5a4094cc07ce4881319778a076b44651b16a220940d7a587ffaa92b6b80f7264605a3c8e6dd780e9c3d8e4d403d01cd8f94e0122ac19cd4d636aac

C:\Users\Admin\AppData\Local\Temp\nsq7A71.tmp\7z-out\locales\ja.pak

MD5 e9133185d2339d0a2f68c4c739eb3615
SHA1 cfa6db85ec99bb38b734254b7d4a83d12ee5cd00
SHA256 ba2acb635671a48ed0bf8cdc6e0a0318cfb33eb74b4171c6b483b95f2a167bc5
SHA512 e89c886a601943d2089bad27ce9458f95929fd39fd2f88da0545f71e9d18a678eafc303630d0f94ab3af7c77ad19fabdb2616a2d004151232bc6ce1ae8e4c46e

C:\Users\Admin\AppData\Local\Temp\nsq7A71.tmp\7z-out\locales\it.pak

MD5 8cde7372fc5095e581bf64fb77e04d61
SHA1 0d30e0ae2c401a06ffb4056bab44d2b5d3970492
SHA256 d011fd39c3cbab740a7944a60a8dd48d6f76c563ea473cfd1f569c5e6fc9fa4e
SHA512 83778880ad95b39b5746d512aa116b05928f580f0c5e75b45cddcb80addb24cf079f73f65771e1d75ca18925ea6fdb86283aa060af2cd1308dee53ee728f76e8

C:\Users\Admin\AppData\Local\Temp\nsq7A71.tmp\7z-out\locales\id.pak

MD5 366d1b2c3759d6ff9c588f53ec9a7c5b
SHA1 e9d5c6e8311c6f7b7c4ad997db0cec5c11cfd754
SHA256 0853a5543923b7a8db5989ebb8ebe8f9fb6271bfa59b94f5843f97de4401e2d8
SHA512 879e72625fd112cec85a6489c590d7e89c65753d2beee259f7393e7377729d40bbb8cd0a2a9fcfde93d14c2cc9a97879312e60ab26035970a632e36d2f8d9e53

C:\Users\Admin\AppData\Local\Temp\nsq7A71.tmp\7z-out\locales\hi.pak

MD5 bc777a1010c846906d05d75d82f5dea9
SHA1 73bbeeda37164845ca3f4f2827165b4023f8a194
SHA256 ccf7a557d0f8353ff3d656d4c2a4fca2d462ed2cc3d18c599d98f4d57b23c615
SHA512 e6a01b80adfa31fa93d48fc4f1ba9222d21b8ed7734e664e4f274843b46d826ec8863483c0e8647e39ad85988dfe0a2848d32a26ce1fdd8a0eb85e4fe64be292

C:\Users\Admin\AppData\Local\Temp\nsq7A71.tmp\7z-out\locales\he.pak

MD5 c6937badd93ff4ae6f6a2c9e31f678d5
SHA1 b3175d7bebe340ab08e0d8e85d550a076b073c55
SHA256 3cd4440501bc67d0b2e33e1346ba133fb9a09a8762f2334732f8cc349cd840b7
SHA512 db232d7da04b4a854fd399fa04779469ec6fd0a752c4da7b2eed6d1aeaca4a096130fe326c91d777131d1a8ba32637d884e518f1522e9658d233a35e5eef9397

C:\Users\Admin\AppData\Local\Temp\nsq7A71.tmp\7z-out\locales\gu.pak

MD5 9e189d21ad5843b69c352466c94cdc4c
SHA1 99af98cc510abe726b54f28488f647ea6f7d4c91
SHA256 9c210e3143f99df59bebea6bdb6e30959f8520d59a20fffd437f7029840bb3a9
SHA512 c3007f45ec20c3c3e763f20be1a5557f548a28757cb032617c20fe7d44b7524368b75b8182de243048aa56b939b2a790b5b85cf359b009c4c20c41089e8992e8

C:\Users\Admin\AppData\Local\Temp\nsq7A71.tmp\7z-out\locales\fr.pak

MD5 3a5bb07820cf46c0f4a81a25724fe870
SHA1 dbc296c1fc516c60d453253ee341ca4d31554230
SHA256 b62c51b85545b3f5d70ac9c684a111689044636eafaeb196f5d52760e0f96f91
SHA512 0222f7a8bf3a6f77fcb9ab7eb0d03509d15bb8634d556547ed55141d550af241a525cc99eb13957744fe2e6d4732b9dbe4d078cb3555b16af6c13e20b9f4e8a1

C:\Users\Admin\AppData\Local\Temp\nsq7A71.tmp\7z-out\locales\fil.pak

MD5 d7df2ea381f37d6c92e4f18290c6ffe0
SHA1 7cacf08455aa7d68259fcba647ee3d9ae4c7c5e4
SHA256 db4a63fa0d5b2baba71d4ba0923caed540099db6b1d024a0d48c3be10c9eed5a
SHA512 96fc028455f1cea067b3a3dd99d88a19a271144d73dff352a3e08b57338e513500925787f33495cd744fe4122dff2d2ee56e60932fc02e04feed2ec1e0c3533f

C:\Users\Admin\AppData\Local\Temp\nsq7A71.tmp\7z-out\locales\fi.pak

MD5 7243727348009668ded33dd0109118c3
SHA1 aa19e2e340c8328132d12ff79d8fd6b02c512a48
SHA256 6581fca26336f66d8ba898ec1253b237db30e7cd1a25fc788290d7ace96fa6e1
SHA512 e890346915c0891a9f49640f232f6633e25655b969911a6697adfea709cec59bb925678e0b97424936c59d523c3ee9e2dc23f115e20c45ca3ed51ae691d0d7f0

C:\Users\Admin\AppData\Local\Temp\nsq7A71.tmp\7z-out\locales\lt.pak

MD5 64b08ffc40a605fe74ecc24c3024ee3b
SHA1 516296e8a3114ddbf77601a11faf4326a47975ab
SHA256 8a5d6e29833374e0f74fd7070c1b20856cb6b42ed30d18a5f17e6c2e4a8d783e
SHA512 05d207413186ac2b87a59681efe4fdf9dc600d0f3e8327e7b9802a42306d80d0ddd9ee07d103b17caf0518e42ab25b7ca9da4713941abc7bced65961671164ac

C:\Users\Admin\AppData\Local\Temp\nsq7A71.tmp\7z-out\locales\lv.pak

MD5 4468d6a6114d5a7ea3c1173ae9a8250d
SHA1 ef664a6a140fb7a244bce44ff8c73250856d8061
SHA256 0ff66161377be2fb8b2b456a64dd910d8375a2b9f1f6f22333540a77111903d6
SHA512 db4179b53cd44f297f5455a167ceccdd2a384c5296311346fa53f15ef5acab76cd166df13dbdf22b0c85a66455f22218e88c02fda2c5e2f863b9f4e7ea6e9a56

C:\Users\Admin\AppData\Local\Temp\nsq7A71.tmp\7z-out\locales\mr.pak

MD5 5657d67f6d21b507aab24ff62b0d4701
SHA1 b685a327c525b7e42eece306984e6d88dd803a29
SHA256 671c3cb2a805a63a275ad608d37d0577c6a2813dd67fb6c2b70f8232323aac04
SHA512 637c60834edc6f31c80692274af05e3f78466cd5ddb2fd7c79315b0f54939f41f25c3b30c86fd10751d032def1f99cb853c3186128a76a3a82a6989eaf14a835

C:\Users\Admin\AppData\Local\Temp\nsq7A71.tmp\7z-out\locales\ml.pak

MD5 038b9eb34737bf472fde68b91a40f122
SHA1 64771e91d4fdac0b909c6f446cc2f310be7d1320
SHA256 27b7947e36a521403de094cc563d5eced1e46f98e4d6b872fd424352f798e84d
SHA512 3c96b42ab838f2ad5434e719f5906427a5fb327967d04c8498f3af4e913de833ac9cce6545fcfe0de2dc920cdf54c8b31c1d1527f609f90bcf9728d7bdbaac7d

C:\Users\Admin\AppData\Local\Temp\nsq7A71.tmp\7z-out\locales\pl.pak

MD5 fbc79131a645b3853b4fa97c2b589a07
SHA1 91c6d4386384efa9074956b9e811a0aac385aa4e
SHA256 0948238576efb502327af4040c1d9eb1346fbf1bdcee35cd46746b170a7ea6a7
SHA512 0559d787bb7e4fa32a70c19cf0d1b2962d3869363904c13f345ef733f1193c73a13bad9600d7a5ffacf60b92cd97c27e27f7c4b7e143d0925fb358498c92f8cf

C:\Users\Admin\AppData\Local\Temp\nsq7A71.tmp\7z-out\locales\nl.pak

MD5 285f965bdfd40491c0669f41a1c9e2f5
SHA1 b5c17191ab4d152c7793b6dec0a2e8f1fc298a89
SHA256 b20178135b9f21feef0315fb2f2bc574c2876385e607a539ff0ce6ae7faf707b
SHA512 03de0c35bc75fb96cc5871b5d06a49d99b92864541a3a03816c1245bef567401b260ed94b99818f81273395b1ec60a9f6cae22084ef34e01a95cc41da4fbd1b7

C:\Users\Admin\AppData\Local\Temp\nsq7A71.tmp\7z-out\locales\nb.pak

MD5 55d5ad4eacb12824cfcd89470664c856
SHA1 f893c00d8d4fdb2f3e7a74a8be823e5e8f0cd673
SHA256 4f44789a2c38edc396a31aba5cc09d20fb84cd1e06f70c49f0664289c33cd261
SHA512 555d87be8c97f466c6b3e7b23ec0210335846398c33dba71e926ff7e26901a3908dbb0f639c93db2d090c9d8bda48eddf196b1a09794d0e396b2c02b4720f37e

C:\Users\Admin\AppData\Local\Temp\nsq7A71.tmp\7z-out\locales\ms.pak

MD5 aee105366a1870b9d10f0f897e9295db
SHA1 eee9d789a8eeafe593ce77a7c554f92a26a2296f
SHA256 c6471aee5f34f31477d57f593b09cb1de87f5fd0f9b5e63d8bab4986cf10d939
SHA512 240688a0054bfebe36ea2b056194ee07e87bbbeb7e385131c73a64aa7967984610fcb80638dd883837014f9bc920037069d0655e3e92a5922f76813aedb185fa

C:\Users\Admin\AppData\Local\Temp\nsq7A71.tmp\7z-out\locales\pt-BR.pak

MD5 3701247a5ac607053278aea185ee6616
SHA1 8cb40ddd4865347677f8d327792c6edb69012f76
SHA256 7f41c3a58d08d98f21232e7c85839c9dec0053b447bb4dae867d2faadb278d45
SHA512 637070ebc4411fb92bef5ff75eff46602db8ed59021f37f1a0d8201093f047419c558ec1af49c4dbbb4f58e7169e2f2cf04af7e1d11a57d39ab1cf036cb8497c

C:\Users\Admin\AppData\Local\Temp\nsq7A71.tmp\7z-out\locales\pt-PT.pak

MD5 e032c0d39df2b7bfc71ece3bfe694039
SHA1 6664f303bae983a1bffcba22e9df712bb3cb59d6
SHA256 60a5a7f03d4d54397ca04be0c89d1f67a496b72807c0bd660c076bc945b40339
SHA512 3f12ed39848ad76411d4d84b2ccef59e2346d40c8e7ddbf6e333a2323df737d864126777fb54a15e90283ced2e7f04a7dda561fa2ebe13b30e082988b13e1406

C:\Users\Admin\AppData\Local\Temp\nsq7A71.tmp\7z-out\locales\sk.pak

MD5 07498676ad49df5cb1a14d91e2fc2353
SHA1 da344ebcc2ed566b45668c8ff5b950cb921af71f
SHA256 b7ba1d08ac8498ea6a37186a51b30d6d0db17136ac734982af4dab97f4a6cd9a
SHA512 548dd27e98700681941ac13e6cf90a70c66520f70df51c75ecfbb32391805ee536a34f3e90400c1cfb34b750c9415378e1a75233db614c94a057da64d3369d91

C:\Users\Admin\AppData\Local\Temp\nsq7A71.tmp\7z-out\locales\ru.pak

MD5 e582616cb61afb76688aa7669936bbff
SHA1 cd2e894a59238ce90be527156243546b4a3fc53e
SHA256 e4edec80c9e29357bcf31eda5d8b046c6c9fbc6434a0b5594b6a906d5f1407d1
SHA512 a5346390b6ec966d75839fb84e8d7284db55065b1a032ecd869a06555cdf116caaad73f9b059c92c17d5a5fb310a41c5f3b2461eee531b231adacb1b3d3d6cec

C:\Users\Admin\AppData\Local\Temp\nsq7A71.tmp\7z-out\locales\ro.pak

MD5 d8b831a4896af7c78c534f1e8676ae37
SHA1 175da19445b975b24a1e7bc8ffafa93d456ed10c
SHA256 3a58f2275ea6a2baa68924b1dab6b0f06abf8b6657a878dea94b0060a95e38f0
SHA512 e7e75dc7f92eb28759b567ec395f2a951c0e71284c75b9e2c4efd92209dda5767d51d51cdf591d04baddcfe88fbc2c8e6851a904d631b69bd801b9568767d948

C:\Users\Admin\AppData\Local\Temp\nsq7A71.tmp\7z-out\locales\sl.pak

MD5 83ef046784c1b113e827cb744bcb8656
SHA1 f6f3e0e975e7d3ca8e06f1988cb8a1c182eea734
SHA256 ab2079923e2baa27c220df2f1559af8edc785f8e9fe2e12c8ecb0e0e7e7d0a09
SHA512 f62f7e1eee91f5d42d591abbc7cb0fdf639834090824e7ab7f4dffb1e6c108c540074fdbadd5e153caecdb37b722ed9f737f13cbab387685013781949b9ee321

C:\Users\Admin\AppData\Local\Temp\nsq7A71.tmp\7z-out\locales\sr.pak

MD5 c68c235d8e696c098cf66191e648196b
SHA1 5c967fbbd90403a755d6c4b2411e359884dc8317
SHA256 ab96a18177af90495e2e3c96292638a775aa75c1d210ca6a6c18fbc284cd815b
SHA512 34d14d8cb851df1ea8cd3cc7e9690eaf965d8941cfcac1c946606115ad889630156c5ff47011b27c1288f8df70e8a7dc41909a9fa98d75b691742ec1d1a5e653

C:\Users\Admin\AppData\Local\Temp\nsq7A71.tmp\7z-out\locales\sv.pak

MD5 251682c6f4238bef8ab5471870a5454b
SHA1 2bf36466446abe39d487c61898d335901bbb09b0
SHA256 e1cbce672de3ba3a01272b9b763dcfd8229fba0883df2b4117ac6b0f9916c073
SHA512 de1e507b24e71f60c298253aacff49724b6a8c6336455d8dfcc6e939e53ed5e7a95dc5574e66a7fae38b6666446ac9cd83e5ad1b794b4ffa38d06052663c1f45

C:\Users\Admin\AppData\Local\Temp\nsq7A71.tmp\7z-out\locales\sw.pak

MD5 67a443a5c2eaad32625edb5f8deb7852
SHA1 a6137841e8e7736c5ede1d0dc0ce3a44dc41013f
SHA256 41dfb772ae4c6f9e879bf7b4fa776b2877a2f8740fa747031b3d6f57f34d81dd
SHA512 e0fdff1c3c834d8af8634f43c2f16ba5b883a8d88dfd322593a13830047568faf9f41d0bf73cd59e2e33c38fa58998d4702d2b0c21666717a86945d18b3f29e5

C:\Users\Admin\AppData\Local\Temp\nsq7A71.tmp\7z-out\locales\te.pak

MD5 41e49a1ef6850d90e0cbdc720c45ea5a
SHA1 a2fbe1585a1b653ac6acccaf6184ae2de3e007af
SHA256 aa2b9d1ad8591e91872c3fee62b111b74d6e7e890a47d0bcc388947ae5245290
SHA512 687ff66471248104f8780f142e1810ccc7275857e4bd188447d01cecbe74ebac4070ab135d4a7111bc5f4ae17247dd865f21a2d3e73031534dac1f5117bc4570

C:\Users\Admin\AppData\Local\Temp\nsq7A71.tmp\7z-out\locales\ta.pak

MD5 292f763cb8eb588659eb7cc25cf57d2e
SHA1 dc42622f272843cb3afce9968146b85a98485237
SHA256 d5bfe0699342b8bba6c4c73c115b1c7f3f903c4ed95d77461c34369f2f60d5ee
SHA512 100ec32914f0d140baa414180cb2ba34e95f75ab73a0c036d6d5ebb64cc69b2b7c62b9e3f9de192bab8ddac3b387b953bed2ca1fd3bf0aab0198b9c1f2911151

C:\Users\Admin\AppData\Local\Temp\nsq7A71.tmp\7z-out\locales\th.pak

MD5 f9ff2275865f2cdebb9b0d19d4fb57a1
SHA1 e83c6c8e0005bf34771af3f1c0c9d8ebaa822f95
SHA256 3d4556bc0f26b89d090a8a779a8fda8f6fbe157a23181cbfb1d6c67a6212b864
SHA512 96f596bb564e62bbafe62774fba1cefa644feff47a331e54cd7dc9b85b29f2a2e8e785e85d90cccc27f9a1c735b0a8c6dbe01fa244601f1359194f64a49ee6d0

C:\Users\Admin\AppData\Local\Temp\nsq7A71.tmp\7z-out\locales\vi.pak

MD5 ebb5db1dbb64895b1a25120d5ac9b5e4
SHA1 810fa53a97fe42994f8a68698d582651d69cfd51
SHA256 ef3ddadb90dc73b73e25e9608626ce68d6778445812b8bd2f6c81e1f1e4bff16
SHA512 fba594183c7b672204330ca698f1e195026fc51d4e05db2c49e58a896c3b5e11e23286be0d6ffae3ec321e6c08322544df3c876dbce3c2e69a951985a84a2c91

C:\Users\Admin\AppData\Local\Temp\nsq7A71.tmp\7z-out\locales\ur.pak

MD5 1ca4fa13bd0089d65da7cd2376feb4c6
SHA1 b1ba777e635d78d1e98e43e82d0f7a3dd7e97f9c
SHA256 3941364d0278e2c4d686faa4a135d16a457b4bc98c5a08e62aa12f3adc09aa7f
SHA512 d0d9eb1aa029bd4c34953ee5f4b60c09cf1d4f0b21c061db4ede1b5ec65d7a07fc2f780ade5ce51f2f781d272ac32257b95eedf471f7295ba70b5ba51db6c51d

C:\Users\Admin\AppData\Local\Temp\nsq7A71.tmp\7z-out\locales\uk.pak

MD5 88d51b6df9f3cec54eda732dcf2c63fa
SHA1 a826200f112d5c69f1aa5837bc40d4c423515029
SHA256 e914b8956745a14d9d64f12698805e0910f9d3581dd380468949b54576fad2a6
SHA512 3ed8f2090497597d4e2583901993331de19f9dc787ea886dabdaf22a79aefa2956e63501c9a50be34fabf7287b6751f50d9a5105e4f16a579961ebc0d6eff14e

C:\Users\Admin\AppData\Local\Temp\nsq7A71.tmp\7z-out\locales\tr.pak

MD5 1525dd38ca529c56f9d3e08293385690
SHA1 e0dfb9d60a3469d701dcb9ead8f8cd2cfe6fd604
SHA256 5a7e1c8b572f67ed40e9d5107ddd6f8791b03138bb9933cfb26f1678b2c4a9cd
SHA512 195ffc165e45a51c12b03252759c5e1ff684e57b5994aeca608d40ef6799f29812add6fb2479e8e8c1655799f4dbf29e47272324b857b9161ad43a1b271eddfd

C:\Users\Admin\AppData\Local\Temp\nsq7A71.tmp\7z-out\locales\zh-TW.pak

MD5 c651e23053764c38a4e8a7f34317f19b
SHA1 93cd303c91024748d283c3779f11402cfb4f5c0b
SHA256 9689ba3f2dc7248a3ab5db3b97d473e29464afbc7f2d1c7035f7e8e9a1c05aa4
SHA512 1b7951fc4dcc2c08811dd3449fe2ce1302286b3eca21675adefa25a806ae7dcf91c565a111032fc5fda4dd9f5231875f0c77cdfd22ecc7d435450080d853a503

C:\Users\Admin\AppData\Local\Temp\nsq7A71.tmp\7z-out\locales\zh-CN.pak

MD5 0d5b72258b56c584113a022e16777387
SHA1 77f91e8c36befb818229ef8fef068e97f60ecf0f
SHA256 539f0bfdb461bf777aab14a4baaf47c8c32ae1856cc4ac93b23ce73dc50ba02a
SHA512 632c4ca60529c717fb2ba700d8f12017d097e67045639e2c30144a0372cecf595a2727d3505f019b91e8a15fe3259f2727bfb24e970dea8080a11e1a3dfa2068

C:\Users\Admin\AppData\Local\Temp\nsq7A71.tmp\7z-out\resources\elevate.exe

MD5 792b92c8ad13c46f27c7ced0810694df
SHA1 d8d449b92de20a57df722df46435ba4553ecc802
SHA256 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37
SHA512 6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40

\Users\Admin\AppData\Local\Temp\nsq7A71.tmp\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

\Users\Admin\AppData\Local\Temp\1b74dcd8-4eb9-44ea-b6bb-0581b9600cc0.tmp.node

MD5 aa8da32ebca307d4f99cf2da290afd22
SHA1 8590c0b54987ad6b0bc15a1aa66b9d2ca65ca899
SHA256 ed3a86d32e83849720e150c18c4d19c90cabe912d674624f34051c19936167db
SHA512 d7809a39922d99a716744e6cc17e4094930c40a8a21c983830c3570c4e52846151d66ad5d6021bc2a5b5fd29f520465b7b88f71cb86c30e0fadc4d0fb21ee1d7

\Users\Admin\AppData\Local\Temp\edc9869e-99d0-4838-87c2-9d1229575994.tmp.node

MD5 04bfbfec8db966420fe4c7b85ebb506a
SHA1 939bb742a354a92e1dcd3661a62d69e48030a335
SHA256 da2172ce055fa47d6a0ea1c90654f530abed33f69a74d52fab06c4c7653b48fd
SHA512 4ea97a9a120ed5bee8638e0a69561c2159fc3769062d7102167b0e92b4f1a5c002a761bd104282425f6cee8d0e39dbe7e12ad4e4a38570c3f90f31b65072dd65

memory/3704-576-0x000001DAB6610000-0x000001DAB6632000-memory.dmp

memory/3704-580-0x000001DACF520000-0x000001DACF596000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2utydbvl.ink.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/3704-607-0x000001DACEA00000-0x000001DACEA50000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\xx_lol\Browser.zip

MD5 76cdb2bad9582d23c1f6f4d868218d6c
SHA1 b04f3ee8f5e43fa3b162981b50bb72fe1acabb33
SHA256 8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85
SHA512 5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-02 15:27

Reported

2024-06-02 15:32

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Vanta\vanta_loader.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A

An obfuscated cmd.exe command-line is typically used to evade detection.

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A

Enumerates physical storage devices

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Vanta\vanta_loader.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4440 wrote to memory of 896 N/A C:\Users\Admin\AppData\Local\Temp\Vanta\vanta_loader.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
PID 896 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Windows\system32\cmd.exe
PID 3096 wrote to memory of 3940 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 896 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
PID 896 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
PID 896 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Windows\system32\cmd.exe
PID 1068 wrote to memory of 4816 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 896 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Windows\system32\cmd.exe
PID 4564 wrote to memory of 4072 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 896 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Vanta\vanta_loader.exe

"C:\Users\Admin\AppData\Local\Temp\Vanta\vanta_loader.exe"

C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe

C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe

"C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\runtimebroker" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1712 --field-trial-handle=1872,i,7575093169054160041,1976887113708811898,131072 --disable-features=BlinkSchedulerMicroTaskQueuePerWindowAgent,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe

"C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\runtimebroker" --mojo-platform-channel-handle=2064 --field-trial-handle=1872,i,7575093169054160041,1976887113708811898,131072 --disable-features=BlinkSchedulerMicroTaskQueuePerWindowAgent,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,109,211,117,219,116,17,4,75,135,49,110,122,19,80,22,166,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,103,196,233,202,173,72,72,111,7,114,28,211,134,137,138,195,205,140,24,52,98,3,53,175,108,94,233,109,120,13,191,242,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,253,164,105,22,43,133,116,221,247,237,98,114,58,232,68,141,195,104,11,211,142,38,107,135,14,111,162,45,53,235,31,47,48,0,0,0,139,129,220,128,239,193,169,178,87,248,198,148,105,101,8,160,179,42,9,89,217,234,203,86,195,57,172,165,43,228,26,244,208,40,230,36,7,44,174,141,191,53,41,170,221,213,229,5,64,0,0,0,198,79,68,77,86,136,101,82,59,161,186,12,144,63,199,97,136,128,241,73,129,107,45,134,96,189,169,77,167,179,78,57,191,71,192,110,77,78,200,202,72,215,75,168,16,28,54,110,129,153,155,136,70,130,53,219,254,80,11,199,4,34,251,178), $null, 'CurrentUser')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,109,211,117,219,116,17,4,75,135,49,110,122,19,80,22,166,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,103,196,233,202,173,72,72,111,7,114,28,211,134,137,138,195,205,140,24,52,98,3,53,175,108,94,233,109,120,13,191,242,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,253,164,105,22,43,133,116,221,247,237,98,114,58,232,68,141,195,104,11,211,142,38,107,135,14,111,162,45,53,235,31,47,48,0,0,0,139,129,220,128,239,193,169,178,87,248,198,148,105,101,8,160,179,42,9,89,217,234,203,86,195,57,172,165,43,228,26,244,208,40,230,36,7,44,174,141,191,53,41,170,221,213,229,5,64,0,0,0,198,79,68,77,86,136,101,82,59,161,186,12,144,63,199,97,136,128,241,73,129,107,45,134,96,189,169,77,167,179,78,57,191,71,192,110,77,78,200,202,72,215,75,168,16,28,54,110,129,153,155,136,70,130,53,219,254,80,11,199,4,34,251,178), $null, 'CurrentUser')

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,109,211,117,219,116,17,4,75,135,49,110,122,19,80,22,166,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,2,79,85,4,150,205,10,80,53,167,214,6,202,8,125,236,233,236,218,25,253,12,145,187,174,237,139,110,182,74,179,216,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,154,21,59,141,97,3,114,168,133,83,221,83,89,36,173,229,203,138,215,206,161,182,195,227,173,232,148,189,209,104,127,202,48,0,0,0,3,96,151,243,80,230,3,128,202,108,106,90,64,104,85,51,109,94,27,191,48,86,84,213,77,136,7,79,223,4,40,79,96,18,102,94,125,131,10,49,97,43,139,78,29,195,162,171,64,0,0,0,239,70,100,246,136,204,183,200,225,215,165,10,64,212,176,59,73,238,67,52,219,250,12,222,213,64,193,91,107,135,105,94,226,33,5,92,118,249,43,50,182,208,86,0,153,253,66,70,103,128,73,177,145,140,88,106,193,154,38,168,189,109,25,6), $null, 'CurrentUser')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,109,211,117,219,116,17,4,75,135,49,110,122,19,80,22,166,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,2,79,85,4,150,205,10,80,53,167,214,6,202,8,125,236,233,236,218,25,253,12,145,187,174,237,139,110,182,74,179,216,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,154,21,59,141,97,3,114,168,133,83,221,83,89,36,173,229,203,138,215,206,161,182,195,227,173,232,148,189,209,104,127,202,48,0,0,0,3,96,151,243,80,230,3,128,202,108,106,90,64,104,85,51,109,94,27,191,48,86,84,213,77,136,7,79,223,4,40,79,96,18,102,94,125,131,10,49,97,43,139,78,29,195,162,171,64,0,0,0,239,70,100,246,136,204,183,200,225,215,165,10,64,212,176,59,73,238,67,52,219,250,12,222,213,64,193,91,107,135,105,94,226,33,5,92,118,249,43,50,182,208,86,0,153,253,66,70,103,128,73,177,145,140,88,106,193,154,38,168,189,109,25,6), $null, 'CurrentUser')

C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe

"C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\runtimebroker" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1632 --field-trial-handle=1872,i,7575093169054160041,1976887113708811898,131072 --disable-features=BlinkSchedulerMicroTaskQueuePerWindowAgent,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 api.gofile.io udp
FR 51.38.43.18:443 api.gofile.io tcp
US 8.8.8.8:53 store1.gofile.io udp
FR 45.112.123.227:443 store1.gofile.io tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 18.43.38.51.in-addr.arpa udp
FR 51.38.43.18:443 api.gofile.io tcp
US 8.8.8.8:53 store3.gofile.io udp
US 136.175.10.233:443 store3.gofile.io tcp
US 8.8.8.8:53 227.123.112.45.in-addr.arpa udp
US 8.8.8.8:53 233.10.175.136.in-addr.arpa udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:443 dns.google tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
FR 51.38.43.18:443 api.gofile.io tcp
US 136.175.10.233:443 store3.gofile.io tcp
FR 51.38.43.18:443 api.gofile.io tcp
FR 45.112.123.227:443 store1.gofile.io tcp
US 8.8.8.8:53 discord.com udp
FR 51.38.43.18:443 api.gofile.io tcp
US 162.159.128.233:443 discord.com tcp
US 8.8.8.8:53 233.128.159.162.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 10.179.89.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsp2DF6.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

C:\Users\Admin\AppData\Local\Temp\nsp2DF6.tmp\nsis7z.dll

MD5 80e44ce4895304c6a3a831310fbf8cd0
SHA1 36bd49ae21c460be5753a904b4501f1abca53508
SHA256 b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592
SHA512 c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\chrome_100_percent.pak

MD5 8626e1d68e87f86c5b4dabdf66591913
SHA1 4cd7b0ac0d3f72587708064a7b0a3beca3f7b81c
SHA256 2caa1da9b6a6e87bdb673977fee5dd771591a1b6ed5d3c5f14b024130a5d1a59
SHA512 03bcd8562482009060f249d6a0dd7382fc94d669a2094dec08e8d119be51bef2c3b7b484bb5b7f805ae98e372dab9383a2c11a63ab0f5644146556b1bb9a4c99

C:\Users\Admin\AppData\Local\Temp\nsp2DF6.tmp\7z-out\chrome_200_percent.pak

MD5 48515d600258d60019c6b9c6421f79f6
SHA1 0ef0b44641d38327a360aa6954b3b6e5aab2af16
SHA256 07bee34e189fe9a8789aed78ea59ad41414b6e611e7d74da62f8e6ca36af01ce
SHA512 b7266bc8abc55bd389f594dac0c0641ecf07703f35d769b87e731b5fdf4353316d44f3782a4329b3f0e260dead6b114426ddb1b0fb8cd4a51e0b90635f1191d9

C:\Users\Admin\AppData\Local\Temp\nsp2DF6.tmp\7z-out\d3dcompiler_47.dll

MD5 cb9807f6cf55ad799e920b7e0f97df99
SHA1 bb76012ded5acd103adad49436612d073d159b29
SHA256 5653bc7b0e2701561464ef36602ff6171c96bffe96e4c3597359cd7addcba88a
SHA512 f7c65bae4ede13616330ae46a197ebad106920dce6a31fd5a658da29ed1473234ca9e2b39cc9833ff903fb6b52ff19e39e6397fac02f005823ed366ca7a34f62

C:\Users\Admin\AppData\Local\Temp\nsp2DF6.tmp\7z-out\libEGL.dll

MD5 13318cb90b385fb918ba6e07f1fd8d83
SHA1 899985a7608268893c7fc1c9810568bdd8294b81
SHA256 53a2d4c5ae582f15aad481e75e516ddabce9b756e553bed33720a66d2c5f736d
SHA512 b5418f6bd2ab883dc1ef4d9f2c0a976296d06fe1309c6db7331a3470f198505561cabd41ecd05e675b90076196b4f82e8a9ef0574cfe96869bfb24d07cc82450

C:\Users\Admin\AppData\Local\Temp\nsp2DF6.tmp\7z-out\icudtl.dat

MD5 2c367970ac87a9275eeec5629bb6fc3d
SHA1 399324d1aeee5e74747a6873501a1ee5aac005ee
SHA256 17d57b17d12dc5cfbf06413d68a06f45ccf245f4abdf5429f30256977c4ed6de
SHA512 f788a0d35f9e4bebe641ee67fff14968b62891f52d05bf638cd2c845df87f2e107c42a32bbe62f389f05e5673fe55cbdb85258571e698325400705cd7b16db01

C:\Users\Admin\AppData\Local\Temp\nsp2DF6.tmp\7z-out\ffmpeg.dll

MD5 6418dfc9980cc0416a327961dacd41df
SHA1 2e32ab8ea0059606dfe66e978c271e0852406215
SHA256 04bd8ee92194f076686eab2a94a119629b6d61e554782a0d4520359f1ceb24a9
SHA512 d3e98fe91bfa4f7b9363d8fbb6997f20f76a638bcb5345d9280f919a4bf13dfa02d190534d1965eccd95f2300f6b4d29b6eaec5d544e5428377d1e26daf501a1

C:\Users\Admin\AppData\Local\Temp\nsp2DF6.tmp\7z-out\libGLESv2.dll

MD5 ad3edee84b49923e4847119eb4d6c6b7
SHA1 8649be26571d3fa645c416f36c1bdc0b27f1d478
SHA256 51c9f2e9aecf5745ad343185cd39a05f581c2062d644bedcb25a5ef4b9624591
SHA512 e504996b8371f294fa8a5173da48256e9070156249bdd7431e3adeacbd99f7cf39dc3c0876c4aa11da8d1932147cfaff91764c517a70d69d8c8e4876abbeea56

C:\Users\Admin\AppData\Local\Temp\nsp2DF6.tmp\7z-out\LICENSE.electron.txt

MD5 4d42118d35941e0f664dddbd83f633c5
SHA1 2b21ec5f20fe961d15f2b58efb1368e66d202e5c
SHA256 5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d
SHA512 3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63

C:\Users\Admin\AppData\Local\Temp\nsp2DF6.tmp\7z-out\LICENSES.chromium.html

MD5 c3528648bedbde1223a2faab1a3f9af3
SHA1 934d3c8f184258338ff380964ed89053ce69ac5b
SHA256 57b8e5a3f2cd62805001aefca035c7348b4d1abac157e6df3d798bb31f2ec3d2
SHA512 3e3cc0fd7a55f67ee0afff9696beef33bdc9524375bbe9d8e8f7660fd408c756c1156ca0b02ecccdc22799c7b8e74dbde012732ad6b3ebe0a3cfc54ff5132b35

C:\Users\Admin\AppData\Local\Temp\nsp2DF6.tmp\7z-out\resources.pak

MD5 9d000106fc3192e4c3d47031cf450131
SHA1 814c455baba7dd4d9354ed061522fc4caad3e7b4
SHA256 d0e884b68e2b79162e88b5d4a593c3bb4a7c60c5c62f4e3cc69a346727e6f7eb
SHA512 b19e926fc5223375685854a0b26a04efdcd8128e44b3b56f3ed2cccb860b9069ff6e49dbae053a4287f12de6796643021a316baaf3f8505f5574171d8c6cf885

C:\Users\Admin\AppData\Local\Temp\nsp2DF6.tmp\7z-out\snapshot_blob.bin

MD5 ac47bd259a01da6c51f750ea210b52bf
SHA1 d6682fc4a07ff2313bc8428137f533e8947692a3
SHA256 e87fb952df8e36a5461f328c37afd701f20c427810824e9541709cccb87c22b3
SHA512 9bbd6e39597181da2cdaa0e3b4569e0a7a67b44f37be20b0bbe7cb6323501835427ce84044203c66c98b98fcf4e8e356e983be0e085f3020df93022d9c7e0135

C:\Users\Admin\AppData\Local\Temp\nsp2DF6.tmp\7z-out\v8_context_snapshot.bin

C:\Users\Admin\AppData\Local\Temp\nsp2DF6.tmp\7z-out\vk_swiftshader.dll

C:\Users\Admin\AppData\Local\Temp\nsp2DF6.tmp\7z-out\vulkan-1.dll

C:\Users\Admin\AppData\Local\Temp\nsp2DF6.tmp\7z-out\vk_swiftshader_icd.json

C:\Users\Admin\AppData\Local\Temp\nsp2DF6.tmp\7z-out\locales\af.pak

C:\Users\Admin\AppData\Local\Temp\nsp2DF6.tmp\7z-out\locales\ar.pak

C:\Users\Admin\AppData\Local\Temp\nsp2DF6.tmp\7z-out\locales\bg.pak

C:\Users\Admin\AppData\Local\Temp\nsp2DF6.tmp\7z-out\locales\am.pak

C:\Users\Admin\AppData\Local\Temp\nsp2DF6.tmp\7z-out\locales\cs.pak

C:\Users\Admin\AppData\Local\Temp\nsp2DF6.tmp\7z-out\locales\el.pak

C:\Users\Admin\AppData\Local\Temp\nsp2DF6.tmp\7z-out\locales\de.pak

C:\Users\Admin\AppData\Local\Temp\nsp2DF6.tmp\7z-out\locales\da.pak

C:\Users\Admin\AppData\Local\Temp\nsp2DF6.tmp\7z-out\locales\ca.pak

C:\Users\Admin\AppData\Local\Temp\nsp2DF6.tmp\7z-out\locales\bn.pak

C:\Users\Admin\AppData\Local\Temp\nsp2DF6.tmp\7z-out\locales\en-GB.pak

C:\Users\Admin\AppData\Local\Temp\nsp2DF6.tmp\7z-out\locales\et.pak

C:\Users\Admin\AppData\Local\Temp\nsp2DF6.tmp\7z-out\locales\es.pak

C:\Users\Admin\AppData\Local\Temp\nsp2DF6.tmp\7z-out\locales\es-419.pak

C:\Users\Admin\AppData\Local\Temp\nsp2DF6.tmp\7z-out\locales\en-US.pak

C:\Users\Admin\AppData\Local\Temp\nsp2DF6.tmp\7z-out\locales\fa.pak

C:\Users\Admin\AppData\Local\Temp\nsp2DF6.tmp\7z-out\locales\fi.pak

C:\Users\Admin\AppData\Local\Temp\nsp2DF6.tmp\7z-out\locales\he.pak

C:\Users\Admin\AppData\Local\Temp\nsp2DF6.tmp\7z-out\locales\gu.pak

C:\Users\Admin\AppData\Local\Temp\nsp2DF6.tmp\7z-out\locales\fr.pak

C:\Users\Admin\AppData\Local\Temp\nsp2DF6.tmp\7z-out\locales\fil.pak

C:\Users\Admin\AppData\Local\Temp\nsp2DF6.tmp\7z-out\locales\hi.pak

C:\Users\Admin\AppData\Local\Temp\nsp2DF6.tmp\7z-out\locales\id.pak

C:\Users\Admin\AppData\Local\Temp\nsp2DF6.tmp\7z-out\locales\hu.pak

C:\Users\Admin\AppData\Local\Temp\nsp2DF6.tmp\7z-out\locales\hr.pak

C:\Users\Admin\AppData\Local\Temp\nsp2DF6.tmp\7z-out\locales\ja.pak

C:\Users\Admin\AppData\Local\Temp\nsp2DF6.tmp\7z-out\locales\it.pak

C:\Users\Admin\AppData\Local\Temp\nsp2DF6.tmp\7z-out\locales\lt.pak

C:\Users\Admin\AppData\Local\Temp\nsp2DF6.tmp\7z-out\locales\ko.pak

C:\Users\Admin\AppData\Local\Temp\nsp2DF6.tmp\7z-out\locales\kn.pak

C:\Users\Admin\AppData\Local\Temp\nsp2DF6.tmp\7z-out\locales\ml.pak

C:\Users\Admin\AppData\Local\Temp\nsp2DF6.tmp\7z-out\locales\lv.pak

C:\Users\Admin\AppData\Local\Temp\nsp2DF6.tmp\7z-out\locales\ro.pak

C:\Users\Admin\AppData\Local\Temp\nsp2DF6.tmp\7z-out\locales\pt-PT.pak

C:\Users\Admin\AppData\Local\Temp\nsp2DF6.tmp\7z-out\locales\pt-BR.pak

C:\Users\Admin\AppData\Local\Temp\nsp2DF6.tmp\7z-out\locales\pl.pak

C:\Users\Admin\AppData\Local\Temp\nsp2DF6.tmp\7z-out\locales\nl.pak

C:\Users\Admin\AppData\Local\Temp\nsp2DF6.tmp\7z-out\locales\nb.pak

C:\Users\Admin\AppData\Local\Temp\nsp2DF6.tmp\7z-out\locales\ms.pak

C:\Users\Admin\AppData\Local\Temp\nsp2DF6.tmp\7z-out\locales\mr.pak

C:\Users\Admin\AppData\Local\Temp\nsp2DF6.tmp\7z-out\locales\sk.pak

C:\Users\Admin\AppData\Local\Temp\nsp2DF6.tmp\7z-out\locales\ru.pak

C:\Users\Admin\AppData\Local\Temp\nsp2DF6.tmp\7z-out\locales\sw.pak

C:\Users\Admin\AppData\Local\Temp\nsp2DF6.tmp\7z-out\locales\sv.pak

C:\Users\Admin\AppData\Local\Temp\nsp2DF6.tmp\7z-out\locales\sr.pak

C:\Users\Admin\AppData\Local\Temp\nsp2DF6.tmp\7z-out\locales\sl.pak

C:\Users\Admin\AppData\Local\Temp\nsp2DF6.tmp\7z-out\locales\vi.pak

C:\Users\Admin\AppData\Local\Temp\nsp2DF6.tmp\7z-out\locales\zh-CN.pak

C:\Users\Admin\AppData\Local\Temp\nsp2DF6.tmp\7z-out\locales\ur.pak

C:\Users\Admin\AppData\Local\Temp\nsp2DF6.tmp\7z-out\locales\uk.pak

C:\Users\Admin\AppData\Local\Temp\nsp2DF6.tmp\7z-out\locales\tr.pak

C:\Users\Admin\AppData\Local\Temp\nsp2DF6.tmp\7z-out\locales\th.pak

C:\Users\Admin\AppData\Local\Temp\nsp2DF6.tmp\7z-out\locales\te.pak

C:\Users\Admin\AppData\Local\Temp\nsp2DF6.tmp\7z-out\locales\ta.pak

C:\Users\Admin\AppData\Local\Temp\nsp2DF6.tmp\7z-out\locales\zh-TW.pak

C:\Users\Admin\AppData\Local\Temp\nsp2DF6.tmp\7z-out\resources\elevate.exe

C:\Users\Admin\AppData\Local\Temp\nsp2DF6.tmp\StdUtils.dll

C:\Users\Admin\AppData\Local\Temp\11fe04b3-6089-40b5-b2c9-0785face5c1a.tmp.node

C:\Users\Admin\AppData\Local\Temp\9c37089c-fab4-433c-abe4-8650e7d53e50.tmp.node

memory/4816-568-0x000002B1F76C0000-0x000002B1F76E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wjzew3or.3qu.ps1

memory/4816-573-0x000002B1F7840000-0x000002B1F7890000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\xx_lol\Browser.zip

memory/1732-636-0x000002C1F63F0000-0x000002C1F63F1000-memory.dmp

memory/1732-638-0x000002C1F63F0000-0x000002C1F63F1000-memory.dmp

memory/1732-637-0x000002C1F63F0000-0x000002C1F63F1000-memory.dmp

memory/1732-642-0x000002C1F63F0000-0x000002C1F63F1000-memory.dmp

memory/1732-648-0x000002C1F63F0000-0x000002C1F63F1000-memory.dmp

memory/1732-647-0x000002C1F63F0000-0x000002C1F63F1000-memory.dmp

memory/1732-646-0x000002C1F63F0000-0x000002C1F63F1000-memory.dmp

memory/1732-645-0x000002C1F63F0000-0x000002C1F63F1000-memory.dmp

memory/1732-644-0x000002C1F63F0000-0x000002C1F63F1000-memory.dmp

memory/1732-643-0x000002C1F63F0000-0x000002C1F63F1000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-02 15:27

Reported

2024-06-02 15:32

Platform

win11-20240426-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Vanta\vanta_loader.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A

An obfuscated cmd.exe command-line is typically used to evade detection.

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A

Enumerates physical storage devices

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Vanta\vanta_loader.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4640 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\Vanta\vanta_loader.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
PID 4640 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\Vanta\vanta_loader.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
PID 2976 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Windows\system32\cmd.exe
PID 2976 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Windows\system32\cmd.exe
PID 684 wrote to memory of 4624 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 684 wrote to memory of 4624 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2976 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
PID 2976 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
PID 2976 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
PID 2976 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
PID 2976 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
PID 2976 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
PID 2976 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
PID 2976 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
PID 2976 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
PID 2976 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
PID 2976 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
PID 2976 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
PID 2976 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
PID 2976 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
PID 2976 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
PID 2976 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
PID 2976 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
PID 2976 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
PID 2976 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
PID 2976 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
PID 2976 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
PID 2976 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
PID 2976 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
PID 2976 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
PID 2976 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
PID 2976 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
PID 2976 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
PID 2976 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
PID 2976 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
PID 2976 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
PID 2976 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
PID 2976 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
PID 2976 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
PID 2976 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Windows\system32\cmd.exe
PID 2976 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Windows\system32\cmd.exe
PID 1304 wrote to memory of 1816 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1304 wrote to memory of 1816 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Windows\system32\cmd.exe
PID 2976 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Windows\system32\cmd.exe
PID 2968 wrote to memory of 1916 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2968 wrote to memory of 1916 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
PID 2976 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Vanta\vanta_loader.exe

"C:\Users\Admin\AppData\Local\Temp\Vanta\vanta_loader.exe"

C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe

C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe

"C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\runtimebroker" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1664 --field-trial-handle=1800,i,689838966301595544,4515285001797431330,131072 --disable-features=BlinkSchedulerMicroTaskQueuePerWindowAgent,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe

"C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\runtimebroker" --mojo-platform-channel-handle=2016 --field-trial-handle=1800,i,689838966301595544,4515285001797431330,131072 --disable-features=BlinkSchedulerMicroTaskQueuePerWindowAgent,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,31,170,158,100,154,202,130,65,188,136,61,190,37,13,210,245,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,252,139,30,123,228,192,187,140,239,67,180,24,134,251,227,238,99,9,218,151,231,95,16,69,142,240,97,189,145,105,15,83,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,189,134,149,50,87,214,180,219,87,15,83,156,29,147,81,187,26,12,174,190,35,98,112,152,64,233,23,163,65,42,88,19,48,0,0,0,168,246,28,18,217,105,206,128,6,155,190,201,196,81,27,243,156,235,62,23,106,193,28,147,8,19,227,161,240,105,31,159,38,130,223,115,188,232,168,168,67,102,247,148,76,44,64,177,64,0,0,0,83,41,67,110,118,184,143,249,194,236,254,165,180,252,118,211,130,156,44,31,53,91,221,36,61,30,17,95,43,144,36,172,238,185,117,70,233,8,162,233,220,199,248,195,235,238,113,199,35,186,175,27,249,75,200,110,112,249,194,212,193,88,198,169), $null, 'CurrentUser')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,31,170,158,100,154,202,130,65,188,136,61,190,37,13,210,245,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,252,139,30,123,228,192,187,140,239,67,180,24,134,251,227,238,99,9,218,151,231,95,16,69,142,240,97,189,145,105,15,83,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,189,134,149,50,87,214,180,219,87,15,83,156,29,147,81,187,26,12,174,190,35,98,112,152,64,233,23,163,65,42,88,19,48,0,0,0,168,246,28,18,217,105,206,128,6,155,190,201,196,81,27,243,156,235,62,23,106,193,28,147,8,19,227,161,240,105,31,159,38,130,223,115,188,232,168,168,67,102,247,148,76,44,64,177,64,0,0,0,83,41,67,110,118,184,143,249,194,236,254,165,180,252,118,211,130,156,44,31,53,91,221,36,61,30,17,95,43,144,36,172,238,185,117,70,233,8,162,233,220,199,248,195,235,238,113,199,35,186,175,27,249,75,200,110,112,249,194,212,193,88,198,169), $null, 'CurrentUser')

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,31,170,158,100,154,202,130,65,188,136,61,190,37,13,210,245,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,59,197,178,142,198,54,44,85,94,240,162,94,206,220,140,206,83,152,49,80,56,235,190,153,126,108,92,97,213,225,99,46,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,178,224,21,7,227,16,164,47,41,37,119,73,199,253,249,157,197,67,6,227,48,110,156,151,253,243,181,159,237,5,111,67,48,0,0,0,86,89,170,152,202,99,182,189,248,112,174,78,23,219,205,173,25,250,152,161,85,172,183,246,29,128,204,198,13,66,192,204,255,8,240,75,24,118,174,164,206,84,92,155,204,210,112,50,64,0,0,0,52,201,148,175,203,105,182,242,59,44,32,101,131,56,204,85,225,240,35,148,94,155,37,94,200,18,91,173,197,161,186,98,112,245,208,35,54,180,172,145,153,169,31,25,37,191,157,219,217,244,203,107,95,41,202,201,203,133,154,118,10,92,226,226), $null, 'CurrentUser')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,31,170,158,100,154,202,130,65,188,136,61,190,37,13,210,245,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,59,197,178,142,198,54,44,85,94,240,162,94,206,220,140,206,83,152,49,80,56,235,190,153,126,108,92,97,213,225,99,46,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,178,224,21,7,227,16,164,47,41,37,119,73,199,253,249,157,197,67,6,227,48,110,156,151,253,243,181,159,237,5,111,67,48,0,0,0,86,89,170,152,202,99,182,189,248,112,174,78,23,219,205,173,25,250,152,161,85,172,183,246,29,128,204,198,13,66,192,204,255,8,240,75,24,118,174,164,206,84,92,155,204,210,112,50,64,0,0,0,52,201,148,175,203,105,182,242,59,44,32,101,131,56,204,85,225,240,35,148,94,155,37,94,200,18,91,173,197,161,186,98,112,245,208,35,54,180,172,145,153,169,31,25,37,191,157,219,217,244,203,107,95,41,202,201,203,133,154,118,10,92,226,226), $null, 'CurrentUser')

C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe

"C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --user-data-dir="C:\Users\Admin\AppData\Roaming\runtimebroker" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1336 --field-trial-handle=1800,i,689838966301595544,4515285001797431330,131072 --disable-features=BlinkSchedulerMicroTaskQueuePerWindowAgent,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.gofile.io udp
FR 51.38.43.18:443 api.gofile.io tcp
US 136.175.10.233:443 store3.gofile.io tcp
US 8.8.8.8:53 18.43.38.51.in-addr.arpa udp
FR 51.38.43.18:443 api.gofile.io tcp
FR 45.112.123.227:443 store1.gofile.io tcp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:443 dns.google tcp
FR 51.38.43.18:443 api.gofile.io tcp
FR 45.112.123.227:443 store1.gofile.io tcp
FR 51.38.43.18:443 api.gofile.io tcp
US 136.175.10.233:443 store3.gofile.io tcp
FR 51.38.43.18:443 api.gofile.io tcp
US 162.159.135.232:443 discord.com tcp
US 136.175.10.233:443 store3.gofile.io tcp
FR 51.38.43.18:443 api.gofile.io tcp

Files

C:\Users\Admin\AppData\Local\Temp\nsa61E7.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

C:\Users\Admin\AppData\Local\Temp\nsa61E7.tmp\nsis7z.dll

MD5 80e44ce4895304c6a3a831310fbf8cd0
SHA1 36bd49ae21c460be5753a904b4501f1abca53508
SHA256 b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592
SHA512 c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\chrome_100_percent.pak

MD5 8626e1d68e87f86c5b4dabdf66591913
SHA1 4cd7b0ac0d3f72587708064a7b0a3beca3f7b81c
SHA256 2caa1da9b6a6e87bdb673977fee5dd771591a1b6ed5d3c5f14b024130a5d1a59
SHA512 03bcd8562482009060f249d6a0dd7382fc94d669a2094dec08e8d119be51bef2c3b7b484bb5b7f805ae98e372dab9383a2c11a63ab0f5644146556b1bb9a4c99

C:\Users\Admin\AppData\Local\Temp\nsa61E7.tmp\7z-out\chrome_200_percent.pak

MD5 48515d600258d60019c6b9c6421f79f6
SHA1 0ef0b44641d38327a360aa6954b3b6e5aab2af16
SHA256 07bee34e189fe9a8789aed78ea59ad41414b6e611e7d74da62f8e6ca36af01ce
SHA512 b7266bc8abc55bd389f594dac0c0641ecf07703f35d769b87e731b5fdf4353316d44f3782a4329b3f0e260dead6b114426ddb1b0fb8cd4a51e0b90635f1191d9

C:\Users\Admin\AppData\Local\Temp\nsa61E7.tmp\7z-out\libGLESv2.dll

MD5 ad3edee84b49923e4847119eb4d6c6b7
SHA1 8649be26571d3fa645c416f36c1bdc0b27f1d478
SHA256 51c9f2e9aecf5745ad343185cd39a05f581c2062d644bedcb25a5ef4b9624591
SHA512 e504996b8371f294fa8a5173da48256e9070156249bdd7431e3adeacbd99f7cf39dc3c0876c4aa11da8d1932147cfaff91764c517a70d69d8c8e4876abbeea56

C:\Users\Admin\AppData\Local\Temp\nsa61E7.tmp\7z-out\libEGL.dll

MD5 13318cb90b385fb918ba6e07f1fd8d83
SHA1 899985a7608268893c7fc1c9810568bdd8294b81
SHA256 53a2d4c5ae582f15aad481e75e516ddabce9b756e553bed33720a66d2c5f736d
SHA512 b5418f6bd2ab883dc1ef4d9f2c0a976296d06fe1309c6db7331a3470f198505561cabd41ecd05e675b90076196b4f82e8a9ef0574cfe96869bfb24d07cc82450

C:\Users\Admin\AppData\Local\Temp\nsa61E7.tmp\7z-out\resources.pak

MD5 9d000106fc3192e4c3d47031cf450131
SHA1 814c455baba7dd4d9354ed061522fc4caad3e7b4
SHA256 d0e884b68e2b79162e88b5d4a593c3bb4a7c60c5c62f4e3cc69a346727e6f7eb
SHA512 b19e926fc5223375685854a0b26a04efdcd8128e44b3b56f3ed2cccb860b9069ff6e49dbae053a4287f12de6796643021a316baaf3f8505f5574171d8c6cf885

C:\Users\Admin\AppData\Local\Temp\nsa61E7.tmp\7z-out\LICENSES.chromium.html

MD5 c3528648bedbde1223a2faab1a3f9af3
SHA1 934d3c8f184258338ff380964ed89053ce69ac5b
SHA256 57b8e5a3f2cd62805001aefca035c7348b4d1abac157e6df3d798bb31f2ec3d2
SHA512 3e3cc0fd7a55f67ee0afff9696beef33bdc9524375bbe9d8e8f7660fd408c756c1156ca0b02ecccdc22799c7b8e74dbde012732ad6b3ebe0a3cfc54ff5132b35

C:\Users\Admin\AppData\Local\Temp\nsa61E7.tmp\7z-out\LICENSE.electron.txt

MD5 4d42118d35941e0f664dddbd83f633c5
SHA1 2b21ec5f20fe961d15f2b58efb1368e66d202e5c
SHA256 5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d
SHA512 3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63

C:\Users\Admin\AppData\Local\Temp\nsa61E7.tmp\7z-out\icudtl.dat

MD5 2c367970ac87a9275eeec5629bb6fc3d
SHA1 399324d1aeee5e74747a6873501a1ee5aac005ee
SHA256 17d57b17d12dc5cfbf06413d68a06f45ccf245f4abdf5429f30256977c4ed6de
SHA512 f788a0d35f9e4bebe641ee67fff14968b62891f52d05bf638cd2c845df87f2e107c42a32bbe62f389f05e5673fe55cbdb85258571e698325400705cd7b16db01

C:\Users\Admin\AppData\Local\Temp\nsa61E7.tmp\7z-out\ffmpeg.dll

MD5 6418dfc9980cc0416a327961dacd41df
SHA1 2e32ab8ea0059606dfe66e978c271e0852406215
SHA256 04bd8ee92194f076686eab2a94a119629b6d61e554782a0d4520359f1ceb24a9
SHA512 d3e98fe91bfa4f7b9363d8fbb6997f20f76a638bcb5345d9280f919a4bf13dfa02d190534d1965eccd95f2300f6b4d29b6eaec5d544e5428377d1e26daf501a1

C:\Users\Admin\AppData\Local\Temp\nsa61E7.tmp\7z-out\d3dcompiler_47.dll

MD5 cb9807f6cf55ad799e920b7e0f97df99
SHA1 bb76012ded5acd103adad49436612d073d159b29
SHA256 5653bc7b0e2701561464ef36602ff6171c96bffe96e4c3597359cd7addcba88a
SHA512 f7c65bae4ede13616330ae46a197ebad106920dce6a31fd5a658da29ed1473234ca9e2b39cc9833ff903fb6b52ff19e39e6397fac02f005823ed366ca7a34f62

C:\Users\Admin\AppData\Local\Temp\nsa61E7.tmp\7z-out\v8_context_snapshot.bin

MD5 4d89b46abac43cfaec5c80ab2f735e15
SHA1 8985d96af0017b78c9b3791ea2ead72f3e32c844
SHA256 4f69d3512c141d88a6137b08a1da04ab80d8e685bd5e9378865d6de828f0cb5a
SHA512 477a676586b066813f1d469be6891b2cbd9575528d4279fd7da34f359057ee6025f82ce31c57a9e90658d52fd2e94779bd5a8a9c3d8f2283874450f4285da3bb

C:\Users\Admin\AppData\Local\Temp\nsa61E7.tmp\7z-out\snapshot_blob.bin

MD5 ac47bd259a01da6c51f750ea210b52bf
SHA1 d6682fc4a07ff2313bc8428137f533e8947692a3
SHA256 e87fb952df8e36a5461f328c37afd701f20c427810824e9541709cccb87c22b3
SHA512 9bbd6e39597181da2cdaa0e3b4569e0a7a67b44f37be20b0bbe7cb6323501835427ce84044203c66c98b98fcf4e8e356e983be0e085f3020df93022d9c7e0135

C:\Users\Admin\AppData\Local\Temp\nsa61E7.tmp\7z-out\locales\ar.pak

MD5 6352905a290802a05dd3a64d22216f6e
SHA1 11adb10f0678079c8f73779bb039e12329bcaac7
SHA256 00861d9fa5763cc5c3152edb4a5c956c6bc4f56311ce2ed9e6b496181624ab5e
SHA512 0b0dbad8201ebd1a7dc2cfb11325c509efbcced3ac3d337915cf2972defe2304ea9f8af91d9362cb51333459900a80b714e7302a6483ad58fd64404f8410b6ea

C:\Users\Admin\AppData\Local\Temp\nsa61E7.tmp\7z-out\locales\am.pak

MD5 2c933f084d960f8094e24bee73fa826c
SHA1 91dfddc2cff764275872149d454a8397a1a20ab1
SHA256 fa1e44215bd5acc7342c431a3b1fddb6e8b6b02220b4599167f7d77a29f54450
SHA512 3c9ecfb0407de2aa6585f4865ad54eeb2ec6519c9d346e2d33ed0e30be6cc3ebfed676a08637d42c2ca8fa6cfefb4091feb0c922ff71f09a2b89cdd488789774

C:\Users\Admin\AppData\Local\Temp\nsa61E7.tmp\7z-out\locales\af.pak

MD5 464e5eeaba5eff8bc93995ba2cb2d73f
SHA1 3b216e0c5246c874ad0ad7d3e1636384dad2255d
SHA256 0ad547bb1dc57907adeb02e1be3017cce78f6e60b8b39395fe0e8b62285797a1
SHA512 726d6c41a9dbf1f5f2eff5b503ab68d879b088b801832c13fba7eb853302b16118cacda4748a4144af0f396074449245a42b2fe240429b1afcb7197fa0cb6d41

C:\Users\Admin\AppData\Local\Temp\nsa61E7.tmp\7z-out\vulkan-1.dll

MD5 7fdd1bec727e2b389c8ca84c407446c6
SHA1 a91343d9f52883325f52f28c5dd142f4ae07b3ef
SHA256 d04035c59f49444bd3cafd71296afd70bad5daa6e28bf5d7de3ffd0e36a85938
SHA512 2fdd95185507be9bcbf6cfe1f05ba47e71203b1dc3ce4cc1553e5fcfb576ab89bf018a8927fc5e6e451b00f56f7abb5f2efd504e1a674b42dbe80deeb13d669a

C:\Users\Admin\AppData\Local\Temp\nsa61E7.tmp\7z-out\vk_swiftshader_icd.json

MD5 8642dd3a87e2de6e991fae08458e302b
SHA1 9c06735c31cec00600fd763a92f8112d085bd12a
SHA256 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9
SHA512 f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

C:\Users\Admin\AppData\Local\Temp\nsa61E7.tmp\7z-out\vk_swiftshader.dll

MD5 30d193f1976035cebec2c2d8f071c556
SHA1 97b1d811743f03e888c22d975c9eb77ba92142b9
SHA256 600e158b7d7fb95eb63552da1ae8159a6eb9bb04ff6341d11db2d10bd6c30c8e
SHA512 4eb6ec91fb060f67ea126c9c7dd7f672161d86302db41c7d999f33239a7c18062cc020c06ab9571f8023c846d22bd0fa5c020fb4c710bf6a21472002dccb6226

C:\Users\Admin\AppData\Local\Temp\nsa61E7.tmp\7z-out\locales\cs.pak

MD5 f36f1b2ff12fb87a578c36f73f5aac83
SHA1 73f61f7b6f191468ff4d9566a0bb6eccf1069cac
SHA256 877a0a3dcb5d393365b2f775faff0d3593dd84b380a27dc72025597061a50ba7
SHA512 c61a38f937dcc90c7dd5b87d9514147b6362d339d9af85bcb3677bb12ae5715d05426f6e67ffd3b441cc41530883a227096b4135b98f2d5c73f51612e0a0e4c9

C:\Users\Admin\AppData\Local\Temp\nsa61E7.tmp\7z-out\locales\fa.pak

MD5 e861a65f12b38a3def1fe9e933cae275
SHA1 8d083b5902a15a63ef11c7783f12e088d333fcf5
SHA256 f9a8e3b9bbc809f11cc3dc32811940e033bd78a31ec154d28321473f8efa1e4d
SHA512 d1fe91c693c794b4a4d60560800c919977654832e8f6e34fb1ec0ffbf5c411cf35b0a0e22e036dca48a246ab8d6bea0427c5ceb232d460e9c59cf4163d55314c

C:\Users\Admin\AppData\Local\Temp\nsa61E7.tmp\7z-out\locales\hu.pak

MD5 2aa0a175df21583a68176742400c6508
SHA1 3c25ba31c2b698e0c88e7d01b2cc241f0916e79a
SHA256 b59f932df822ab1a87e8aab4bbb7c549db15899f259f4c50ae28f8d8c7ce1e72
SHA512 03a16feb0601407e96bcb43af9bdb21e5218c2700c9f3cfd5f9690d0b4528f9dc17e4cc690d8c9132d4e0b26d7faafd90aa3f5e57237e06fb81aab7ab77f6c03

C:\Users\Admin\AppData\Local\Temp\nsa61E7.tmp\7z-out\locales\it.pak

MD5 8cde7372fc5095e581bf64fb77e04d61
SHA1 0d30e0ae2c401a06ffb4056bab44d2b5d3970492
SHA256 d011fd39c3cbab740a7944a60a8dd48d6f76c563ea473cfd1f569c5e6fc9fa4e
SHA512 83778880ad95b39b5746d512aa116b05928f580f0c5e75b45cddcb80addb24cf079f73f65771e1d75ca18925ea6fdb86283aa060af2cd1308dee53ee728f76e8

C:\Users\Admin\AppData\Local\Temp\nsa61E7.tmp\7z-out\locales\sl.pak

MD5 83ef046784c1b113e827cb744bcb8656
SHA1 f6f3e0e975e7d3ca8e06f1988cb8a1c182eea734
SHA256 ab2079923e2baa27c220df2f1559af8edc785f8e9fe2e12c8ecb0e0e7e7d0a09
SHA512 f62f7e1eee91f5d42d591abbc7cb0fdf639834090824e7ab7f4dffb1e6c108c540074fdbadd5e153caecdb37b722ed9f737f13cbab387685013781949b9ee321

C:\Users\Admin\AppData\Local\Temp\nsa61E7.tmp\7z-out\locales\ta.pak

MD5 292f763cb8eb588659eb7cc25cf57d2e
SHA1 dc42622f272843cb3afce9968146b85a98485237
SHA256 d5bfe0699342b8bba6c4c73c115b1c7f3f903c4ed95d77461c34369f2f60d5ee
SHA512 100ec32914f0d140baa414180cb2ba34e95f75ab73a0c036d6d5ebb64cc69b2b7c62b9e3f9de192bab8ddac3b387b953bed2ca1fd3bf0aab0198b9c1f2911151

C:\Users\Admin\AppData\Local\Temp\nsa61E7.tmp\7z-out\locales\sw.pak

MD5 67a443a5c2eaad32625edb5f8deb7852
SHA1 a6137841e8e7736c5ede1d0dc0ce3a44dc41013f
SHA256 41dfb772ae4c6f9e879bf7b4fa776b2877a2f8740fa747031b3d6f57f34d81dd
SHA512 e0fdff1c3c834d8af8634f43c2f16ba5b883a8d88dfd322593a13830047568faf9f41d0bf73cd59e2e33c38fa58998d4702d2b0c21666717a86945d18b3f29e5

C:\Users\Admin\AppData\Local\Temp\nsa61E7.tmp\7z-out\locales\sv.pak

MD5 251682c6f4238bef8ab5471870a5454b
SHA1 2bf36466446abe39d487c61898d335901bbb09b0
SHA256 e1cbce672de3ba3a01272b9b763dcfd8229fba0883df2b4117ac6b0f9916c073
SHA512 de1e507b24e71f60c298253aacff49724b6a8c6336455d8dfcc6e939e53ed5e7a95dc5574e66a7fae38b6666446ac9cd83e5ad1b794b4ffa38d06052663c1f45

C:\Users\Admin\AppData\Local\Temp\nsa61E7.tmp\7z-out\locales\sr.pak

MD5 c68c235d8e696c098cf66191e648196b
SHA1 5c967fbbd90403a755d6c4b2411e359884dc8317
SHA256 ab96a18177af90495e2e3c96292638a775aa75c1d210ca6a6c18fbc284cd815b
SHA512 34d14d8cb851df1ea8cd3cc7e9690eaf965d8941cfcac1c946606115ad889630156c5ff47011b27c1288f8df70e8a7dc41909a9fa98d75b691742ec1d1a5e653

C:\Users\Admin\AppData\Local\Temp\nsa61E7.tmp\7z-out\locales\sk.pak

MD5 07498676ad49df5cb1a14d91e2fc2353
SHA1 da344ebcc2ed566b45668c8ff5b950cb921af71f
SHA256 b7ba1d08ac8498ea6a37186a51b30d6d0db17136ac734982af4dab97f4a6cd9a
SHA512 548dd27e98700681941ac13e6cf90a70c66520f70df51c75ecfbb32391805ee536a34f3e90400c1cfb34b750c9415378e1a75233db614c94a057da64d3369d91

C:\Users\Admin\AppData\Local\Temp\nsa61E7.tmp\7z-out\locales\ru.pak

MD5 e582616cb61afb76688aa7669936bbff
SHA1 cd2e894a59238ce90be527156243546b4a3fc53e
SHA256 e4edec80c9e29357bcf31eda5d8b046c6c9fbc6434a0b5594b6a906d5f1407d1
SHA512 a5346390b6ec966d75839fb84e8d7284db55065b1a032ecd869a06555cdf116caaad73f9b059c92c17d5a5fb310a41c5f3b2461eee531b231adacb1b3d3d6cec

C:\Users\Admin\AppData\Local\Temp\nsa61E7.tmp\7z-out\locales\ro.pak

MD5 d8b831a4896af7c78c534f1e8676ae37
SHA1 175da19445b975b24a1e7bc8ffafa93d456ed10c
SHA256 3a58f2275ea6a2baa68924b1dab6b0f06abf8b6657a878dea94b0060a95e38f0
SHA512 e7e75dc7f92eb28759b567ec395f2a951c0e71284c75b9e2c4efd92209dda5767d51d51cdf591d04baddcfe88fbc2c8e6851a904d631b69bd801b9568767d948

C:\Users\Admin\AppData\Local\Temp\nsa61E7.tmp\7z-out\locales\pt-PT.pak

MD5 e032c0d39df2b7bfc71ece3bfe694039
SHA1 6664f303bae983a1bffcba22e9df712bb3cb59d6
SHA256 60a5a7f03d4d54397ca04be0c89d1f67a496b72807c0bd660c076bc945b40339
SHA512 3f12ed39848ad76411d4d84b2ccef59e2346d40c8e7ddbf6e333a2323df737d864126777fb54a15e90283ced2e7f04a7dda561fa2ebe13b30e082988b13e1406

C:\Users\Admin\AppData\Local\Temp\nsa61E7.tmp\7z-out\locales\pt-BR.pak

MD5 3701247a5ac607053278aea185ee6616
SHA1 8cb40ddd4865347677f8d327792c6edb69012f76
SHA256 7f41c3a58d08d98f21232e7c85839c9dec0053b447bb4dae867d2faadb278d45
SHA512 637070ebc4411fb92bef5ff75eff46602db8ed59021f37f1a0d8201093f047419c558ec1af49c4dbbb4f58e7169e2f2cf04af7e1d11a57d39ab1cf036cb8497c

C:\Users\Admin\AppData\Local\Temp\nsa61E7.tmp\7z-out\locales\pl.pak

MD5 fbc79131a645b3853b4fa97c2b589a07
SHA1 91c6d4386384efa9074956b9e811a0aac385aa4e
SHA256 0948238576efb502327af4040c1d9eb1346fbf1bdcee35cd46746b170a7ea6a7
SHA512 0559d787bb7e4fa32a70c19cf0d1b2962d3869363904c13f345ef733f1193c73a13bad9600d7a5ffacf60b92cd97c27e27f7c4b7e143d0925fb358498c92f8cf

C:\Users\Admin\AppData\Local\Temp\nsa61E7.tmp\7z-out\locales\nl.pak

MD5 285f965bdfd40491c0669f41a1c9e2f5
SHA1 b5c17191ab4d152c7793b6dec0a2e8f1fc298a89
SHA256 b20178135b9f21feef0315fb2f2bc574c2876385e607a539ff0ce6ae7faf707b
SHA512 03de0c35bc75fb96cc5871b5d06a49d99b92864541a3a03816c1245bef567401b260ed94b99818f81273395b1ec60a9f6cae22084ef34e01a95cc41da4fbd1b7

C:\Users\Admin\AppData\Local\Temp\nsa61E7.tmp\7z-out\locales\nb.pak

MD5 55d5ad4eacb12824cfcd89470664c856
SHA1 f893c00d8d4fdb2f3e7a74a8be823e5e8f0cd673
SHA256 4f44789a2c38edc396a31aba5cc09d20fb84cd1e06f70c49f0664289c33cd261
SHA512 555d87be8c97f466c6b3e7b23ec0210335846398c33dba71e926ff7e26901a3908dbb0f639c93db2d090c9d8bda48eddf196b1a09794d0e396b2c02b4720f37e

C:\Users\Admin\AppData\Local\Temp\nsa61E7.tmp\7z-out\locales\ms.pak

MD5 aee105366a1870b9d10f0f897e9295db
SHA1 eee9d789a8eeafe593ce77a7c554f92a26a2296f
SHA256 c6471aee5f34f31477d57f593b09cb1de87f5fd0f9b5e63d8bab4986cf10d939
SHA512 240688a0054bfebe36ea2b056194ee07e87bbbeb7e385131c73a64aa7967984610fcb80638dd883837014f9bc920037069d0655e3e92a5922f76813aedb185fa

C:\Users\Admin\AppData\Local\Temp\nsa61E7.tmp\7z-out\locales\mr.pak

MD5 5657d67f6d21b507aab24ff62b0d4701
SHA1 b685a327c525b7e42eece306984e6d88dd803a29
SHA256 671c3cb2a805a63a275ad608d37d0577c6a2813dd67fb6c2b70f8232323aac04
SHA512 637c60834edc6f31c80692274af05e3f78466cd5ddb2fd7c79315b0f54939f41f25c3b30c86fd10751d032def1f99cb853c3186128a76a3a82a6989eaf14a835

C:\Users\Admin\AppData\Local\Temp\nsa61E7.tmp\7z-out\locales\ml.pak

MD5 038b9eb34737bf472fde68b91a40f122
SHA1 64771e91d4fdac0b909c6f446cc2f310be7d1320
SHA256 27b7947e36a521403de094cc563d5eced1e46f98e4d6b872fd424352f798e84d
SHA512 3c96b42ab838f2ad5434e719f5906427a5fb327967d04c8498f3af4e913de833ac9cce6545fcfe0de2dc920cdf54c8b31c1d1527f609f90bcf9728d7bdbaac7d

C:\Users\Admin\AppData\Local\Temp\nsa61E7.tmp\7z-out\locales\lv.pak

MD5 4468d6a6114d5a7ea3c1173ae9a8250d
SHA1 ef664a6a140fb7a244bce44ff8c73250856d8061
SHA256 0ff66161377be2fb8b2b456a64dd910d8375a2b9f1f6f22333540a77111903d6
SHA512 db4179b53cd44f297f5455a167ceccdd2a384c5296311346fa53f15ef5acab76cd166df13dbdf22b0c85a66455f22218e88c02fda2c5e2f863b9f4e7ea6e9a56

C:\Users\Admin\AppData\Local\Temp\nsa61E7.tmp\7z-out\locales\lt.pak

MD5 64b08ffc40a605fe74ecc24c3024ee3b
SHA1 516296e8a3114ddbf77601a11faf4326a47975ab
SHA256 8a5d6e29833374e0f74fd7070c1b20856cb6b42ed30d18a5f17e6c2e4a8d783e
SHA512 05d207413186ac2b87a59681efe4fdf9dc600d0f3e8327e7b9802a42306d80d0ddd9ee07d103b17caf0518e42ab25b7ca9da4713941abc7bced65961671164ac

C:\Users\Admin\AppData\Local\Temp\nsa61E7.tmp\7z-out\locales\ko.pak

MD5 54ace51d8b687e36a66a2bfde258a550
SHA1 1b2fe7c62e3f2c7deede2034e44980e02afa3b4d
SHA256 8d131066e2fa004e11f9128162bfc354d3254381059d6c852bf88a55859ae3e8
SHA512 50b825a88d646a32a4d620bcdf5ce490c8dfbea628c5256a6918dc647c42385f955396ec5d3b32cfdb50153897cf303cd517bc9f62663b14def2dae42229f640

C:\Users\Admin\AppData\Local\Temp\nsa61E7.tmp\7z-out\locales\kn.pak

MD5 fccd5d8ad5e1c774771b19dda55d9b9a
SHA1 fabbaf469e4aec44342a7e6f74b837cde2203b71
SHA256 47c77fdf73267865a025a54027865a8d67e26943264a43c6e794ccbd6eec549b
SHA512 c9dc6cf0ff5a4094cc07ce4881319778a076b44651b16a220940d7a587ffaa92b6b80f7264605a3c8e6dd780e9c3d8e4d403d01cd8f94e0122ac19cd4d636aac

C:\Users\Admin\AppData\Local\Temp\nsa61E7.tmp\7z-out\locales\ja.pak

MD5 e9133185d2339d0a2f68c4c739eb3615
SHA1 cfa6db85ec99bb38b734254b7d4a83d12ee5cd00
SHA256 ba2acb635671a48ed0bf8cdc6e0a0318cfb33eb74b4171c6b483b95f2a167bc5
SHA512 e89c886a601943d2089bad27ce9458f95929fd39fd2f88da0545f71e9d18a678eafc303630d0f94ab3af7c77ad19fabdb2616a2d004151232bc6ce1ae8e4c46e

C:\Users\Admin\AppData\Local\Temp\nsa61E7.tmp\7z-out\locales\id.pak

MD5 366d1b2c3759d6ff9c588f53ec9a7c5b
SHA1 e9d5c6e8311c6f7b7c4ad997db0cec5c11cfd754
SHA256 0853a5543923b7a8db5989ebb8ebe8f9fb6271bfa59b94f5843f97de4401e2d8
SHA512 879e72625fd112cec85a6489c590d7e89c65753d2beee259f7393e7377729d40bbb8cd0a2a9fcfde93d14c2cc9a97879312e60ab26035970a632e36d2f8d9e53

C:\Users\Admin\AppData\Local\Temp\nsa61E7.tmp\7z-out\locales\hr.pak

MD5 cbca0ad35cfa5c4b852cc8f556706b0b
SHA1 608d2e11a40e5e15a2840e248a249d1562ba9846
SHA256 6ea4b1a28cf567cca73ccdb7eec631fffba3b49acc41e3c88b448514578d80da
SHA512 5b6f01c10d613f278d507d43fb0c708b32fd486d9b5a5f31a9837d0b1025da6ff85772b8f39e192cd8625d363be570565fd4eaf0f8d11c17ad6cbd956893022b

C:\Users\Admin\AppData\Local\Temp\nsa61E7.tmp\7z-out\locales\hi.pak

MD5 bc777a1010c846906d05d75d82f5dea9
SHA1 73bbeeda37164845ca3f4f2827165b4023f8a194
SHA256 ccf7a557d0f8353ff3d656d4c2a4fca2d462ed2cc3d18c599d98f4d57b23c615
SHA512 e6a01b80adfa31fa93d48fc4f1ba9222d21b8ed7734e664e4f274843b46d826ec8863483c0e8647e39ad85988dfe0a2848d32a26ce1fdd8a0eb85e4fe64be292

C:\Users\Admin\AppData\Local\Temp\nsa61E7.tmp\7z-out\locales\he.pak

MD5 c6937badd93ff4ae6f6a2c9e31f678d5
SHA1 b3175d7bebe340ab08e0d8e85d550a076b073c55
SHA256 3cd4440501bc67d0b2e33e1346ba133fb9a09a8762f2334732f8cc349cd840b7
SHA512 db232d7da04b4a854fd399fa04779469ec6fd0a752c4da7b2eed6d1aeaca4a096130fe326c91d777131d1a8ba32637d884e518f1522e9658d233a35e5eef9397

C:\Users\Admin\AppData\Local\Temp\nsa61E7.tmp\7z-out\locales\gu.pak

MD5 9e189d21ad5843b69c352466c94cdc4c
SHA1 99af98cc510abe726b54f28488f647ea6f7d4c91
SHA256 9c210e3143f99df59bebea6bdb6e30959f8520d59a20fffd437f7029840bb3a9
SHA512 c3007f45ec20c3c3e763f20be1a5557f548a28757cb032617c20fe7d44b7524368b75b8182de243048aa56b939b2a790b5b85cf359b009c4c20c41089e8992e8

C:\Users\Admin\AppData\Local\Temp\nsa61E7.tmp\7z-out\locales\fr.pak

MD5 3a5bb07820cf46c0f4a81a25724fe870
SHA1 dbc296c1fc516c60d453253ee341ca4d31554230
SHA256 b62c51b85545b3f5d70ac9c684a111689044636eafaeb196f5d52760e0f96f91
SHA512 0222f7a8bf3a6f77fcb9ab7eb0d03509d15bb8634d556547ed55141d550af241a525cc99eb13957744fe2e6d4732b9dbe4d078cb3555b16af6c13e20b9f4e8a1

C:\Users\Admin\AppData\Local\Temp\nsa61E7.tmp\7z-out\locales\fil.pak

MD5 d7df2ea381f37d6c92e4f18290c6ffe0
SHA1 7cacf08455aa7d68259fcba647ee3d9ae4c7c5e4
SHA256 db4a63fa0d5b2baba71d4ba0923caed540099db6b1d024a0d48c3be10c9eed5a
SHA512 96fc028455f1cea067b3a3dd99d88a19a271144d73dff352a3e08b57338e513500925787f33495cd744fe4122dff2d2ee56e60932fc02e04feed2ec1e0c3533f

C:\Users\Admin\AppData\Local\Temp\nsa61E7.tmp\7z-out\locales\fi.pak

MD5 7243727348009668ded33dd0109118c3
SHA1 aa19e2e340c8328132d12ff79d8fd6b02c512a48
SHA256 6581fca26336f66d8ba898ec1253b237db30e7cd1a25fc788290d7ace96fa6e1
SHA512 e890346915c0891a9f49640f232f6633e25655b969911a6697adfea709cec59bb925678e0b97424936c59d523c3ee9e2dc23f115e20c45ca3ed51ae691d0d7f0

C:\Users\Admin\AppData\Local\Temp\nsa61E7.tmp\7z-out\locales\et.pak

MD5 8b3cb5e4b8ac769bde84e5c375c1774e
SHA1 53665908d6ec12095abd766911d8abcc84c6da58
SHA256 c351b84558214420495bed6d882d37496483cc66b0e10400ca872e3fc4145b66
SHA512 b0dff640d32e5c277f2d3441abf823e8859f28f215cfc63fde8a968cbc9b9531aa0394e10fa98284d186323e3357ea2265d762dc034be86bb50f5c55630ab4c5

C:\Users\Admin\AppData\Local\Temp\nsa61E7.tmp\7z-out\locales\es.pak

MD5 e42486833449ea57261d5bbdabb8b4e2
SHA1 09734ed71302c7a3bf5f84dee1dfab7732bc0745
SHA256 d539c88c4493cb1d9eae600611e3119fe129ec95149049f4b62fc3a97d78ca61
SHA512 8ad283323c3f2e7a9d2e33eb86c371be6a9e29d9243e0d74d5936606692367212f81825d5c313a8859ff8de84eb6d23cbfc577ca47185392da803717f29e8b24

C:\Users\Admin\AppData\Local\Temp\nsa61E7.tmp\7z-out\locales\ur.pak

MD5 1ca4fa13bd0089d65da7cd2376feb4c6
SHA1 b1ba777e635d78d1e98e43e82d0f7a3dd7e97f9c
SHA256 3941364d0278e2c4d686faa4a135d16a457b4bc98c5a08e62aa12f3adc09aa7f
SHA512 d0d9eb1aa029bd4c34953ee5f4b60c09cf1d4f0b21c061db4ede1b5ec65d7a07fc2f780ade5ce51f2f781d272ac32257b95eedf471f7295ba70b5ba51db6c51d

C:\Users\Admin\AppData\Local\Temp\nsa61E7.tmp\7z-out\locales\zh-TW.pak

MD5 c651e23053764c38a4e8a7f34317f19b
SHA1 93cd303c91024748d283c3779f11402cfb4f5c0b
SHA256 9689ba3f2dc7248a3ab5db3b97d473e29464afbc7f2d1c7035f7e8e9a1c05aa4
SHA512 1b7951fc4dcc2c08811dd3449fe2ce1302286b3eca21675adefa25a806ae7dcf91c565a111032fc5fda4dd9f5231875f0c77cdfd22ecc7d435450080d853a503

C:\Users\Admin\AppData\Local\Temp\nsa61E7.tmp\7z-out\locales\zh-CN.pak

MD5 0d5b72258b56c584113a022e16777387
SHA1 77f91e8c36befb818229ef8fef068e97f60ecf0f
SHA256 539f0bfdb461bf777aab14a4baaf47c8c32ae1856cc4ac93b23ce73dc50ba02a
SHA512 632c4ca60529c717fb2ba700d8f12017d097e67045639e2c30144a0372cecf595a2727d3505f019b91e8a15fe3259f2727bfb24e970dea8080a11e1a3dfa2068

C:\Users\Admin\AppData\Local\Temp\nsa61E7.tmp\7z-out\locales\vi.pak

MD5 ebb5db1dbb64895b1a25120d5ac9b5e4
SHA1 810fa53a97fe42994f8a68698d582651d69cfd51
SHA256 ef3ddadb90dc73b73e25e9608626ce68d6778445812b8bd2f6c81e1f1e4bff16
SHA512 fba594183c7b672204330ca698f1e195026fc51d4e05db2c49e58a896c3b5e11e23286be0d6ffae3ec321e6c08322544df3c876dbce3c2e69a951985a84a2c91

C:\Users\Admin\AppData\Local\Temp\nsa61E7.tmp\7z-out\locales\uk.pak

MD5 88d51b6df9f3cec54eda732dcf2c63fa
SHA1 a826200f112d5c69f1aa5837bc40d4c423515029
SHA256 e914b8956745a14d9d64f12698805e0910f9d3581dd380468949b54576fad2a6
SHA512 3ed8f2090497597d4e2583901993331de19f9dc787ea886dabdaf22a79aefa2956e63501c9a50be34fabf7287b6751f50d9a5105e4f16a579961ebc0d6eff14e

C:\Users\Admin\AppData\Local\Temp\nsa61E7.tmp\7z-out\locales\tr.pak

MD5 1525dd38ca529c56f9d3e08293385690
SHA1 e0dfb9d60a3469d701dcb9ead8f8cd2cfe6fd604
SHA256 5a7e1c8b572f67ed40e9d5107ddd6f8791b03138bb9933cfb26f1678b2c4a9cd
SHA512 195ffc165e45a51c12b03252759c5e1ff684e57b5994aeca608d40ef6799f29812add6fb2479e8e8c1655799f4dbf29e47272324b857b9161ad43a1b271eddfd

C:\Users\Admin\AppData\Local\Temp\nsa61E7.tmp\7z-out\locales\th.pak

MD5 f9ff2275865f2cdebb9b0d19d4fb57a1
SHA1 e83c6c8e0005bf34771af3f1c0c9d8ebaa822f95
SHA256 3d4556bc0f26b89d090a8a779a8fda8f6fbe157a23181cbfb1d6c67a6212b864
SHA512 96f596bb564e62bbafe62774fba1cefa644feff47a331e54cd7dc9b85b29f2a2e8e785e85d90cccc27f9a1c735b0a8c6dbe01fa244601f1359194f64a49ee6d0

C:\Users\Admin\AppData\Local\Temp\nsa61E7.tmp\7z-out\locales\te.pak

MD5 41e49a1ef6850d90e0cbdc720c45ea5a
SHA1 a2fbe1585a1b653ac6acccaf6184ae2de3e007af
SHA256 aa2b9d1ad8591e91872c3fee62b111b74d6e7e890a47d0bcc388947ae5245290
SHA512 687ff66471248104f8780f142e1810ccc7275857e4bd188447d01cecbe74ebac4070ab135d4a7111bc5f4ae17247dd865f21a2d3e73031534dac1f5117bc4570

C:\Users\Admin\AppData\Local\Temp\nsa61E7.tmp\7z-out\locales\es-419.pak

MD5 a510ff6703676bacde7e528823878018
SHA1 6551a7dac1c3fcd839b8d7c6ca92470f30a93d0d
SHA256 77114f519743741a488a9b57cdc7190f0507c37dc3b29811704a048172ba6736
SHA512 e9b75bc92eb077db57f906ef544b2339c4eb4f6eddf65d2570c36a00ab4b8a167a53e869d81150a7d097ecbf4ba19625ad4228f133392cc850352fe66fea47e0

C:\Users\Admin\AppData\Local\Temp\nsa61E7.tmp\7z-out\locales\en-US.pak

MD5 19d18f8181a4201d542c7195b1e9ff81
SHA1 7debd3cf27bbe200c6a90b34adacb7394cb5929c
SHA256 1d20e626444759c2b72aa6e998f14a032408d2b32f957c12ec3abd52831338fb
SHA512 af07e1b08bbf2dd032a5a51a88ee2923650955873753629a086cad3b1600ce66ca7f9ed31b8ca901c126c10216877b24e123144bb0048f2a1e7757719aae73f2

C:\Users\Admin\AppData\Local\Temp\nsa61E7.tmp\7z-out\locales\en-GB.pak

MD5 e0c79cf2e5b790386e44b125d8e1a5fc
SHA1 1b75baf8035b81d6494f9f36930bbc8c512e1dbf
SHA256 6b0e81b2198e025eae1e2f6d5d3a33ccce034d1f4bc59e4cade1b5f5adb99f1a
SHA512 e4feb64ce7edf416422127280cf87967a5e6b20436a8ed33932b1bade73f0691ac819449d38fa0d8a81b888d6319f0b3167aa16e225999dfd6e7800d2365f2a6

C:\Users\Admin\AppData\Local\Temp\nsa61E7.tmp\7z-out\locales\el.pak

MD5 e66a75680f21ce281995f37099045714
SHA1 d553e80658ee1eea5b0912db1ecc4e27b0ed4790
SHA256 21d1d273124648a435674c7877a98110d997cf6992469c431fe502bbcc02641f
SHA512 d3757529dd85ef7989d9d4cecf3f7d87c9eb4beda965d8e2c87ee23b8baaec3fdff41fd53ba839215a37404b17b8fe2586b123557f09d201b13c7736c736b096

C:\Users\Admin\AppData\Local\Temp\nsa61E7.tmp\7z-out\locales\de.pak

MD5 1b928ff4831916bbe39e4b2e08f52267
SHA1 dd8788bb4d386f7d0b8e685a09cc9ca361b7c31e
SHA256 9c335a4e85b4ac58ed386d89d284be053ef288b2706a4cae433d91625ec1b31e
SHA512 95dc4ecd45708277618a913bd07073a7cc61b642ae14fecc91ac0548898771a522a0672ee67399e5f5c8ca3006c37aa878b74af1f41717b9607c00f49e40124a

C:\Users\Admin\AppData\Local\Temp\nsa61E7.tmp\7z-out\locales\da.pak

MD5 7ff057b530184205100dbea8635a29a7
SHA1 f6e22b2e37e6d7bf0ca9bec220650f01d1a4a091
SHA256 40b32636ffb813574d8a063ce7e74860ab06b93a9b16dd56b5b6aa602b5e6943
SHA512 09b7b6c280d98f21beeddf1b9e5834462f29d299a64276c198ef3eab466b352695172d2ff118664c34e51a2b73e21949f203ba35b0bb6d3e031ac770e3e6b451

C:\Users\Admin\AppData\Local\Temp\nsa61E7.tmp\7z-out\locales\ca.pak

MD5 83f9f785483cd92a73843ed98e674f86
SHA1 70e223dba0ecc5cf3f5fcf32278d97ff864c8024
SHA256 f7f54b55a917a0f68e4b7ed7a3e6feabb224c52d09786b939712607ebe8ab0ea
SHA512 df231f6774a9568cc4b85ad18d13c31cfb4de78830c72900ebd613d580e914e85eff85330ac9aa85246a0e4949891fdfb224ac615a03fcb0ce05b989391963e8

C:\Users\Admin\AppData\Local\Temp\nsa61E7.tmp\7z-out\locales\bn.pak

MD5 9340520696e7cb3c2495a78893e50add
SHA1 eed5aeef46131e4c70cd578177c527b656d08586
SHA256 1ea245646a4b4386606f03c8a3916a3607e2adbbc88f000976be36db410a1e39
SHA512 62507685d5542cfcd394080917b3a92ca197112feea9c2ddc1dfc77382a174c7ddf758d85af66cd322692215cb0402865b2a2b212694a36da6b592028caafcdf

C:\Users\Admin\AppData\Local\Temp\nsa61E7.tmp\7z-out\locales\bg.pak

MD5 38bcabb6a0072b3a5f8b86b693eb545d
SHA1 d36c8549fe0f69d05ffdaffa427d3ddf68dd6d89
SHA256 898621731ac3471a41f8b3a7bf52e7f776e8928652b37154bc7c1299f1fd92e1
SHA512 002adbdc17b6013becc4909daf2febb74ce88733c78e968938b792a52c9c5a62834617f606e4cb3774ae2dad9758d2b8678d7764bb6dcfe468881f1107db13ef

C:\Users\Admin\AppData\Local\Temp\nsa61E7.tmp\7z-out\resources\elevate.exe

MD5 792b92c8ad13c46f27c7ced0810694df
SHA1 d8d449b92de20a57df722df46435ba4553ecc802
SHA256 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37
SHA512 6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40

C:\Users\Admin\AppData\Local\Temp\nsa61E7.tmp\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

C:\Users\Admin\AppData\Local\Temp\2a4d090b-f2ea-46e1-a616-bc3a47a6cae2.tmp.node

MD5 aa8da32ebca307d4f99cf2da290afd22
SHA1 8590c0b54987ad6b0bc15a1aa66b9d2ca65ca899
SHA256 ed3a86d32e83849720e150c18c4d19c90cabe912d674624f34051c19936167db
SHA512 d7809a39922d99a716744e6cc17e4094930c40a8a21c983830c3570c4e52846151d66ad5d6021bc2a5b5fd29f520465b7b88f71cb86c30e0fadc4d0fb21ee1d7

C:\Users\Admin\AppData\Local\Temp\f7becfd5-bbff-4aac-be9c-98f638637163.tmp.node

MD5 04bfbfec8db966420fe4c7b85ebb506a
SHA1 939bb742a354a92e1dcd3661a62d69e48030a335
SHA256 da2172ce055fa47d6a0ea1c90654f530abed33f69a74d52fab06c4c7653b48fd
SHA512 4ea97a9a120ed5bee8638e0a69561c2159fc3769062d7102167b0e92b4f1a5c002a761bd104282425f6cee8d0e39dbe7e12ad4e4a38570c3f90f31b65072dd65

memory/1816-568-0x000001FF384B0000-0x000001FF384D2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oesez4mr.b15.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1816-572-0x000001FF389D0000-0x000001FF38A20000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 f69f145ee494b2d67c5d50108c862d4a
SHA1 68f36b9bd553beb2a7eec5f4a8fef317703c77e1
SHA256 06dd71fdfda7e319131bf98bd21dc6bee9a480736ab688e52bafe10074f00fc7
SHA512 302489f1e2676d83cf9cf92d378176a230f15975af12e2a2a50d9c057f4de0fc2c22f68a9390f5b337eaa10ea77366a1a79e71808de1e7a7c4e6432aeb75c530

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 64726b3d39febd6825a6dd0419be008b
SHA1 9dc2c08dfe4223cc394a14582f304681a03b5571
SHA256 833c6348ccf6885385f25f0797b770b390f29bf4120053b7975aef0fbf7fd62c
SHA512 900440b8a5fb8afb525dd7b1a0344175703a402ae667573bd2cd77ad743fc7454929cd470375c668d24f9d8986198fc824fee002db63e4f96709f6850eacab45

C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\xx_lol\Browser.zip

MD5 76cdb2bad9582d23c1f6f4d868218d6c
SHA1 b04f3ee8f5e43fa3b162981b50bb72fe1acabb33
SHA256 8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85
SHA512 5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

memory/2960-642-0x000002BEDB120000-0x000002BEDB121000-memory.dmp

memory/2960-643-0x000002BEDB120000-0x000002BEDB121000-memory.dmp

memory/2960-644-0x000002BEDB120000-0x000002BEDB121000-memory.dmp

memory/2960-648-0x000002BEDB120000-0x000002BEDB121000-memory.dmp

memory/2960-653-0x000002BEDB120000-0x000002BEDB121000-memory.dmp

memory/2960-652-0x000002BEDB120000-0x000002BEDB121000-memory.dmp

memory/2960-651-0x000002BEDB120000-0x000002BEDB121000-memory.dmp

memory/2960-654-0x000002BEDB120000-0x000002BEDB121000-memory.dmp

memory/2960-650-0x000002BEDB120000-0x000002BEDB121000-memory.dmp

memory/2960-649-0x000002BEDB120000-0x000002BEDB121000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-02 15:27

Reported

2024-06-02 15:33

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe

"C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 16.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-02 15:27

Reported

2024-06-02 15:33

Platform

win11-20240508-en

Max time kernel

85s

Max time network

99s

Command Line

"C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe

"C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe"

Network

Country Destination Domain Proto
US 52.111.229.43:443 tcp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-02 15:27

Reported

2024-06-02 15:33

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A

An obfuscated cmd.exe command-line is typically used to evade detection.

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1436 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Windows\system32\cmd.exe
PID 1436 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Windows\system32\cmd.exe
PID 4928 wrote to memory of 4020 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 4928 wrote to memory of 4020 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1436 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
PID 1436 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
PID 1436 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
PID 1436 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
PID 1436 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
PID 1436 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
PID 1436 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
PID 1436 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
PID 1436 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
PID 1436 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
PID 1436 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
PID 1436 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
PID 1436 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
PID 1436 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
PID 1436 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
PID 1436 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
PID 1436 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
PID 1436 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
PID 1436 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
PID 1436 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
PID 1436 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
PID 1436 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
PID 1436 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
PID 1436 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
PID 1436 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
PID 1436 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
PID 1436 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
PID 1436 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
PID 1436 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
PID 1436 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
PID 1436 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
PID 1436 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
PID 1436 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
PID 1436 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Windows\system32\cmd.exe
PID 1436 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Windows\system32\cmd.exe
PID 4200 wrote to memory of 4932 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4200 wrote to memory of 4932 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1436 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Windows\system32\cmd.exe
PID 1436 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Windows\system32\cmd.exe
PID 1960 wrote to memory of 740 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1960 wrote to memory of 740 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1436 wrote to memory of 3388 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
PID 1436 wrote to memory of 3388 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
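The signature tables above encode a short kill chain: a binary named like the System32 RuntimeBroker is launched from %TEMP% (the masquerade), copies itself into the user's Startup folder (persistence), runs `tasklist` through `cmd.exe` (discovery), and then drives `powershell.exe` through `cmd.exe` to call DPAPI (credential access). The following Python is an added example, not part of this sandbox report, showing how those four behaviours translate into endpoint-telemetry rules. The event records are constructed to mirror the behavioral11 process tree and startup-file drop, using Sysmon-style field names trimmed to what the rules need; the parent of the first `runtimebroker.exe` is not recorded in the report and is left blank. One caveat the rules deliberately do not rely on: the `cmd.exe /d /s /c "..."` form is the stock wrapper that Node.js `child_process.exec` uses on Windows, so that wrapper alone is not evidence of obfuscation; what matters is the command inside the quotes.

```python
"""Triage rules over process-creation and file-creation telemetry.

Added example, not part of the report. Events are constructed to mirror the
behavioral11 process tree (PIDs from the WriteProcessMemory table above).
Each rule is a predicate over one event; run_rules() returns (rule, pid) hits.
"""
import ntpath
import re

WINDOWS_ROOT = "c:\\windows\\"
SYSTEM32 = "c:\\windows\\system32"
# Image names that have no business running from outside System32.
SYSTEM_ONLY_NAMES = {"runtimebroker.exe", "svchost.exe", "lsass.exe",
                     "csrss.exe", "dllhost.exe", "taskhostw.exe"}
STARTUP_DIR = "\\start menu\\programs\\startup\\"
DPAPI_UNPROTECT = re.compile(r"protecteddata\]::unprotect\s*\(", re.IGNORECASE)
RECON_TOOLS = re.compile(r"\b(tasklist|whoami|systeminfo|netstat|ipconfig)\b",
                         re.IGNORECASE)


def _in_system32(image: str) -> bool:
    return ntpath.dirname(image).lower() == SYSTEM32


def _in_windows(image: str) -> bool:
    return image.lower().startswith(WINDOWS_ROOT)


def rule_system_name_outside_system32(ev: dict) -> bool:
    """Masquerading: a System32-only binary name launched from elsewhere."""
    if ev["event"] != "process_create":
        return False
    return (ntpath.basename(ev["image"]).lower() in SYSTEM_ONLY_NAMES
            and not _in_system32(ev["image"]))


def rule_startup_folder_exe(ev: dict) -> bool:
    """Persistence: an executable written into a Startup folder."""
    if ev["event"] != "file_create":
        return False
    target = ev["target"].lower()
    return STARTUP_DIR in target and target.endswith(".exe")


def rule_cmd_recon_from_user_path(ev: dict) -> bool:
    """Discovery: cmd.exe runs a recon tool for a parent living outside C:\\Windows."""
    if ev["event"] != "process_create":
        return False
    return (ntpath.basename(ev["image"]).lower() == "cmd.exe"
            and not _in_windows(ev["parent_image"])
            and RECON_TOOLS.search(ev["cmdline"]) is not None)


def rule_dpapi_unprotect_on_cmdline(ev: dict) -> bool:
    """Credential access: DPAPI Unprotect with an inline blob on a command line."""
    return (ev["event"] == "process_create"
            and DPAPI_UNPROTECT.search(ev["cmdline"]) is not None)


RULES = [rule_system_name_outside_system32, rule_startup_folder_exe,
         rule_cmd_recon_from_user_path, rule_dpapi_unprotect_on_cmdline]


def run_rules(events):
    """Return every (rule name, pid) pair that fires over the event stream."""
    hits = []
    for ev in events:
        for rule in RULES:
            if rule(ev):
                hits.append((rule.__name__, ev["pid"]))
    return hits


# Constructed events mirroring the report; the DPAPI blob is shortened here.
TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
DPAPI_CMD = ("powershell.exe Add-Type -AssemblyName System.Security; "
             "[System.Security.Cryptography.ProtectedData]::Unprotect("
             "[byte[]]@(1,0,0,0,208,140,157,223), $null, 'CurrentUser')")
SAMPLE_EVENTS = [
    {"event": "process_create", "pid": 1436, "image": TEMP + "runtimebroker.exe",
     "parent_image": "",  # launcher not recorded in the report
     "cmdline": '"' + TEMP + 'runtimebroker.exe"'},
    {"event": "file_create", "pid": 1436, "image": TEMP + "runtimebroker.exe",
     "target": "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\"
               "Start Menu\\Programs\\Startup\\runtimebroker.exe"},
    {"event": "process_create", "pid": 4928, "image": "C:\\Windows\\system32\\cmd.exe",
     "parent_image": TEMP + "runtimebroker.exe",
     "cmdline": 'C:\\Windows\\system32\\cmd.exe /d /s /c "tasklist"'},
    {"event": "process_create", "pid": 4020, "image": "C:\\Windows\\system32\\tasklist.exe",
     "parent_image": "C:\\Windows\\system32\\cmd.exe", "cmdline": "tasklist"},
    {"event": "process_create", "pid": 4200, "image": "C:\\Windows\\system32\\cmd.exe",
     "parent_image": TEMP + "runtimebroker.exe",
     "cmdline": 'C:\\Windows\\system32\\cmd.exe /d /s /c "' + DPAPI_CMD + '"'},
    {"event": "process_create", "pid": 4932,
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent_image": "C:\\Windows\\system32\\cmd.exe", "cmdline": DPAPI_CMD},
    # Benign control: the real RuntimeBroker from System32 must not fire.
    {"event": "process_create", "pid": 900, "image": "C:\\Windows\\System32\\RuntimeBroker.exe",
     "parent_image": "C:\\Windows\\System32\\svchost.exe",
     "cmdline": "C:\\Windows\\System32\\RuntimeBroker.exe -Embedding"},
]

if __name__ == "__main__":
    for rule, pid in run_rules(SAMPLE_EVENTS):
        print(f"{rule:40s} pid={pid}")
```

The masquerade rule keys on the image name rather than on a hash so it survives repacking; the recon rule keys on the parent's path rather than on `tasklist` alone, because `tasklist` from an installer or admin script is common and the signal here is that the parent is an unsigned binary in a user-writable directory.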

Processes

C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe

"C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe

"C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\runtimebroker" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1764 --field-trial-handle=1780,i,16223557729738766477,15991875678896169909,131072 --disable-features=BlinkSchedulerMicroTaskQueuePerWindowAgent,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe

"C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\runtimebroker" --mojo-platform-channel-handle=2060 --field-trial-handle=1780,i,16223557729738766477,15991875678896169909,131072 --disable-features=BlinkSchedulerMicroTaskQueuePerWindowAgent,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,35,167,165,23,108,64,42,78,189,79,209,36,15,157,160,224,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,92,189,224,153,149,154,254,15,90,25,191,67,109,35,188,255,47,151,9,21,172,109,172,152,78,250,241,191,140,181,162,184,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,209,235,215,220,194,5,197,88,53,204,186,212,66,146,226,188,79,204,39,241,55,33,198,3,57,197,104,32,254,164,222,53,48,0,0,0,190,0,161,123,65,14,46,171,239,38,157,125,28,95,192,236,16,13,130,184,221,191,110,38,80,70,146,60,47,32,10,203,90,20,66,70,106,81,223,50,206,68,184,16,75,136,60,134,64,0,0,0,70,232,28,94,65,45,27,44,230,217,177,254,232,17,18,175,206,168,72,136,197,118,127,130,242,66,19,188,10,231,102,228,166,149,101,103,226,180,241,31,220,52,111,182,118,173,9,121,124,121,42,179,127,86,97,46,106,209,100,22,161,216,139,82), $null, 'CurrentUser')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,35,167,165,23,108,64,42,78,189,79,209,36,15,157,160,224,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,92,189,224,153,149,154,254,15,90,25,191,67,109,35,188,255,47,151,9,21,172,109,172,152,78,250,241,191,140,181,162,184,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,209,235,215,220,194,5,197,88,53,204,186,212,66,146,226,188,79,204,39,241,55,33,198,3,57,197,104,32,254,164,222,53,48,0,0,0,190,0,161,123,65,14,46,171,239,38,157,125,28,95,192,236,16,13,130,184,221,191,110,38,80,70,146,60,47,32,10,203,90,20,66,70,106,81,223,50,206,68,184,16,75,136,60,134,64,0,0,0,70,232,28,94,65,45,27,44,230,217,177,254,232,17,18,175,206,168,72,136,197,118,127,130,242,66,19,188,10,231,102,228,166,149,101,103,226,180,241,31,220,52,111,182,118,173,9,121,124,121,42,179,127,86,97,46,106,209,100,22,161,216,139,82), $null, 'CurrentUser')

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,35,167,165,23,108,64,42,78,189,79,209,36,15,157,160,224,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,212,42,2,65,16,208,86,239,119,31,48,12,125,255,255,16,35,229,28,212,118,235,50,133,44,37,118,117,201,246,141,209,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,73,164,249,209,239,154,151,218,48,206,11,82,161,3,159,9,224,155,252,245,175,208,199,64,94,88,244,43,40,88,194,246,48,0,0,0,139,84,34,152,122,62,162,151,147,226,168,84,240,87,105,110,166,215,210,118,192,192,245,219,97,138,74,192,131,101,218,100,49,184,183,187,125,119,185,182,32,14,67,163,25,109,208,13,64,0,0,0,227,205,221,78,197,37,10,166,0,128,167,243,193,236,123,89,55,116,6,215,52,123,147,52,72,250,198,255,30,6,10,45,139,195,88,251,172,7,9,40,196,46,34,184,241,154,11,218,245,73,126,185,94,212,164,210,43,132,173,66,17,12,245,143), $null, 'CurrentUser')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,35,167,165,23,108,64,42,78,189,79,209,36,15,157,160,224,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,212,42,2,65,16,208,86,239,119,31,48,12,125,255,255,16,35,229,28,212,118,235,50,133,44,37,118,117,201,246,141,209,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,73,164,249,209,239,154,151,218,48,206,11,82,161,3,159,9,224,155,252,245,175,208,199,64,94,88,244,43,40,88,194,246,48,0,0,0,139,84,34,152,122,62,162,151,147,226,168,84,240,87,105,110,166,215,210,118,192,192,245,219,97,138,74,192,131,101,218,100,49,184,183,187,125,119,185,182,32,14,67,163,25,109,208,13,64,0,0,0,227,205,221,78,197,37,10,166,0,128,167,243,193,236,123,89,55,116,6,215,52,123,147,52,72,250,198,255,30,6,10,45,139,195,88,251,172,7,9,40,196,46,34,184,241,154,11,218,245,73,126,185,94,212,164,210,43,132,173,66,17,12,245,143), $null, 'CurrentUser')

C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe

"C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\runtimebroker" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1328 --field-trial-handle=1780,i,16223557729738766477,15991875678896169909,131072 --disable-features=BlinkSchedulerMicroTaskQueuePerWindowAgent,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 api.gofile.io udp
FR 151.80.29.83:443 api.gofile.io tcp
US 8.8.8.8:53 store3.gofile.io udp
US 136.175.10.233:443 store3.gofile.io tcp
US 8.8.8.8:53 83.29.80.151.in-addr.arpa udp
US 8.8.8.8:53 233.10.175.136.in-addr.arpa udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.4.4:443 dns.google tcp
FR 151.80.29.83:443 api.gofile.io tcp
US 136.175.10.233:443 store3.gofile.io tcp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
FR 151.80.29.83:443 api.gofile.io tcp
US 8.8.8.8:53 store1.gofile.io udp
FR 45.112.123.227:443 store1.gofile.io tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
FR 151.80.29.83:443 api.gofile.io tcp
US 136.175.10.233:443 store3.gofile.io tcp
US 8.8.8.8:53 227.123.112.45.in-addr.arpa udp
US 8.8.8.8:53 discord.com udp
FR 151.80.29.83:443 api.gofile.io tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 162.159.135.232:443 discord.com tcp
US 136.175.10.233:443 store3.gofile.io tcp
US 8.8.8.8:53 232.135.159.162.in-addr.arpa udp
FR 151.80.29.83:443 api.gofile.io tcp
US 136.175.10.233:443 store3.gofile.io tcp
FR 151.80.29.83:443 api.gofile.io tcp
FR 45.112.123.227:443 store1.gofile.io tcp
FR 151.80.29.83:443 api.gofile.io tcp
US 136.175.10.233:443 store3.gofile.io tcp
US 162.159.135.232:443 discord.com tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\3604a658-f61f-42e4-a06d-0d4c224197e8.tmp.node

MD5 04bfbfec8db966420fe4c7b85ebb506a
SHA1 939bb742a354a92e1dcd3661a62d69e48030a335
SHA256 da2172ce055fa47d6a0ea1c90654f530abed33f69a74d52fab06c4c7653b48fd
SHA512 4ea97a9a120ed5bee8638e0a69561c2159fc3769062d7102167b0e92b4f1a5c002a761bd104282425f6cee8d0e39dbe7e12ad4e4a38570c3f90f31b65072dd65

C:\Users\Admin\AppData\Local\Temp\c3ef9b7e-6f73-4461-99c8-2d8fd5607ff2.tmp.node

MD5 aa8da32ebca307d4f99cf2da290afd22
SHA1 8590c0b54987ad6b0bc15a1aa66b9d2ca65ca899
SHA256 ed3a86d32e83849720e150c18c4d19c90cabe912d674624f34051c19936167db
SHA512 d7809a39922d99a716744e6cc17e4094930c40a8a21c983830c3570c4e52846151d66ad5d6021bc2a5b5fd29f520465b7b88f71cb86c30e0fadc4d0fb21ee1d7

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_te5puvwo.vem.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4932-16-0x000001FF1A530000-0x000001FF1A552000-memory.dmp

memory/4932-21-0x000001FF1A9F0000-0x000001FF1AA40000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 f48896adf9a23882050cdff97f610a7f
SHA1 4c5a610df62834d43f470cae7e851946530e3086
SHA256 3ae35c2828715a2f9a5531d334a0cfffc81396c2dc058ca42a9943f3cdc22e78
SHA512 16644246f2a35a186fcb5c2b6456ed6a16e8db65ad1383109e06547f9b1f9358f071c30cca541ca4cf7bae66cb534535e88f75f6296a4bfc6c7b22b0684a6ba9

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e528d7b6384bede31960a08c033c38d3
SHA1 46d0249de41ef0f0d149170b9c1fa649d00c63b3
SHA256 d6dad7428a2ca05a4e48d115ec7370539f77c794ed93b753c57bfc0959afd32a
SHA512 5efb4243d9bc512c548f9168dbf873ef0ee7539b7b2c430611b14dd27b2daada152e2d39b41e98f3b96d20ba0d76b78124bdbd395d1b7eeac75f53db3f8cbef6

C:\Users\Admin\AppData\Local\Temp\xx_lol\Browser.zip

MD5 76cdb2bad9582d23c1f6f4d868218d6c
SHA1 b04f3ee8f5e43fa3b162981b50bb72fe1acabb33
SHA256 8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85
SHA512 5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\webdata.db

MD5 079a696bcf1d85d290ea94324f8fea01
SHA1 15819c37e62568756e0c64af555b19c36f2b03c9
SHA256 97adfff767fb00f67212b0e36ade8d75f97f1e3619e1658193003e306d8a1afa
SHA512 7ffd8f6f23838beaa4ef4dbfce8347fb8725089e4271d8a2699c19ac5a42fb3868122d39fe0e13a6f132160934a81fe2c41c7d679f1236ad3c0f85b177ba0b65

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\webdata.db

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

memory/3388-110-0x0000016D70170000-0x0000016D70171000-memory.dmp

memory/3388-109-0x0000016D70170000-0x0000016D70171000-memory.dmp

memory/3388-108-0x0000016D70170000-0x0000016D70171000-memory.dmp

memory/3388-114-0x0000016D70170000-0x0000016D70171000-memory.dmp

memory/3388-117-0x0000016D70170000-0x0000016D70171000-memory.dmp

memory/3388-120-0x0000016D70170000-0x0000016D70171000-memory.dmp

memory/3388-119-0x0000016D70170000-0x0000016D70171000-memory.dmp

memory/3388-118-0x0000016D70170000-0x0000016D70171000-memory.dmp

memory/3388-116-0x0000016D70170000-0x0000016D70171000-memory.dmp

memory/3388-115-0x0000016D70170000-0x0000016D70171000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-02 15:27

Reported

2024-06-02 15:32

Platform

win10-20240404-en

Max time kernel

77s

Max time network

82s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Vanta\AutoHotkey.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Vanta\AutoHotkey.exe

"C:\Users\Admin\AppData\Local\Temp\Vanta\AutoHotkey.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

N/A