Analysis Overview
SHA256
fe3e8b0fb23d7889d8e1cf58ddec37d255393ccfb6017f27032604e53aa1b3c8
Threat Level: Shows suspicious behavior
The file Vanta-Loader.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Drops startup file
Legitimate hosting services abused for malware hosting/C2
An obfuscated cmd.exe command-line is typically used to evade detection.
Unsigned PE
Program crash
Enumerates physical storage devices
Modifies data under HKEY_USERS
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Enumerates system info in registry
Modifies registry class
Enumerates processes with tasklist
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-11 06:19
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral13
Detonation Overview
Submitted
2024-06-11 06:18
Reported
2024-06-11 06:25
Platform
win10v2004-20240426-en
Max time kernel
28s
Max time network
37s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 243.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-06-11 06:18
Reported
2024-06-11 06:25
Platform
win10v2004-20240508-en
Max time kernel
9s
Max time network
23s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1
Network
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-06-11 06:18
Reported
2024-06-11 06:26
Platform
win11-20240426-en
Max time kernel
0s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe
"C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe"
Network
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-06-11 06:18
Reported
2024-06-11 06:26
Platform
win10v2004-20240426-en
Max time kernel
22s
Max time network
23s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runtimebroker.exe | C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe | N/A |
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
An obfuscated cmd.exe command-line is typically used to evade detection.
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
"C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\tasklist.exe
tasklist
C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
"C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\runtimebroker" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1708 --field-trial-handle=1820,i,11960413089767931548,8449855656748798269,131072 --disable-features=BlinkSchedulerMicroTaskQueuePerWindowAgent,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
"C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\runtimebroker" --mojo-platform-channel-handle=2060 --field-trial-handle=1820,i,11960413089767931548,8449855656748798269,131072 --disable-features=BlinkSchedulerMicroTaskQueuePerWindowAgent,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,21,13,251,61,125,41,113,73,181,63,165,1,91,36,248,68,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,52,149,19,144,89,112,59,59,251,229,141,202,64,101,240,104,137,13,3,69,53,156,155,146,175,90,146,162,246,238,201,90,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,8,59,176,18,137,226,140,52,19,171,62,247,31,153,110,138,40,43,108,72,120,10,22,206,204,166,195,251,206,76,84,236,48,0,0,0,182,67,21,24,178,28,183,38,171,5,235,33,128,96,100,191,115,29,3,244,255,89,222,94,221,44,46,134,199,244,235,56,71,157,109,19,168,133,44,36,119,44,14,122,209,122,31,112,64,0,0,0,122,214,19,81,118,163,136,78,57,148,251,210,240,3,134,99,156,175,50,154,230,153,101,220,35,132,92,147,223,230,14,232,202,102,120,97,201,199,70,225,226,97,114,2,149,239,63,52,211,209,152,49,2,92,152,238,148,185,58,73,30,45,12,201), $null, 'CurrentUser')"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,21,13,251,61,125,41,113,73,181,63,165,1,91,36,248,68,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,52,149,19,144,89,112,59,59,251,229,141,202,64,101,240,104,137,13,3,69,53,156,155,146,175,90,146,162,246,238,201,90,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,8,59,176,18,137,226,140,52,19,171,62,247,31,153,110,138,40,43,108,72,120,10,22,206,204,166,195,251,206,76,84,236,48,0,0,0,182,67,21,24,178,28,183,38,171,5,235,33,128,96,100,191,115,29,3,244,255,89,222,94,221,44,46,134,199,244,235,56,71,157,109,19,168,133,44,36,119,44,14,122,209,122,31,112,64,0,0,0,122,214,19,81,118,163,136,78,57,148,251,210,240,3,134,99,156,175,50,154,230,153,101,220,35,132,92,147,223,230,14,232,202,102,120,97,201,199,70,225,226,97,114,2,149,239,63,52,211,209,152,49,2,92,152,238,148,185,58,73,30,45,12,201), $null, 'CurrentUser')
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,21,13,251,61,125,41,113,73,181,63,165,1,91,36,248,68,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,87,225,225,105,74,250,17,14,121,162,50,56,214,71,202,251,32,121,40,26,5,205,214,52,26,191,58,177,200,241,246,155,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,137,230,184,142,248,175,36,120,222,4,110,117,60,85,255,52,21,39,177,126,38,76,194,9,75,54,127,87,52,196,251,57,48,0,0,0,62,242,129,76,25,82,189,44,92,5,130,128,156,115,35,25,175,83,81,85,159,232,192,255,184,181,3,127,179,216,232,85,78,47,144,255,115,62,133,108,75,82,5,154,21,128,253,243,64,0,0,0,96,3,115,172,134,228,139,54,161,25,254,150,216,24,138,103,124,43,211,181,183,191,211,17,78,104,20,9,218,8,230,157,99,145,15,109,156,238,65,113,104,211,133,73,126,187,22,212,132,81,131,66,39,202,237,184,142,225,59,166,44,170,47,76), $null, 'CurrentUser')"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,21,13,251,61,125,41,113,73,181,63,165,1,91,36,248,68,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,87,225,225,105,74,250,17,14,121,162,50,56,214,71,202,251,32,121,40,26,5,205,214,52,26,191,58,177,200,241,246,155,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,137,230,184,142,248,175,36,120,222,4,110,117,60,85,255,52,21,39,177,126,38,76,194,9,75,54,127,87,52,196,251,57,48,0,0,0,62,242,129,76,25,82,189,44,92,5,130,128,156,115,35,25,175,83,81,85,159,232,192,255,184,181,3,127,179,216,232,85,78,47,144,255,115,62,133,108,75,82,5,154,21,128,253,243,64,0,0,0,96,3,115,172,134,228,139,54,161,25,254,150,216,24,138,103,124,43,211,181,183,191,211,17,78,104,20,9,218,8,230,157,99,145,15,109,156,238,65,113,104,211,133,73,126,187,22,212,132,81,131,66,39,202,237,184,142,225,59,166,44,170,47,76), $null, 'CurrentUser')
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.gofile.io | udp |
| FR | 51.178.66.33:443 | api.gofile.io | tcp |
| US | 8.8.8.8:53 | store9.gofile.io | udp |
| US | 8.8.8.8:53 | 33.66.178.51.in-addr.arpa | udp |
| US | 206.168.190.239:443 | store9.gofile.io | tcp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.4.4:443 | dns.google | tcp |
| FR | 51.178.66.33:443 | api.gofile.io | tcp |
| US | 8.8.8.8:53 | 239.190.168.206.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.4.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | store8.gofile.io | udp |
| US | 206.168.191.31:443 | store8.gofile.io | tcp |
| US | 8.8.8.8:53 | 31.191.168.206.in-addr.arpa | udp |
| FR | 51.178.66.33:443 | api.gofile.io | tcp |
| US | 8.8.8.8:53 | store4.gofile.io | udp |
| FR | 31.14.70.245:443 | store4.gofile.io | tcp |
| FR | 51.178.66.33:443 | api.gofile.io | tcp |
| US | 8.8.8.8:53 | store3.gofile.io | udp |
| US | 136.175.10.233:443 | store3.gofile.io | tcp |
| US | 8.8.8.8:53 | 245.70.14.31.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.10.175.136.in-addr.arpa | udp |
| US | 8.8.8.8:53 | discord.com | udp |
| FR | 51.178.66.33:443 | api.gofile.io | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | store10.gofile.io | udp |
| FR | 31.14.70.252:443 | store10.gofile.io | tcp |
| US | 8.8.8.8:53 | 232.137.159.162.in-addr.arpa | udp |
| FR | 51.178.66.33:443 | api.gofile.io | tcp |
| FR | 31.14.70.252:443 | store10.gofile.io | tcp |
| FR | 51.178.66.33:443 | api.gofile.io | tcp |
| US | 8.8.8.8:53 | 252.70.14.31.in-addr.arpa | udp |
| FR | 31.14.70.245:443 | store4.gofile.io | tcp |
| FR | 51.178.66.33:443 | api.gofile.io | tcp |
| US | 206.168.191.31:443 | store8.gofile.io | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\b636eacc-7b68-4720-bf63-a563b2100af7.tmp.node
| MD5 | aa8da32ebca307d4f99cf2da290afd22 |
| SHA1 | 8590c0b54987ad6b0bc15a1aa66b9d2ca65ca899 |
| SHA256 | ed3a86d32e83849720e150c18c4d19c90cabe912d674624f34051c19936167db |
| SHA512 | d7809a39922d99a716744e6cc17e4094930c40a8a21c983830c3570c4e52846151d66ad5d6021bc2a5b5fd29f520465b7b88f71cb86c30e0fadc4d0fb21ee1d7 |
C:\Users\Admin\AppData\Local\Temp\39543890-855c-4291-8a0e-21c79e6bdf3c.tmp.node
| MD5 | 04bfbfec8db966420fe4c7b85ebb506a |
| SHA1 | 939bb742a354a92e1dcd3661a62d69e48030a335 |
| SHA256 | da2172ce055fa47d6a0ea1c90654f530abed33f69a74d52fab06c4c7653b48fd |
| SHA512 | 4ea97a9a120ed5bee8638e0a69561c2159fc3769062d7102167b0e92b4f1a5c002a761bd104282425f6cee8d0e39dbe7e12ad4e4a38570c3f90f31b65072dd65 |
memory/4960-11-0x00000192F2D90000-0x00000192F2DB2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_02rbfjkq.apw.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4960-21-0x00000192F3250000-0x00000192F32A0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | f48896adf9a23882050cdff97f610a7f |
| SHA1 | 4c5a610df62834d43f470cae7e851946530e3086 |
| SHA256 | 3ae35c2828715a2f9a5531d334a0cfffc81396c2dc058ca42a9943f3cdc22e78 |
| SHA512 | 16644246f2a35a186fcb5c2b6456ed6a16e8db65ad1383109e06547f9b1f9358f071c30cca541ca4cf7bae66cb534535e88f75f6296a4bfc6c7b22b0684a6ba9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1b0e3f53981de4024598d155ed522cad |
| SHA1 | 7ac4e8a1b4b89c455b90c887cd778b66b2ca818f |
| SHA256 | 049b105bc3c6af55d6310a5041a367a31cddeb6dbbc67bdccb275ca7d17c8411 |
| SHA512 | 4f3a22482852a68d5aea984d9bac9fce6cc159b1b6a874e7a75c5b8415ec723c3da7503257bf7888af49d486afb032bb1e7c9337bed23d8a1f46e53d3ff3cb74 |
C:\Users\Admin\AppData\Local\Temp\xx_lol\Browser.zip
| MD5 | 76cdb2bad9582d23c1f6f4d868218d6c |
| SHA1 | b04f3ee8f5e43fa3b162981b50bb72fe1acabb33 |
| SHA256 | 8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85 |
| SHA512 | 5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\webdata.db
| MD5 | d4993802b9cf3203200f899233c3e2fc |
| SHA1 | a632e8d796c8a0d1cf8cda55aa882b1a82b7318f |
| SHA256 | cff606c51ac13f4352de08f7838939c1e261bdc232a10bb94f6924d00cbd0dd6 |
| SHA512 | 1910cf846fe61ef744dc6bcf9062caaf6ab1856a64bd8aa6849cbddcdc8fa921f0cef16d0d9cc38842345f5873724b27764307076bd50bd46bb74f643cde03bd |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\webdata.db
| MD5 | f70aa3fa04f0536280f872ad17973c3d |
| SHA1 | 50a7b889329a92de1b272d0ecf5fce87395d3123 |
| SHA256 | 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8 |
| SHA512 | 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84 |
Analysis: behavioral20
Detonation Overview
Submitted
2024-06-11 06:18
Reported
2024-06-11 06:26
Platform
win11-20240508-en
Max time kernel
1s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
"C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe"
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-11 06:18
Reported
2024-06-11 06:23
Platform
win10v2004-20240508-en
Max time kernel
51s
Max time network
53s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 392 wrote to memory of 1852 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1852 -ip 1852
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1852 -s 628
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral23
Detonation Overview
Submitted
2024-06-11 06:18
Reported
2024-06-11 06:27
Platform
win10v2004-20240508-en
Max time kernel
27s
Max time network
35s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\vulkan-1.dll,#1
Network
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-06-11 06:18
Reported
2024-06-11 06:25
Platform
win10v2004-20240508-en
Max time kernel
49s
Max time network
54s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3dcompiler_47.dll,#1
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-06-11 06:18
Reported
2024-06-11 06:25
Platform
win11-20240426-en
Max time kernel
0s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1
Network
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-06-11 06:18
Reported
2024-06-11 06:27
Platform
win11-20240426-en
Max time kernel
0s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\vulkan-1.dll,#1
Network
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-06-11 06:18
Reported
2024-06-11 06:26
Platform
win11-20240419-en
Max time kernel
0s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1
Network
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-06-11 06:18
Reported
2024-06-11 06:26
Platform
win11-20240508-en
Max time kernel
0s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1
Network
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-06-11 06:18
Reported
2024-06-11 06:27
Platform
win11-20240508-en
Max time kernel
0s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3840 wrote to memory of 3480 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3480 -ip 3480
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3480 -s 468
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-11 06:18
Reported
2024-06-11 06:24
Platform
win11-20240426-en
Max time kernel
0s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 224 wrote to memory of 1868 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1868 -ip 1868
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 460
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-11 06:18
Reported
2024-06-11 06:24
Platform
win10v2004-20240508-en
Max time kernel
59s
Max time network
54s
Command Line
Signatures
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133625606388514871" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa740aab58,0x7ffa740aab68,0x7ffa740aab78
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1672 --field-trial-handle=1900,i,10464607981414401776,16876632663524777821,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1900,i,10464607981414401776,16876632663524777821,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2256 --field-trial-handle=1900,i,10464607981414401776,16876632663524777821,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3064 --field-trial-handle=1900,i,10464607981414401776,16876632663524777821,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3048 --field-trial-handle=1900,i,10464607981414401776,16876632663524777821,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4360 --field-trial-handle=1900,i,10464607981414401776,16876632663524777821,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4640 --field-trial-handle=1900,i,10464607981414401776,16876632663524777821,131072 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | N/A | udp |
Files
\??\pipe\crashpad_4672_QUFEGEPEBWNQEYWX
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 102f96d6c3fbbe7e57f89f3dde8f38f6 |
| SHA1 | 30fbb2bd9ca2258d7da1012161e3f08b5ca5b30c |
| SHA256 | 5f8246e31360bf2ba18851fad3692471546ea9af8146823a0f77748b3d60cf8d |
| SHA512 | f3b2e28474737be835b78cca59f05a1b8c61ff8e8bcd4b61df0de8a870def92f8b444c87a099a7855ac1b3313afad8ba2d94317c31a963eda9a8fb1eea46726c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 1f973e6681ec00dd784730d9c6a56031 |
| SHA1 | 562a6e09c3799023afec7d69f9853efbad4f186d |
| SHA256 | a32a2e4e54d931f377b53a4d7f36bb16f618409fb8cf4c20f789975063ce7dd3 |
| SHA512 | 76bf23a0d95d134a90e408dc85fd4b18d9a2a105116d6ba5c6deb97645c481f0be0cf4617be6df5c1f28808dcbd5b6909fbd4de837328ba1c2ebd163db2a33f6 |
Analysis: behavioral10
Detonation Overview
Submitted
2024-06-11 06:18
Reported
2024-06-11 06:24
Platform
win11-20240426-en
Max time kernel
0s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3dcompiler_47.dll,#1
Network
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-06-11 06:18
Reported
2024-06-11 06:26
Platform
win10v2004-20240508-en
Max time kernel
9s
Max time network
20s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe
"C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe"
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-11 06:18
Reported
2024-06-11 06:24
Platform
win11-20240508-en
Max time kernel
58s
Max time network
52s
Command Line
Signatures
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133625606402559285" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffd156bab58,0x7ffd156bab68,0x7ffd156bab78
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1640 --field-trial-handle=1808,i,9278694756072283623,16624829101704040946,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 --field-trial-handle=1808,i,9278694756072283623,16624829101704040946,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2104 --field-trial-handle=1808,i,9278694756072283623,16624829101704040946,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2988 --field-trial-handle=1808,i,9278694756072283623,16624829101704040946,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2996 --field-trial-handle=1808,i,9278694756072283623,16624829101704040946,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4272 --field-trial-handle=1808,i,9278694756072283623,16624829101704040946,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4396 --field-trial-handle=1808,i,9278694756072283623,16624829101704040946,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1512 --field-trial-handle=1808,i,9278694756072283623,16624829101704040946,131072 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | N/A | udp |
Files
\??\pipe\crashpad_2180_VJWGPCOOCJWITMHU
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Analysis: behavioral22
Detonation Overview
Submitted
2024-06-11 06:18
Reported
2024-06-11 06:27
Platform
win11-20240426-en
Max time kernel
0s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\vk_swiftshader.dll,#1
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-11 06:18
Reported
2024-06-11 06:23
Platform
win11-20240426-en
Max time kernel
90s
Max time network
94s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2128 wrote to memory of 4288 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4288 -ip 4288
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 536
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-06-11 06:18
Reported
2024-06-11 06:27
Platform
win10v2004-20240508-en
Max time kernel
32s
Max time network
37s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1980 wrote to memory of 3896 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3896 -ip 3896
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 612
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 06:18
Reported
2024-06-11 06:23
Platform
win10v2004-20240508-en
Max time kernel
171s
Max time network
173s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runtimebroker.exe | C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
An obfuscated cmd.exe command-line is typically used to evade detection.
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Enumerates physical storage devices
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Vanta-Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Vanta-Loader.exe"
C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\tasklist.exe
tasklist
C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
"C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\runtimebroker" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1636 --field-trial-handle=1788,i,16641817162947262200,1431784292294481193,131072 --disable-features=BlinkSchedulerMicroTaskQueuePerWindowAgent,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
"C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\runtimebroker" --mojo-platform-channel-handle=2044 --field-trial-handle=1788,i,16641817162947262200,1431784292294481193,131072 --disable-features=BlinkSchedulerMicroTaskQueuePerWindowAgent,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,123,210,181,210,198,217,30,79,143,44,142,139,125,65,164,21,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,33,156,90,107,92,234,10,181,133,211,213,132,225,131,203,19,43,3,49,39,190,150,249,21,61,57,49,200,210,141,111,17,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,214,130,109,140,61,204,74,148,189,62,217,154,132,189,29,160,26,234,209,30,83,79,12,6,129,130,103,41,196,208,66,54,48,0,0,0,236,8,218,121,146,205,107,71,207,134,9,211,133,7,82,203,50,134,32,93,11,238,254,63,23,243,203,194,220,127,112,141,162,163,30,223,124,74,182,37,157,68,135,13,26,90,83,83,64,0,0,0,236,16,138,167,200,115,64,250,162,134,117,14,7,53,89,144,157,205,82,149,198,14,40,220,234,159,129,235,18,113,4,59,0,212,17,133,25,130,151,144,176,122,34,55,195,60,202,67,224,172,20,174,133,84,215,190,203,254,174,41,10,104,192,145), $null, 'CurrentUser')"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,123,210,181,210,198,217,30,79,143,44,142,139,125,65,164,21,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,33,156,90,107,92,234,10,181,133,211,213,132,225,131,203,19,43,3,49,39,190,150,249,21,61,57,49,200,210,141,111,17,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,214,130,109,140,61,204,74,148,189,62,217,154,132,189,29,160,26,234,209,30,83,79,12,6,129,130,103,41,196,208,66,54,48,0,0,0,236,8,218,121,146,205,107,71,207,134,9,211,133,7,82,203,50,134,32,93,11,238,254,63,23,243,203,194,220,127,112,141,162,163,30,223,124,74,182,37,157,68,135,13,26,90,83,83,64,0,0,0,236,16,138,167,200,115,64,250,162,134,117,14,7,53,89,144,157,205,82,149,198,14,40,220,234,159,129,235,18,113,4,59,0,212,17,133,25,130,151,144,176,122,34,55,195,60,202,67,224,172,20,174,133,84,215,190,203,254,174,41,10,104,192,145), $null, 'CurrentUser')
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,123,210,181,210,198,217,30,79,143,44,142,139,125,65,164,21,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,169,185,211,78,126,178,233,113,146,165,226,217,166,46,54,58,7,126,2,46,52,51,8,33,165,252,252,33,23,55,170,117,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,17,11,201,141,126,201,93,71,249,169,78,142,80,33,175,239,206,207,106,1,120,226,109,40,148,210,70,217,136,37,103,93,48,0,0,0,196,143,154,93,178,189,8,54,194,213,193,83,116,53,243,111,111,77,200,213,127,10,114,6,231,115,160,210,133,174,254,89,248,212,39,71,125,70,83,162,94,87,174,78,120,53,111,193,64,0,0,0,230,177,176,152,136,15,179,107,163,31,172,7,147,247,157,248,126,206,103,252,231,212,64,164,231,127,156,232,77,46,46,112,8,236,160,141,113,40,61,129,30,155,244,246,72,26,227,154,16,181,136,68,101,194,90,66,46,20,238,131,114,189,199,162), $null, 'CurrentUser')"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,123,210,181,210,198,217,30,79,143,44,142,139,125,65,164,21,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,169,185,211,78,126,178,233,113,146,165,226,217,166,46,54,58,7,126,2,46,52,51,8,33,165,252,252,33,23,55,170,117,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,17,11,201,141,126,201,93,71,249,169,78,142,80,33,175,239,206,207,106,1,120,226,109,40,148,210,70,217,136,37,103,93,48,0,0,0,196,143,154,93,178,189,8,54,194,213,193,83,116,53,243,111,111,77,200,213,127,10,114,6,231,115,160,210,133,174,254,89,248,212,39,71,125,70,83,162,94,87,174,78,120,53,111,193,64,0,0,0,230,177,176,152,136,15,179,107,163,31,172,7,147,247,157,248,126,206,103,252,231,212,64,164,231,127,156,232,77,46,46,112,8,236,160,141,113,40,61,129,30,155,244,246,72,26,227,154,16,181,136,68,101,194,90,66,46,20,238,131,114,189,199,162), $null, 'CurrentUser')
C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
"C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\runtimebroker" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1656 --field-trial-handle=1788,i,16641817162947262200,1431784292294481193,131072 --disable-features=BlinkSchedulerMicroTaskQueuePerWindowAgent,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.gofile.io | udp |
| US | 8.8.8.8:53 | dns.google | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsq62E1.tmp\System.dll
C:\Users\Admin\AppData\Local\Temp\nsq62E1.tmp\nsis7z.dll
C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\chrome_100_percent.pak
C:\Users\Admin\AppData\Local\Temp\nsq62E1.tmp\7z-out\chrome_200_percent.pak
C:\Users\Admin\AppData\Local\Temp\nsq62E1.tmp\7z-out\d3dcompiler_47.dll
C:\Users\Admin\AppData\Local\Temp\nsq62E1.tmp\7z-out\ffmpeg.dll
C:\Users\Admin\AppData\Local\Temp\nsq62E1.tmp\7z-out\icudtl.dat
C:\Users\Admin\AppData\Local\Temp\nsq62E1.tmp\7z-out\libEGL.dll
C:\Users\Admin\AppData\Local\Temp\nsq62E1.tmp\7z-out\resources.pak
C:\Users\Admin\AppData\Local\Temp\nsq62E1.tmp\7z-out\LICENSES.chromium.html
C:\Users\Admin\AppData\Local\Temp\nsq62E1.tmp\7z-out\LICENSE.electron.txt
C:\Users\Admin\AppData\Local\Temp\nsq62E1.tmp\7z-out\libGLESv2.dll
C:\Users\Admin\AppData\Local\Temp\nsq62E1.tmp\7z-out\snapshot_blob.bin
C:\Users\Admin\AppData\Local\Temp\nsq62E1.tmp\7z-out\v8_context_snapshot.bin
C:\Users\Admin\AppData\Local\Temp\nsq62E1.tmp\7z-out\vk_swiftshader.dll
C:\Users\Admin\AppData\Local\Temp\nsq62E1.tmp\7z-out\vk_swiftshader_icd.json
C:\Users\Admin\AppData\Local\Temp\nsq62E1.tmp\7z-out\vulkan-1.dll
C:\Users\Admin\AppData\Local\Temp\nsq62E1.tmp\7z-out\locales\af.pak
C:\Users\Admin\AppData\Local\Temp\nsq62E1.tmp\7z-out\locales\am.pak
C:\Users\Admin\AppData\Local\Temp\nsq62E1.tmp\7z-out\locales\ar.pak
C:\Users\Admin\AppData\Local\Temp\nsq62E1.tmp\7z-out\locales\bg.pak
C:\Users\Admin\AppData\Local\Temp\nsq62E1.tmp\7z-out\locales\bn.pak
C:\Users\Admin\AppData\Local\Temp\nsq62E1.tmp\7z-out\locales\ca.pak
C:\Users\Admin\AppData\Local\Temp\nsq62E1.tmp\7z-out\locales\cs.pak
C:\Users\Admin\AppData\Local\Temp\nsq62E1.tmp\7z-out\locales\el.pak
C:\Users\Admin\AppData\Local\Temp\nsq62E1.tmp\7z-out\locales\de.pak
C:\Users\Admin\AppData\Local\Temp\nsq62E1.tmp\7z-out\locales\da.pak
C:\Users\Admin\AppData\Local\Temp\nsq62E1.tmp\7z-out\locales\en-GB.pak
C:\Users\Admin\AppData\Local\Temp\nsq62E1.tmp\7z-out\locales\en-US.pak
C:\Users\Admin\AppData\Local\Temp\nsq62E1.tmp\7z-out\locales\fi.pak
C:\Users\Admin\AppData\Local\Temp\nsq62E1.tmp\7z-out\locales\fa.pak
C:\Users\Admin\AppData\Local\Temp\nsq62E1.tmp\7z-out\locales\et.pak
C:\Users\Admin\AppData\Local\Temp\nsq62E1.tmp\7z-out\locales\es.pak
C:\Users\Admin\AppData\Local\Temp\nsq62E1.tmp\7z-out\locales\es-419.pak
C:\Users\Admin\AppData\Local\Temp\nsq62E1.tmp\7z-out\locales\fil.pak
C:\Users\Admin\AppData\Local\Temp\nsq62E1.tmp\7z-out\locales\fr.pak
C:\Users\Admin\AppData\Local\Temp\nsq62E1.tmp\7z-out\locales\he.pak
C:\Users\Admin\AppData\Local\Temp\nsq62E1.tmp\7z-out\locales\gu.pak
C:\Users\Admin\AppData\Local\Temp\nsq62E1.tmp\7z-out\locales\it.pak
C:\Users\Admin\AppData\Local\Temp\nsq62E1.tmp\7z-out\locales\id.pak
C:\Users\Admin\AppData\Local\Temp\nsq62E1.tmp\7z-out\locales\hu.pak
| MD5 | 2aa0a175df21583a68176742400c6508 |
| SHA1 | 3c25ba31c2b698e0c88e7d01b2cc241f0916e79a |
| SHA256 | b59f932df822ab1a87e8aab4bbb7c549db15899f259f4c50ae28f8d8c7ce1e72 |
| SHA512 | 03a16feb0601407e96bcb43af9bdb21e5218c2700c9f3cfd5f9690d0b4528f9dc17e4cc690d8c9132d4e0b26d7faafd90aa3f5e57237e06fb81aab7ab77f6c03 |
C:\Users\Admin\AppData\Local\Temp\nsq62E1.tmp\7z-out\locales\hr.pak
| MD5 | cbca0ad35cfa5c4b852cc8f556706b0b |
| SHA1 | 608d2e11a40e5e15a2840e248a249d1562ba9846 |
| SHA256 | 6ea4b1a28cf567cca73ccdb7eec631fffba3b49acc41e3c88b448514578d80da |
| SHA512 | 5b6f01c10d613f278d507d43fb0c708b32fd486d9b5a5f31a9837d0b1025da6ff85772b8f39e192cd8625d363be570565fd4eaf0f8d11c17ad6cbd956893022b |
C:\Users\Admin\AppData\Local\Temp\nsq62E1.tmp\7z-out\locales\hi.pak
| MD5 | bc777a1010c846906d05d75d82f5dea9 |
| SHA1 | 73bbeeda37164845ca3f4f2827165b4023f8a194 |
| SHA256 | ccf7a557d0f8353ff3d656d4c2a4fca2d462ed2cc3d18c599d98f4d57b23c615 |
| SHA512 | e6a01b80adfa31fa93d48fc4f1ba9222d21b8ed7734e664e4f274843b46d826ec8863483c0e8647e39ad85988dfe0a2848d32a26ce1fdd8a0eb85e4fe64be292 |
C:\Users\Admin\AppData\Local\Temp\nsq62E1.tmp\7z-out\locales\ja.pak
| MD5 | e9133185d2339d0a2f68c4c739eb3615 |
| SHA1 | cfa6db85ec99bb38b734254b7d4a83d12ee5cd00 |
| SHA256 | ba2acb635671a48ed0bf8cdc6e0a0318cfb33eb74b4171c6b483b95f2a167bc5 |
| SHA512 | e89c886a601943d2089bad27ce9458f95929fd39fd2f88da0545f71e9d18a678eafc303630d0f94ab3af7c77ad19fabdb2616a2d004151232bc6ce1ae8e4c46e |
C:\Users\Admin\AppData\Local\Temp\nsq62E1.tmp\7z-out\locales\kn.pak
| MD5 | fccd5d8ad5e1c774771b19dda55d9b9a |
| SHA1 | fabbaf469e4aec44342a7e6f74b837cde2203b71 |
| SHA256 | 47c77fdf73267865a025a54027865a8d67e26943264a43c6e794ccbd6eec549b |
| SHA512 | c9dc6cf0ff5a4094cc07ce4881319778a076b44651b16a220940d7a587ffaa92b6b80f7264605a3c8e6dd780e9c3d8e4d403d01cd8f94e0122ac19cd4d636aac |
C:\Users\Admin\AppData\Local\Temp\nsq62E1.tmp\7z-out\locales\ko.pak
| MD5 | 54ace51d8b687e36a66a2bfde258a550 |
| SHA1 | 1b2fe7c62e3f2c7deede2034e44980e02afa3b4d |
| SHA256 | 8d131066e2fa004e11f9128162bfc354d3254381059d6c852bf88a55859ae3e8 |
| SHA512 | 50b825a88d646a32a4d620bcdf5ce490c8dfbea628c5256a6918dc647c42385f955396ec5d3b32cfdb50153897cf303cd517bc9f62663b14def2dae42229f640 |
C:\Users\Admin\AppData\Local\Temp\nsq62E1.tmp\7z-out\locales\lt.pak
| MD5 | 64b08ffc40a605fe74ecc24c3024ee3b |
| SHA1 | 516296e8a3114ddbf77601a11faf4326a47975ab |
| SHA256 | 8a5d6e29833374e0f74fd7070c1b20856cb6b42ed30d18a5f17e6c2e4a8d783e |
| SHA512 | 05d207413186ac2b87a59681efe4fdf9dc600d0f3e8327e7b9802a42306d80d0ddd9ee07d103b17caf0518e42ab25b7ca9da4713941abc7bced65961671164ac |
C:\Users\Admin\AppData\Local\Temp\nsq62E1.tmp\7z-out\locales\lv.pak
| MD5 | 4468d6a6114d5a7ea3c1173ae9a8250d |
| SHA1 | ef664a6a140fb7a244bce44ff8c73250856d8061 |
| SHA256 | 0ff66161377be2fb8b2b456a64dd910d8375a2b9f1f6f22333540a77111903d6 |
| SHA512 | db4179b53cd44f297f5455a167ceccdd2a384c5296311346fa53f15ef5acab76cd166df13dbdf22b0c85a66455f22218e88c02fda2c5e2f863b9f4e7ea6e9a56 |
C:\Users\Admin\AppData\Local\Temp\nsq62E1.tmp\7z-out\locales\ml.pak
| MD5 | 038b9eb34737bf472fde68b91a40f122 |
| SHA1 | 64771e91d4fdac0b909c6f446cc2f310be7d1320 |
| SHA256 | 27b7947e36a521403de094cc563d5eced1e46f98e4d6b872fd424352f798e84d |
| SHA512 | 3c96b42ab838f2ad5434e719f5906427a5fb327967d04c8498f3af4e913de833ac9cce6545fcfe0de2dc920cdf54c8b31c1d1527f609f90bcf9728d7bdbaac7d |
C:\Users\Admin\AppData\Local\Temp\nsq62E1.tmp\7z-out\locales\mr.pak
| MD5 | 5657d67f6d21b507aab24ff62b0d4701 |
| SHA1 | b685a327c525b7e42eece306984e6d88dd803a29 |
| SHA256 | 671c3cb2a805a63a275ad608d37d0577c6a2813dd67fb6c2b70f8232323aac04 |
| SHA512 | 637c60834edc6f31c80692274af05e3f78466cd5ddb2fd7c79315b0f54939f41f25c3b30c86fd10751d032def1f99cb853c3186128a76a3a82a6989eaf14a835 |
C:\Users\Admin\AppData\Local\Temp\nsq62E1.tmp\7z-out\locales\nb.pak
| MD5 | 55d5ad4eacb12824cfcd89470664c856 |
| SHA1 | f893c00d8d4fdb2f3e7a74a8be823e5e8f0cd673 |
| SHA256 | 4f44789a2c38edc396a31aba5cc09d20fb84cd1e06f70c49f0664289c33cd261 |
| SHA512 | 555d87be8c97f466c6b3e7b23ec0210335846398c33dba71e926ff7e26901a3908dbb0f639c93db2d090c9d8bda48eddf196b1a09794d0e396b2c02b4720f37e |
C:\Users\Admin\AppData\Local\Temp\nsq62E1.tmp\7z-out\locales\ms.pak
| MD5 | aee105366a1870b9d10f0f897e9295db |
| SHA1 | eee9d789a8eeafe593ce77a7c554f92a26a2296f |
| SHA256 | c6471aee5f34f31477d57f593b09cb1de87f5fd0f9b5e63d8bab4986cf10d939 |
| SHA512 | 240688a0054bfebe36ea2b056194ee07e87bbbeb7e385131c73a64aa7967984610fcb80638dd883837014f9bc920037069d0655e3e92a5922f76813aedb185fa |
C:\Users\Admin\AppData\Local\Temp\nsq62E1.tmp\7z-out\locales\ro.pak
| MD5 | d8b831a4896af7c78c534f1e8676ae37 |
| SHA1 | 175da19445b975b24a1e7bc8ffafa93d456ed10c |
| SHA256 | 3a58f2275ea6a2baa68924b1dab6b0f06abf8b6657a878dea94b0060a95e38f0 |
| SHA512 | e7e75dc7f92eb28759b567ec395f2a951c0e71284c75b9e2c4efd92209dda5767d51d51cdf591d04baddcfe88fbc2c8e6851a904d631b69bd801b9568767d948 |
C:\Users\Admin\AppData\Local\Temp\nsq62E1.tmp\7z-out\locales\pt-PT.pak
| MD5 | e032c0d39df2b7bfc71ece3bfe694039 |
| SHA1 | 6664f303bae983a1bffcba22e9df712bb3cb59d6 |
| SHA256 | 60a5a7f03d4d54397ca04be0c89d1f67a496b72807c0bd660c076bc945b40339 |
| SHA512 | 3f12ed39848ad76411d4d84b2ccef59e2346d40c8e7ddbf6e333a2323df737d864126777fb54a15e90283ced2e7f04a7dda561fa2ebe13b30e082988b13e1406 |
C:\Users\Admin\AppData\Local\Temp\nsq62E1.tmp\7z-out\locales\pt-BR.pak
| MD5 | 3701247a5ac607053278aea185ee6616 |
| SHA1 | 8cb40ddd4865347677f8d327792c6edb69012f76 |
| SHA256 | 7f41c3a58d08d98f21232e7c85839c9dec0053b447bb4dae867d2faadb278d45 |
| SHA512 | 637070ebc4411fb92bef5ff75eff46602db8ed59021f37f1a0d8201093f047419c558ec1af49c4dbbb4f58e7169e2f2cf04af7e1d11a57d39ab1cf036cb8497c |
C:\Users\Admin\AppData\Local\Temp\nsq62E1.tmp\7z-out\locales\pl.pak
| MD5 | fbc79131a645b3853b4fa97c2b589a07 |
| SHA1 | 91c6d4386384efa9074956b9e811a0aac385aa4e |
| SHA256 | 0948238576efb502327af4040c1d9eb1346fbf1bdcee35cd46746b170a7ea6a7 |
| SHA512 | 0559d787bb7e4fa32a70c19cf0d1b2962d3869363904c13f345ef733f1193c73a13bad9600d7a5ffacf60b92cd97c27e27f7c4b7e143d0925fb358498c92f8cf |
C:\Users\Admin\AppData\Local\Temp\nsq62E1.tmp\7z-out\locales\nl.pak
| MD5 | 285f965bdfd40491c0669f41a1c9e2f5 |
| SHA1 | b5c17191ab4d152c7793b6dec0a2e8f1fc298a89 |
| SHA256 | b20178135b9f21feef0315fb2f2bc574c2876385e607a539ff0ce6ae7faf707b |
| SHA512 | 03de0c35bc75fb96cc5871b5d06a49d99b92864541a3a03816c1245bef567401b260ed94b99818f81273395b1ec60a9f6cae22084ef34e01a95cc41da4fbd1b7 |
C:\Users\Admin\AppData\Local\Temp\nsq62E1.tmp\7z-out\locales\ru.pak
| MD5 | e582616cb61afb76688aa7669936bbff |
| SHA1 | cd2e894a59238ce90be527156243546b4a3fc53e |
| SHA256 | e4edec80c9e29357bcf31eda5d8b046c6c9fbc6434a0b5594b6a906d5f1407d1 |
| SHA512 | a5346390b6ec966d75839fb84e8d7284db55065b1a032ecd869a06555cdf116caaad73f9b059c92c17d5a5fb310a41c5f3b2461eee531b231adacb1b3d3d6cec |
C:\Users\Admin\AppData\Local\Temp\nsq62E1.tmp\7z-out\locales\sk.pak
| MD5 | 07498676ad49df5cb1a14d91e2fc2353 |
| SHA1 | da344ebcc2ed566b45668c8ff5b950cb921af71f |
| SHA256 | b7ba1d08ac8498ea6a37186a51b30d6d0db17136ac734982af4dab97f4a6cd9a |
| SHA512 | 548dd27e98700681941ac13e6cf90a70c66520f70df51c75ecfbb32391805ee536a34f3e90400c1cfb34b750c9415378e1a75233db614c94a057da64d3369d91 |
C:\Users\Admin\AppData\Local\Temp\nsq62E1.tmp\7z-out\locales\sl.pak
| MD5 | 83ef046784c1b113e827cb744bcb8656 |
| SHA1 | f6f3e0e975e7d3ca8e06f1988cb8a1c182eea734 |
| SHA256 | ab2079923e2baa27c220df2f1559af8edc785f8e9fe2e12c8ecb0e0e7e7d0a09 |
| SHA512 | f62f7e1eee91f5d42d591abbc7cb0fdf639834090824e7ab7f4dffb1e6c108c540074fdbadd5e153caecdb37b722ed9f737f13cbab387685013781949b9ee321 |
C:\Users\Admin\AppData\Local\Temp\nsq62E1.tmp\7z-out\locales\sr.pak
| MD5 | c68c235d8e696c098cf66191e648196b |
| SHA1 | 5c967fbbd90403a755d6c4b2411e359884dc8317 |
| SHA256 | ab96a18177af90495e2e3c96292638a775aa75c1d210ca6a6c18fbc284cd815b |
| SHA512 | 34d14d8cb851df1ea8cd3cc7e9690eaf965d8941cfcac1c946606115ad889630156c5ff47011b27c1288f8df70e8a7dc41909a9fa98d75b691742ec1d1a5e653 |
C:\Users\Admin\AppData\Local\Temp\nsq62E1.tmp\7z-out\locales\sv.pak
| MD5 | 251682c6f4238bef8ab5471870a5454b |
| SHA1 | 2bf36466446abe39d487c61898d335901bbb09b0 |
| SHA256 | e1cbce672de3ba3a01272b9b763dcfd8229fba0883df2b4117ac6b0f9916c073 |
| SHA512 | de1e507b24e71f60c298253aacff49724b6a8c6336455d8dfcc6e939e53ed5e7a95dc5574e66a7fae38b6666446ac9cd83e5ad1b794b4ffa38d06052663c1f45 |
C:\Users\Admin\AppData\Local\Temp\nsq62E1.tmp\7z-out\locales\sw.pak
| MD5 | 67a443a5c2eaad32625edb5f8deb7852 |
| SHA1 | a6137841e8e7736c5ede1d0dc0ce3a44dc41013f |
| SHA256 | 41dfb772ae4c6f9e879bf7b4fa776b2877a2f8740fa747031b3d6f57f34d81dd |
| SHA512 | e0fdff1c3c834d8af8634f43c2f16ba5b883a8d88dfd322593a13830047568faf9f41d0bf73cd59e2e33c38fa58998d4702d2b0c21666717a86945d18b3f29e5 |
C:\Users\Admin\AppData\Local\Temp\nsq62E1.tmp\7z-out\locales\ta.pak
| MD5 | 292f763cb8eb588659eb7cc25cf57d2e |
| SHA1 | dc42622f272843cb3afce9968146b85a98485237 |
| SHA256 | d5bfe0699342b8bba6c4c73c115b1c7f3f903c4ed95d77461c34369f2f60d5ee |
| SHA512 | 100ec32914f0d140baa414180cb2ba34e95f75ab73a0c036d6d5ebb64cc69b2b7c62b9e3f9de192bab8ddac3b387b953bed2ca1fd3bf0aab0198b9c1f2911151 |
C:\Users\Admin\AppData\Local\Temp\nsq62E1.tmp\7z-out\locales\te.pak
| MD5 | 41e49a1ef6850d90e0cbdc720c45ea5a |
| SHA1 | a2fbe1585a1b653ac6acccaf6184ae2de3e007af |
| SHA256 | aa2b9d1ad8591e91872c3fee62b111b74d6e7e890a47d0bcc388947ae5245290 |
| SHA512 | 687ff66471248104f8780f142e1810ccc7275857e4bd188447d01cecbe74ebac4070ab135d4a7111bc5f4ae17247dd865f21a2d3e73031534dac1f5117bc4570 |
C:\Users\Admin\AppData\Local\Temp\nsq62E1.tmp\7z-out\locales\th.pak
| MD5 | f9ff2275865f2cdebb9b0d19d4fb57a1 |
| SHA1 | e83c6c8e0005bf34771af3f1c0c9d8ebaa822f95 |
| SHA256 | 3d4556bc0f26b89d090a8a779a8fda8f6fbe157a23181cbfb1d6c67a6212b864 |
| SHA512 | 96f596bb564e62bbafe62774fba1cefa644feff47a331e54cd7dc9b85b29f2a2e8e785e85d90cccc27f9a1c735b0a8c6dbe01fa244601f1359194f64a49ee6d0 |
C:\Users\Admin\AppData\Local\Temp\nsq62E1.tmp\7z-out\locales\tr.pak
| MD5 | 1525dd38ca529c56f9d3e08293385690 |
| SHA1 | e0dfb9d60a3469d701dcb9ead8f8cd2cfe6fd604 |
| SHA256 | 5a7e1c8b572f67ed40e9d5107ddd6f8791b03138bb9933cfb26f1678b2c4a9cd |
| SHA512 | 195ffc165e45a51c12b03252759c5e1ff684e57b5994aeca608d40ef6799f29812add6fb2479e8e8c1655799f4dbf29e47272324b857b9161ad43a1b271eddfd |
C:\Users\Admin\AppData\Local\Temp\nsq62E1.tmp\7z-out\locales\uk.pak
| MD5 | 88d51b6df9f3cec54eda732dcf2c63fa |
| SHA1 | a826200f112d5c69f1aa5837bc40d4c423515029 |
| SHA256 | e914b8956745a14d9d64f12698805e0910f9d3581dd380468949b54576fad2a6 |
| SHA512 | 3ed8f2090497597d4e2583901993331de19f9dc787ea886dabdaf22a79aefa2956e63501c9a50be34fabf7287b6751f50d9a5105e4f16a579961ebc0d6eff14e |
C:\Users\Admin\AppData\Local\Temp\nsq62E1.tmp\7z-out\locales\zh-TW.pak
| MD5 | c651e23053764c38a4e8a7f34317f19b |
| SHA1 | 93cd303c91024748d283c3779f11402cfb4f5c0b |
| SHA256 | 9689ba3f2dc7248a3ab5db3b97d473e29464afbc7f2d1c7035f7e8e9a1c05aa4 |
| SHA512 | 1b7951fc4dcc2c08811dd3449fe2ce1302286b3eca21675adefa25a806ae7dcf91c565a111032fc5fda4dd9f5231875f0c77cdfd22ecc7d435450080d853a503 |
C:\Users\Admin\AppData\Local\Temp\nsq62E1.tmp\7z-out\locales\zh-CN.pak
| MD5 | 0d5b72258b56c584113a022e16777387 |
| SHA1 | 77f91e8c36befb818229ef8fef068e97f60ecf0f |
| SHA256 | 539f0bfdb461bf777aab14a4baaf47c8c32ae1856cc4ac93b23ce73dc50ba02a |
| SHA512 | 632c4ca60529c717fb2ba700d8f12017d097e67045639e2c30144a0372cecf595a2727d3505f019b91e8a15fe3259f2727bfb24e970dea8080a11e1a3dfa2068 |
C:\Users\Admin\AppData\Local\Temp\nsq62E1.tmp\7z-out\locales\vi.pak
| MD5 | ebb5db1dbb64895b1a25120d5ac9b5e4 |
| SHA1 | 810fa53a97fe42994f8a68698d582651d69cfd51 |
| SHA256 | ef3ddadb90dc73b73e25e9608626ce68d6778445812b8bd2f6c81e1f1e4bff16 |
| SHA512 | fba594183c7b672204330ca698f1e195026fc51d4e05db2c49e58a896c3b5e11e23286be0d6ffae3ec321e6c08322544df3c876dbce3c2e69a951985a84a2c91 |
C:\Users\Admin\AppData\Local\Temp\nsq62E1.tmp\7z-out\locales\ur.pak
| MD5 | 1ca4fa13bd0089d65da7cd2376feb4c6 |
| SHA1 | b1ba777e635d78d1e98e43e82d0f7a3dd7e97f9c |
| SHA256 | 3941364d0278e2c4d686faa4a135d16a457b4bc98c5a08e62aa12f3adc09aa7f |
| SHA512 | d0d9eb1aa029bd4c34953ee5f4b60c09cf1d4f0b21c061db4ede1b5ec65d7a07fc2f780ade5ce51f2f781d272ac32257b95eedf471f7295ba70b5ba51db6c51d |
C:\Users\Admin\AppData\Local\Temp\nsq62E1.tmp\7z-out\resources\elevate.exe
| MD5 | 792b92c8ad13c46f27c7ced0810694df |
| SHA1 | d8d449b92de20a57df722df46435ba4553ecc802 |
| SHA256 | 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37 |
| SHA512 | 6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40 |
C:\Users\Admin\AppData\Local\Temp\nsq62E1.tmp\StdUtils.dll
| MD5 | c6a6e03f77c313b267498515488c5740 |
| SHA1 | 3d49fc2784b9450962ed6b82b46e9c3c957d7c15 |
| SHA256 | b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e |
| SHA512 | 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803 |
C:\Users\Admin\AppData\Local\Temp\07584c81-6797-47cd-b2e7-165261df83b4.tmp.node
| MD5 | 04bfbfec8db966420fe4c7b85ebb506a |
| SHA1 | 939bb742a354a92e1dcd3661a62d69e48030a335 |
| SHA256 | da2172ce055fa47d6a0ea1c90654f530abed33f69a74d52fab06c4c7653b48fd |
| SHA512 | 4ea97a9a120ed5bee8638e0a69561c2159fc3769062d7102167b0e92b4f1a5c002a761bd104282425f6cee8d0e39dbe7e12ad4e4a38570c3f90f31b65072dd65 |
C:\Users\Admin\AppData\Local\Temp\90a1e1be-c11d-4971-b12d-db81899b6a14.tmp.node
| MD5 | aa8da32ebca307d4f99cf2da290afd22 |
| SHA1 | 8590c0b54987ad6b0bc15a1aa66b9d2ca65ca899 |
| SHA256 | ed3a86d32e83849720e150c18c4d19c90cabe912d674624f34051c19936167db |
| SHA512 | d7809a39922d99a716744e6cc17e4094930c40a8a21c983830c3570c4e52846151d66ad5d6021bc2a5b5fd29f520465b7b88f71cb86c30e0fadc4d0fb21ee1d7 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qskc0bwa.kld.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2944-572-0x000001CC6D980000-0x000001CC6D9A2000-memory.dmp
memory/2944-573-0x000001CC6DC00000-0x000001CC6DC50000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | f48896adf9a23882050cdff97f610a7f |
| SHA1 | 4c5a610df62834d43f470cae7e851946530e3086 |
| SHA256 | 3ae35c2828715a2f9a5531d334a0cfffc81396c2dc058ca42a9943f3cdc22e78 |
| SHA512 | 16644246f2a35a186fcb5c2b6456ed6a16e8db65ad1383109e06547f9b1f9358f071c30cca541ca4cf7bae66cb534535e88f75f6296a4bfc6c7b22b0684a6ba9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 498ec1e23f5b415ac2f1260e2df1f2dd |
| SHA1 | 09b361775c19385abf2c492a548c4f171b667bfb |
| SHA256 | c4f0af0ba6c245de8bb2c5e61bda7023deb0e252797c94cd8a5702291d29d60d |
| SHA512 | 3f91d169bf61ae67b7b8f252b2bb3710dce0c96adc7da3376df4c56960733d0b2644fb46a23e75d84f8eb0d445a5ee25c2abaff5e5558ced515aaaa41b16febe |
C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\xx_lol\Browser.zip
| MD5 | 76cdb2bad9582d23c1f6f4d868218d6c |
| SHA1 | b04f3ee8f5e43fa3b162981b50bb72fe1acabb33 |
| SHA256 | 8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85 |
| SHA512 | 5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f |
memory/1428-608-0x000001E77C0B0000-0x000001E77C0B1000-memory.dmp
memory/1428-610-0x000001E77C0B0000-0x000001E77C0B1000-memory.dmp
memory/1428-609-0x000001E77C0B0000-0x000001E77C0B1000-memory.dmp
memory/1428-614-0x000001E77C0B0000-0x000001E77C0B1000-memory.dmp
memory/1428-615-0x000001E77C0B0000-0x000001E77C0B1000-memory.dmp
memory/1428-620-0x000001E77C0B0000-0x000001E77C0B1000-memory.dmp
memory/1428-619-0x000001E77C0B0000-0x000001E77C0B1000-memory.dmp
memory/1428-618-0x000001E77C0B0000-0x000001E77C0B1000-memory.dmp
memory/1428-617-0x000001E77C0B0000-0x000001E77C0B1000-memory.dmp
memory/1428-616-0x000001E77C0B0000-0x000001E77C0B1000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-06-11 06:18
Reported
2024-06-11 06:25
Platform
win10v2004-20240426-en
Max time kernel
29s
Max time network
36s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 243.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-06-11 06:18
Reported
2024-06-11 06:27
Platform
win10v2004-20240426-en
Max time kernel
27s
Max time network
19s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\vk_swiftshader.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | N/A | udp |
| N/A | 13.85.23.86:443 | N/A | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-11 06:18
Reported
2024-06-11 06:23
Platform
win11-20240508-en
Max time kernel
140s
Max time network
134s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runtimebroker.exe | C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
An obfuscated cmd.exe command-line is typically used to evade detection.
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Enumerates physical storage devices
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Vanta-Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Vanta-Loader.exe"
C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\tasklist.exe
tasklist
C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
"C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\runtimebroker" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1656 --field-trial-handle=1808,i,17994174437818637900,13838936078825212159,131072 --disable-features=BlinkSchedulerMicroTaskQueuePerWindowAgent,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
"C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\runtimebroker" --mojo-platform-channel-handle=2036 --field-trial-handle=1808,i,17994174437818637900,13838936078825212159,131072 --disable-features=BlinkSchedulerMicroTaskQueuePerWindowAgent,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,239,192,3,118,123,40,22,70,180,62,37,193,185,164,149,15,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,234,53,215,219,1,116,209,32,52,95,151,180,138,206,89,106,37,206,161,123,38,62,247,10,5,66,52,95,39,106,238,137,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,25,55,249,133,135,110,132,211,144,185,124,159,39,71,105,102,254,198,80,201,143,57,115,43,222,19,77,255,199,109,252,60,48,0,0,0,151,85,137,97,212,75,219,155,241,68,249,232,85,201,184,51,197,190,68,120,23,34,158,34,130,142,184,110,27,62,49,110,183,144,84,10,91,110,127,227,248,34,152,152,119,187,116,226,64,0,0,0,54,110,40,95,148,115,138,183,177,162,188,129,120,3,112,51,90,229,170,199,219,76,253,90,233,206,223,236,105,203,140,51,136,167,252,151,130,201,241,71,149,112,226,77,117,211,14,224,44,100,253,80,121,163,222,32,28,197,156,5,90,17,196,205), $null, 'CurrentUser')"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,239,192,3,118,123,40,22,70,180,62,37,193,185,164,149,15,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,234,53,215,219,1,116,209,32,52,95,151,180,138,206,89,106,37,206,161,123,38,62,247,10,5,66,52,95,39,106,238,137,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,25,55,249,133,135,110,132,211,144,185,124,159,39,71,105,102,254,198,80,201,143,57,115,43,222,19,77,255,199,109,252,60,48,0,0,0,151,85,137,97,212,75,219,155,241,68,249,232,85,201,184,51,197,190,68,120,23,34,158,34,130,142,184,110,27,62,49,110,183,144,84,10,91,110,127,227,248,34,152,152,119,187,116,226,64,0,0,0,54,110,40,95,148,115,138,183,177,162,188,129,120,3,112,51,90,229,170,199,219,76,253,90,233,206,223,236,105,203,140,51,136,167,252,151,130,201,241,71,149,112,226,77,117,211,14,224,44,100,253,80,121,163,222,32,28,197,156,5,90,17,196,205), $null, 'CurrentUser')
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,239,192,3,118,123,40,22,70,180,62,37,193,185,164,149,15,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,74,221,126,180,23,87,137,72,107,134,130,219,232,81,235,55,64,35,174,146,233,245,140,83,31,217,193,162,80,143,20,150,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,107,169,53,150,184,248,21,195,218,112,183,29,244,252,216,214,234,18,77,22,215,141,200,158,244,217,244,3,253,141,76,64,48,0,0,0,15,46,88,3,110,75,1,104,185,134,162,81,95,180,133,6,44,174,164,121,228,88,217,82,244,77,54,192,202,102,208,110,130,102,233,145,203,199,60,128,154,79,8,251,86,143,32,137,64,0,0,0,60,31,56,19,174,201,150,69,233,27,207,28,1,185,110,57,140,128,58,128,53,58,2,174,182,238,52,207,151,235,189,84,134,37,38,60,146,162,225,250,125,74,23,113,52,195,246,163,235,15,84,235,218,6,57,207,64,233,203,202,120,20,52,24), $null, 'CurrentUser')"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,239,192,3,118,123,40,22,70,180,62,37,193,185,164,149,15,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,74,221,126,180,23,87,137,72,107,134,130,219,232,81,235,55,64,35,174,146,233,245,140,83,31,217,193,162,80,143,20,150,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,107,169,53,150,184,248,21,195,218,112,183,29,244,252,216,214,234,18,77,22,215,141,200,158,244,217,244,3,253,141,76,64,48,0,0,0,15,46,88,3,110,75,1,104,185,134,162,81,95,180,133,6,44,174,164,121,228,88,217,82,244,77,54,192,202,102,208,110,130,102,233,145,203,199,60,128,154,79,8,251,86,143,32,137,64,0,0,0,60,31,56,19,174,201,150,69,233,27,207,28,1,185,110,57,140,128,58,128,53,58,2,174,182,238,52,207,151,235,189,84,134,37,38,60,146,162,225,250,125,74,23,113,52,195,246,163,235,15,84,235,218,6,57,207,64,233,203,202,120,20,52,24), $null, 'CurrentUser')
C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
"C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --user-data-dir="C:\Users\Admin\AppData\Roaming\runtimebroker" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=796 --field-trial-handle=1808,i,17994174437818637900,13838936078825212159,131072 --disable-features=BlinkSchedulerMicroTaskQueuePerWindowAgent,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.gofile.io | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dns.google | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nso514D.tmp\7z-out\icudtl.dat
| MD5 | 2c367970ac87a9275eeec5629bb6fc3d |
| SHA1 | 399324d1aeee5e74747a6873501a1ee5aac005ee |
| SHA256 | 17d57b17d12dc5cfbf06413d68a06f45ccf245f4abdf5429f30256977c4ed6de |
| SHA512 | f788a0d35f9e4bebe641ee67fff14968b62891f52d05bf638cd2c845df87f2e107c42a32bbe62f389f05e5673fe55cbdb85258571e698325400705cd7b16db01 |
C:\Users\Admin\AppData\Local\Temp\nso514D.tmp\7z-out\snapshot_blob.bin
| MD5 | ac47bd259a01da6c51f750ea210b52bf |
| SHA1 | d6682fc4a07ff2313bc8428137f533e8947692a3 |
| SHA256 | e87fb952df8e36a5461f328c37afd701f20c427810824e9541709cccb87c22b3 |
| SHA512 | 9bbd6e39597181da2cdaa0e3b4569e0a7a67b44f37be20b0bbe7cb6323501835427ce84044203c66c98b98fcf4e8e356e983be0e085f3020df93022d9c7e0135 |
C:\Users\Admin\AppData\Local\Temp\nso514D.tmp\7z-out\v8_context_snapshot.bin
| MD5 | 4d89b46abac43cfaec5c80ab2f735e15 |
| SHA1 | 8985d96af0017b78c9b3791ea2ead72f3e32c844 |
| SHA256 | 4f69d3512c141d88a6137b08a1da04ab80d8e685bd5e9378865d6de828f0cb5a |
| SHA512 | 477a676586b066813f1d469be6891b2cbd9575528d4279fd7da34f359057ee6025f82ce31c57a9e90658d52fd2e94779bd5a8a9c3d8f2283874450f4285da3bb |
C:\Users\Admin\AppData\Local\Temp\nso514D.tmp\7z-out\vk_swiftshader.dll
| MD5 | 30d193f1976035cebec2c2d8f071c556 |
| SHA1 | 97b1d811743f03e888c22d975c9eb77ba92142b9 |
| SHA256 | 600e158b7d7fb95eb63552da1ae8159a6eb9bb04ff6341d11db2d10bd6c30c8e |
| SHA512 | 4eb6ec91fb060f67ea126c9c7dd7f672161d86302db41c7d999f33239a7c18062cc020c06ab9571f8023c846d22bd0fa5c020fb4c710bf6a21472002dccb6226 |
C:\Users\Admin\AppData\Local\Temp\nso514D.tmp\7z-out\vk_swiftshader_icd.json
| MD5 | 8642dd3a87e2de6e991fae08458e302b |
| SHA1 | 9c06735c31cec00600fd763a92f8112d085bd12a |
| SHA256 | 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9 |
| SHA512 | f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f |
C:\Users\Admin\AppData\Local\Temp\nso514D.tmp\7z-out\locales\am.pak
| MD5 | 2c933f084d960f8094e24bee73fa826c |
| SHA1 | 91dfddc2cff764275872149d454a8397a1a20ab1 |
| SHA256 | fa1e44215bd5acc7342c431a3b1fddb6e8b6b02220b4599167f7d77a29f54450 |
| SHA512 | 3c9ecfb0407de2aa6585f4865ad54eeb2ec6519c9d346e2d33ed0e30be6cc3ebfed676a08637d42c2ca8fa6cfefb4091feb0c922ff71f09a2b89cdd488789774 |
C:\Users\Admin\AppData\Local\Temp\nso514D.tmp\7z-out\locales\bg.pak
| MD5 | 38bcabb6a0072b3a5f8b86b693eb545d |
| SHA1 | d36c8549fe0f69d05ffdaffa427d3ddf68dd6d89 |
| SHA256 | 898621731ac3471a41f8b3a7bf52e7f776e8928652b37154bc7c1299f1fd92e1 |
| SHA512 | 002adbdc17b6013becc4909daf2febb74ce88733c78e968938b792a52c9c5a62834617f606e4cb3774ae2dad9758d2b8678d7764bb6dcfe468881f1107db13ef |
C:\Users\Admin\AppData\Local\Temp\nso514D.tmp\7z-out\locales\cs.pak
| MD5 | f36f1b2ff12fb87a578c36f73f5aac83 |
| SHA1 | 73f61f7b6f191468ff4d9566a0bb6eccf1069cac |
| SHA256 | 877a0a3dcb5d393365b2f775faff0d3593dd84b380a27dc72025597061a50ba7 |
| SHA512 | c61a38f937dcc90c7dd5b87d9514147b6362d339d9af85bcb3677bb12ae5715d05426f6e67ffd3b441cc41530883a227096b4135b98f2d5c73f51612e0a0e4c9 |
C:\Users\Admin\AppData\Local\Temp\nso514D.tmp\7z-out\locales\ca.pak
| MD5 | 83f9f785483cd92a73843ed98e674f86 |
| SHA1 | 70e223dba0ecc5cf3f5fcf32278d97ff864c8024 |
| SHA256 | f7f54b55a917a0f68e4b7ed7a3e6feabb224c52d09786b939712607ebe8ab0ea |
| SHA512 | df231f6774a9568cc4b85ad18d13c31cfb4de78830c72900ebd613d580e914e85eff85330ac9aa85246a0e4949891fdfb224ac615a03fcb0ce05b989391963e8 |
C:\Users\Admin\AppData\Local\Temp\nso514D.tmp\7z-out\locales\bn.pak
| MD5 | 9340520696e7cb3c2495a78893e50add |
| SHA1 | eed5aeef46131e4c70cd578177c527b656d08586 |
| SHA256 | 1ea245646a4b4386606f03c8a3916a3607e2adbbc88f000976be36db410a1e39 |
| SHA512 | 62507685d5542cfcd394080917b3a92ca197112feea9c2ddc1dfc77382a174c7ddf758d85af66cd322692215cb0402865b2a2b212694a36da6b592028caafcdf |
C:\Users\Admin\AppData\Local\Temp\nso514D.tmp\7z-out\locales\ar.pak
| MD5 | 6352905a290802a05dd3a64d22216f6e |
| SHA1 | 11adb10f0678079c8f73779bb039e12329bcaac7 |
| SHA256 | 00861d9fa5763cc5c3152edb4a5c956c6bc4f56311ce2ed9e6b496181624ab5e |
| SHA512 | 0b0dbad8201ebd1a7dc2cfb11325c509efbcced3ac3d337915cf2972defe2304ea9f8af91d9362cb51333459900a80b714e7302a6483ad58fd64404f8410b6ea |
C:\Users\Admin\AppData\Local\Temp\nso514D.tmp\7z-out\locales\af.pak
| MD5 | 464e5eeaba5eff8bc93995ba2cb2d73f |
| SHA1 | 3b216e0c5246c874ad0ad7d3e1636384dad2255d |
| SHA256 | 0ad547bb1dc57907adeb02e1be3017cce78f6e60b8b39395fe0e8b62285797a1 |
| SHA512 | 726d6c41a9dbf1f5f2eff5b503ab68d879b088b801832c13fba7eb853302b16118cacda4748a4144af0f396074449245a42b2fe240429b1afcb7197fa0cb6d41 |
C:\Users\Admin\AppData\Local\Temp\nso514D.tmp\7z-out\vulkan-1.dll
| MD5 | 7fdd1bec727e2b389c8ca84c407446c6 |
| SHA1 | a91343d9f52883325f52f28c5dd142f4ae07b3ef |
| SHA256 | d04035c59f49444bd3cafd71296afd70bad5daa6e28bf5d7de3ffd0e36a85938 |
| SHA512 | 2fdd95185507be9bcbf6cfe1f05ba47e71203b1dc3ce4cc1553e5fcfb576ab89bf018a8927fc5e6e451b00f56f7abb5f2efd504e1a674b42dbe80deeb13d669a |
C:\Users\Admin\AppData\Local\Temp\nso514D.tmp\7z-out\locales\da.pak
| MD5 | 7ff057b530184205100dbea8635a29a7 |
| SHA1 | f6e22b2e37e6d7bf0ca9bec220650f01d1a4a091 |
| SHA256 | 40b32636ffb813574d8a063ce7e74860ab06b93a9b16dd56b5b6aa602b5e6943 |
| SHA512 | 09b7b6c280d98f21beeddf1b9e5834462f29d299a64276c198ef3eab466b352695172d2ff118664c34e51a2b73e21949f203ba35b0bb6d3e031ac770e3e6b451 |
C:\Users\Admin\AppData\Local\Temp\nso514D.tmp\7z-out\locales\el.pak
| MD5 | e66a75680f21ce281995f37099045714 |
| SHA1 | d553e80658ee1eea5b0912db1ecc4e27b0ed4790 |
| SHA256 | 21d1d273124648a435674c7877a98110d997cf6992469c431fe502bbcc02641f |
| SHA512 | d3757529dd85ef7989d9d4cecf3f7d87c9eb4beda965d8e2c87ee23b8baaec3fdff41fd53ba839215a37404b17b8fe2586b123557f09d201b13c7736c736b096 |
C:\Users\Admin\AppData\Local\Temp\nso514D.tmp\7z-out\locales\de.pak
| MD5 | 1b928ff4831916bbe39e4b2e08f52267 |
| SHA1 | dd8788bb4d386f7d0b8e685a09cc9ca361b7c31e |
| SHA256 | 9c335a4e85b4ac58ed386d89d284be053ef288b2706a4cae433d91625ec1b31e |
| SHA512 | 95dc4ecd45708277618a913bd07073a7cc61b642ae14fecc91ac0548898771a522a0672ee67399e5f5c8ca3006c37aa878b74af1f41717b9607c00f49e40124a |
C:\Users\Admin\AppData\Local\Temp\nso514D.tmp\7z-out\locales\en-US.pak
| MD5 | 19d18f8181a4201d542c7195b1e9ff81 |
| SHA1 | 7debd3cf27bbe200c6a90b34adacb7394cb5929c |
| SHA256 | 1d20e626444759c2b72aa6e998f14a032408d2b32f957c12ec3abd52831338fb |
| SHA512 | af07e1b08bbf2dd032a5a51a88ee2923650955873753629a086cad3b1600ce66ca7f9ed31b8ca901c126c10216877b24e123144bb0048f2a1e7757719aae73f2 |
C:\Users\Admin\AppData\Local\Temp\nso514D.tmp\7z-out\locales\en-GB.pak
| MD5 | e0c79cf2e5b790386e44b125d8e1a5fc |
| SHA1 | 1b75baf8035b81d6494f9f36930bbc8c512e1dbf |
| SHA256 | 6b0e81b2198e025eae1e2f6d5d3a33ccce034d1f4bc59e4cade1b5f5adb99f1a |
| SHA512 | e4feb64ce7edf416422127280cf87967a5e6b20436a8ed33932b1bade73f0691ac819449d38fa0d8a81b888d6319f0b3167aa16e225999dfd6e7800d2365f2a6 |
C:\Users\Admin\AppData\Local\Temp\nso514D.tmp\7z-out\locales\es.pak
| MD5 | e42486833449ea57261d5bbdabb8b4e2 |
| SHA1 | 09734ed71302c7a3bf5f84dee1dfab7732bc0745 |
| SHA256 | d539c88c4493cb1d9eae600611e3119fe129ec95149049f4b62fc3a97d78ca61 |
| SHA512 | 8ad283323c3f2e7a9d2e33eb86c371be6a9e29d9243e0d74d5936606692367212f81825d5c313a8859ff8de84eb6d23cbfc577ca47185392da803717f29e8b24 |
C:\Users\Admin\AppData\Local\Temp\nso514D.tmp\7z-out\locales\et.pak
| MD5 | 8b3cb5e4b8ac769bde84e5c375c1774e |
| SHA1 | 53665908d6ec12095abd766911d8abcc84c6da58 |
| SHA256 | c351b84558214420495bed6d882d37496483cc66b0e10400ca872e3fc4145b66 |
| SHA512 | b0dff640d32e5c277f2d3441abf823e8859f28f215cfc63fde8a968cbc9b9531aa0394e10fa98284d186323e3357ea2265d762dc034be86bb50f5c55630ab4c5 |
C:\Users\Admin\AppData\Local\Temp\nso514D.tmp\7z-out\locales\es-419.pak
| MD5 | a510ff6703676bacde7e528823878018 |
| SHA1 | 6551a7dac1c3fcd839b8d7c6ca92470f30a93d0d |
| SHA256 | 77114f519743741a488a9b57cdc7190f0507c37dc3b29811704a048172ba6736 |
| SHA512 | e9b75bc92eb077db57f906ef544b2339c4eb4f6eddf65d2570c36a00ab4b8a167a53e869d81150a7d097ecbf4ba19625ad4228f133392cc850352fe66fea47e0 |
C:\Users\Admin\AppData\Local\Temp\nso514D.tmp\7z-out\locales\fa.pak
| MD5 | e861a65f12b38a3def1fe9e933cae275 |
| SHA1 | 8d083b5902a15a63ef11c7783f12e088d333fcf5 |
| SHA256 | f9a8e3b9bbc809f11cc3dc32811940e033bd78a31ec154d28321473f8efa1e4d |
| SHA512 | d1fe91c693c794b4a4d60560800c919977654832e8f6e34fb1ec0ffbf5c411cf35b0a0e22e036dca48a246ab8d6bea0427c5ceb232d460e9c59cf4163d55314c |
C:\Users\Admin\AppData\Local\Temp\nso514D.tmp\7z-out\locales\fi.pak
| MD5 | 7243727348009668ded33dd0109118c3 |
| SHA1 | aa19e2e340c8328132d12ff79d8fd6b02c512a48 |
| SHA256 | 6581fca26336f66d8ba898ec1253b237db30e7cd1a25fc788290d7ace96fa6e1 |
| SHA512 | e890346915c0891a9f49640f232f6633e25655b969911a6697adfea709cec59bb925678e0b97424936c59d523c3ee9e2dc23f115e20c45ca3ed51ae691d0d7f0 |
C:\Users\Admin\AppData\Local\Temp\nso514D.tmp\7z-out\locales\fr.pak
| MD5 | 3a5bb07820cf46c0f4a81a25724fe870 |
| SHA1 | dbc296c1fc516c60d453253ee341ca4d31554230 |
| SHA256 | b62c51b85545b3f5d70ac9c684a111689044636eafaeb196f5d52760e0f96f91 |
| SHA512 | 0222f7a8bf3a6f77fcb9ab7eb0d03509d15bb8634d556547ed55141d550af241a525cc99eb13957744fe2e6d4732b9dbe4d078cb3555b16af6c13e20b9f4e8a1 |
C:\Users\Admin\AppData\Local\Temp\nso514D.tmp\7z-out\locales\fil.pak
| MD5 | d7df2ea381f37d6c92e4f18290c6ffe0 |
| SHA1 | 7cacf08455aa7d68259fcba647ee3d9ae4c7c5e4 |
| SHA256 | db4a63fa0d5b2baba71d4ba0923caed540099db6b1d024a0d48c3be10c9eed5a |
| SHA512 | 96fc028455f1cea067b3a3dd99d88a19a271144d73dff352a3e08b57338e513500925787f33495cd744fe4122dff2d2ee56e60932fc02e04feed2ec1e0c3533f |
C:\Users\Admin\AppData\Local\Temp\nso514D.tmp\7z-out\locales\gu.pak
| MD5 | 9e189d21ad5843b69c352466c94cdc4c |
| SHA1 | 99af98cc510abe726b54f28488f647ea6f7d4c91 |
| SHA256 | 9c210e3143f99df59bebea6bdb6e30959f8520d59a20fffd437f7029840bb3a9 |
| SHA512 | c3007f45ec20c3c3e763f20be1a5557f548a28757cb032617c20fe7d44b7524368b75b8182de243048aa56b939b2a790b5b85cf359b009c4c20c41089e8992e8 |
C:\Users\Admin\AppData\Local\Temp\nso514D.tmp\7z-out\locales\hu.pak
| MD5 | 2aa0a175df21583a68176742400c6508 |
| SHA1 | 3c25ba31c2b698e0c88e7d01b2cc241f0916e79a |
| SHA256 | b59f932df822ab1a87e8aab4bbb7c549db15899f259f4c50ae28f8d8c7ce1e72 |
| SHA512 | 03a16feb0601407e96bcb43af9bdb21e5218c2700c9f3cfd5f9690d0b4528f9dc17e4cc690d8c9132d4e0b26d7faafd90aa3f5e57237e06fb81aab7ab77f6c03 |
C:\Users\Admin\AppData\Local\Temp\nso514D.tmp\7z-out\locales\id.pak
| MD5 | 366d1b2c3759d6ff9c588f53ec9a7c5b |
| SHA1 | e9d5c6e8311c6f7b7c4ad997db0cec5c11cfd754 |
| SHA256 | 0853a5543923b7a8db5989ebb8ebe8f9fb6271bfa59b94f5843f97de4401e2d8 |
| SHA512 | 879e72625fd112cec85a6489c590d7e89c65753d2beee259f7393e7377729d40bbb8cd0a2a9fcfde93d14c2cc9a97879312e60ab26035970a632e36d2f8d9e53 |
C:\Users\Admin\AppData\Local\Temp\nso514D.tmp\7z-out\locales\hr.pak
| MD5 | cbca0ad35cfa5c4b852cc8f556706b0b |
| SHA1 | 608d2e11a40e5e15a2840e248a249d1562ba9846 |
| SHA256 | 6ea4b1a28cf567cca73ccdb7eec631fffba3b49acc41e3c88b448514578d80da |
| SHA512 | 5b6f01c10d613f278d507d43fb0c708b32fd486d9b5a5f31a9837d0b1025da6ff85772b8f39e192cd8625d363be570565fd4eaf0f8d11c17ad6cbd956893022b |
C:\Users\Admin\AppData\Local\Temp\nso514D.tmp\7z-out\locales\hi.pak
| MD5 | bc777a1010c846906d05d75d82f5dea9 |
| SHA1 | 73bbeeda37164845ca3f4f2827165b4023f8a194 |
| SHA256 | ccf7a557d0f8353ff3d656d4c2a4fca2d462ed2cc3d18c599d98f4d57b23c615 |
| SHA512 | e6a01b80adfa31fa93d48fc4f1ba9222d21b8ed7734e664e4f274843b46d826ec8863483c0e8647e39ad85988dfe0a2848d32a26ce1fdd8a0eb85e4fe64be292 |
C:\Users\Admin\AppData\Local\Temp\nso514D.tmp\7z-out\locales\he.pak
| MD5 | c6937badd93ff4ae6f6a2c9e31f678d5 |
| SHA1 | b3175d7bebe340ab08e0d8e85d550a076b073c55 |
| SHA256 | 3cd4440501bc67d0b2e33e1346ba133fb9a09a8762f2334732f8cc349cd840b7 |
| SHA512 | db232d7da04b4a854fd399fa04779469ec6fd0a752c4da7b2eed6d1aeaca4a096130fe326c91d777131d1a8ba32637d884e518f1522e9658d233a35e5eef9397 |
C:\Users\Admin\AppData\Local\Temp\nso514D.tmp\7z-out\locales\ja.pak
| MD5 | e9133185d2339d0a2f68c4c739eb3615 |
| SHA1 | cfa6db85ec99bb38b734254b7d4a83d12ee5cd00 |
| SHA256 | ba2acb635671a48ed0bf8cdc6e0a0318cfb33eb74b4171c6b483b95f2a167bc5 |
| SHA512 | e89c886a601943d2089bad27ce9458f95929fd39fd2f88da0545f71e9d18a678eafc303630d0f94ab3af7c77ad19fabdb2616a2d004151232bc6ce1ae8e4c46e |
C:\Users\Admin\AppData\Local\Temp\nso514D.tmp\7z-out\locales\it.pak
| MD5 | 8cde7372fc5095e581bf64fb77e04d61 |
| SHA1 | 0d30e0ae2c401a06ffb4056bab44d2b5d3970492 |
| SHA256 | d011fd39c3cbab740a7944a60a8dd48d6f76c563ea473cfd1f569c5e6fc9fa4e |
| SHA512 | 83778880ad95b39b5746d512aa116b05928f580f0c5e75b45cddcb80addb24cf079f73f65771e1d75ca18925ea6fdb86283aa060af2cd1308dee53ee728f76e8 |
C:\Users\Admin\AppData\Local\Temp\nso514D.tmp\7z-out\locales\kn.pak
| MD5 | fccd5d8ad5e1c774771b19dda55d9b9a |
| SHA1 | fabbaf469e4aec44342a7e6f74b837cde2203b71 |
| SHA256 | 47c77fdf73267865a025a54027865a8d67e26943264a43c6e794ccbd6eec549b |
| SHA512 | c9dc6cf0ff5a4094cc07ce4881319778a076b44651b16a220940d7a587ffaa92b6b80f7264605a3c8e6dd780e9c3d8e4d403d01cd8f94e0122ac19cd4d636aac |
C:\Users\Admin\AppData\Local\Temp\nso514D.tmp\7z-out\locales\ko.pak
| MD5 | 54ace51d8b687e36a66a2bfde258a550 |
| SHA1 | 1b2fe7c62e3f2c7deede2034e44980e02afa3b4d |
| SHA256 | 8d131066e2fa004e11f9128162bfc354d3254381059d6c852bf88a55859ae3e8 |
| SHA512 | 50b825a88d646a32a4d620bcdf5ce490c8dfbea628c5256a6918dc647c42385f955396ec5d3b32cfdb50153897cf303cd517bc9f62663b14def2dae42229f640 |
C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\locales\lt.pak
| MD5 | 64b08ffc40a605fe74ecc24c3024ee3b |
| SHA1 | 516296e8a3114ddbf77601a11faf4326a47975ab |
| SHA256 | 8a5d6e29833374e0f74fd7070c1b20856cb6b42ed30d18a5f17e6c2e4a8d783e |
| SHA512 | 05d207413186ac2b87a59681efe4fdf9dc600d0f3e8327e7b9802a42306d80d0ddd9ee07d103b17caf0518e42ab25b7ca9da4713941abc7bced65961671164ac |
C:\Users\Admin\AppData\Local\Temp\nso514D.tmp\7z-out\locales\lv.pak
| MD5 | 4468d6a6114d5a7ea3c1173ae9a8250d |
| SHA1 | ef664a6a140fb7a244bce44ff8c73250856d8061 |
| SHA256 | 0ff66161377be2fb8b2b456a64dd910d8375a2b9f1f6f22333540a77111903d6 |
| SHA512 | db4179b53cd44f297f5455a167ceccdd2a384c5296311346fa53f15ef5acab76cd166df13dbdf22b0c85a66455f22218e88c02fda2c5e2f863b9f4e7ea6e9a56 |
C:\Users\Admin\AppData\Local\Temp\nso514D.tmp\7z-out\locales\ml.pak
| MD5 | 038b9eb34737bf472fde68b91a40f122 |
| SHA1 | 64771e91d4fdac0b909c6f446cc2f310be7d1320 |
| SHA256 | 27b7947e36a521403de094cc563d5eced1e46f98e4d6b872fd424352f798e84d |
| SHA512 | 3c96b42ab838f2ad5434e719f5906427a5fb327967d04c8498f3af4e913de833ac9cce6545fcfe0de2dc920cdf54c8b31c1d1527f609f90bcf9728d7bdbaac7d |
C:\Users\Admin\AppData\Local\Temp\nso514D.tmp\7z-out\locales\mr.pak
| MD5 | 5657d67f6d21b507aab24ff62b0d4701 |
| SHA1 | b685a327c525b7e42eece306984e6d88dd803a29 |
| SHA256 | 671c3cb2a805a63a275ad608d37d0577c6a2813dd67fb6c2b70f8232323aac04 |
| SHA512 | 637c60834edc6f31c80692274af05e3f78466cd5ddb2fd7c79315b0f54939f41f25c3b30c86fd10751d032def1f99cb853c3186128a76a3a82a6989eaf14a835 |
C:\Users\Admin\AppData\Local\Temp\nso514D.tmp\7z-out\locales\ms.pak
| MD5 | aee105366a1870b9d10f0f897e9295db |
| SHA1 | eee9d789a8eeafe593ce77a7c554f92a26a2296f |
| SHA256 | c6471aee5f34f31477d57f593b09cb1de87f5fd0f9b5e63d8bab4986cf10d939 |
| SHA512 | 240688a0054bfebe36ea2b056194ee07e87bbbeb7e385131c73a64aa7967984610fcb80638dd883837014f9bc920037069d0655e3e92a5922f76813aedb185fa |
C:\Users\Admin\AppData\Local\Temp\nso514D.tmp\7z-out\locales\nb.pak
| MD5 | 55d5ad4eacb12824cfcd89470664c856 |
| SHA1 | f893c00d8d4fdb2f3e7a74a8be823e5e8f0cd673 |
| SHA256 | 4f44789a2c38edc396a31aba5cc09d20fb84cd1e06f70c49f0664289c33cd261 |
| SHA512 | 555d87be8c97f466c6b3e7b23ec0210335846398c33dba71e926ff7e26901a3908dbb0f639c93db2d090c9d8bda48eddf196b1a09794d0e396b2c02b4720f37e |
C:\Users\Admin\AppData\Local\Temp\nso514D.tmp\7z-out\locales\nl.pak
| MD5 | 285f965bdfd40491c0669f41a1c9e2f5 |
| SHA1 | b5c17191ab4d152c7793b6dec0a2e8f1fc298a89 |
| SHA256 | b20178135b9f21feef0315fb2f2bc574c2876385e607a539ff0ce6ae7faf707b |
| SHA512 | 03de0c35bc75fb96cc5871b5d06a49d99b92864541a3a03816c1245bef567401b260ed94b99818f81273395b1ec60a9f6cae22084ef34e01a95cc41da4fbd1b7 |
C:\Users\Admin\AppData\Local\Temp\nso514D.tmp\7z-out\locales\pl.pak
| MD5 | fbc79131a645b3853b4fa97c2b589a07 |
| SHA1 | 91c6d4386384efa9074956b9e811a0aac385aa4e |
| SHA256 | 0948238576efb502327af4040c1d9eb1346fbf1bdcee35cd46746b170a7ea6a7 |
| SHA512 | 0559d787bb7e4fa32a70c19cf0d1b2962d3869363904c13f345ef733f1193c73a13bad9600d7a5ffacf60b92cd97c27e27f7c4b7e143d0925fb358498c92f8cf |
C:\Users\Admin\AppData\Local\Temp\nso514D.tmp\7z-out\locales\pt-BR.pak
| MD5 | 3701247a5ac607053278aea185ee6616 |
| SHA1 | 8cb40ddd4865347677f8d327792c6edb69012f76 |
| SHA256 | 7f41c3a58d08d98f21232e7c85839c9dec0053b447bb4dae867d2faadb278d45 |
| SHA512 | 637070ebc4411fb92bef5ff75eff46602db8ed59021f37f1a0d8201093f047419c558ec1af49c4dbbb4f58e7169e2f2cf04af7e1d11a57d39ab1cf036cb8497c |
C:\Users\Admin\AppData\Local\Temp\nso514D.tmp\7z-out\locales\pt-PT.pak
| MD5 | e032c0d39df2b7bfc71ece3bfe694039 |
| SHA1 | 6664f303bae983a1bffcba22e9df712bb3cb59d6 |
| SHA256 | 60a5a7f03d4d54397ca04be0c89d1f67a496b72807c0bd660c076bc945b40339 |
| SHA512 | 3f12ed39848ad76411d4d84b2ccef59e2346d40c8e7ddbf6e333a2323df737d864126777fb54a15e90283ced2e7f04a7dda561fa2ebe13b30e082988b13e1406 |
C:\Users\Admin\AppData\Local\Temp\nso514D.tmp\7z-out\locales\ru.pak
| MD5 | e582616cb61afb76688aa7669936bbff |
| SHA1 | cd2e894a59238ce90be527156243546b4a3fc53e |
| SHA256 | e4edec80c9e29357bcf31eda5d8b046c6c9fbc6434a0b5594b6a906d5f1407d1 |
| SHA512 | a5346390b6ec966d75839fb84e8d7284db55065b1a032ecd869a06555cdf116caaad73f9b059c92c17d5a5fb310a41c5f3b2461eee531b231adacb1b3d3d6cec |
C:\Users\Admin\AppData\Local\Temp\nso514D.tmp\7z-out\locales\ro.pak
| MD5 | d8b831a4896af7c78c534f1e8676ae37 |
| SHA1 | 175da19445b975b24a1e7bc8ffafa93d456ed10c |
| SHA256 | 3a58f2275ea6a2baa68924b1dab6b0f06abf8b6657a878dea94b0060a95e38f0 |
| SHA512 | e7e75dc7f92eb28759b567ec395f2a951c0e71284c75b9e2c4efd92209dda5767d51d51cdf591d04baddcfe88fbc2c8e6851a904d631b69bd801b9568767d948 |
C:\Users\Admin\AppData\Local\Temp\nso514D.tmp\7z-out\locales\sk.pak
| MD5 | 07498676ad49df5cb1a14d91e2fc2353 |
| SHA1 | da344ebcc2ed566b45668c8ff5b950cb921af71f |
| SHA256 | b7ba1d08ac8498ea6a37186a51b30d6d0db17136ac734982af4dab97f4a6cd9a |
| SHA512 | 548dd27e98700681941ac13e6cf90a70c66520f70df51c75ecfbb32391805ee536a34f3e90400c1cfb34b750c9415378e1a75233db614c94a057da64d3369d91 |
C:\Users\Admin\AppData\Local\Temp\nso514D.tmp\7z-out\locales\sl.pak
| MD5 | 83ef046784c1b113e827cb744bcb8656 |
| SHA1 | f6f3e0e975e7d3ca8e06f1988cb8a1c182eea734 |
| SHA256 | ab2079923e2baa27c220df2f1559af8edc785f8e9fe2e12c8ecb0e0e7e7d0a09 |
| SHA512 | f62f7e1eee91f5d42d591abbc7cb0fdf639834090824e7ab7f4dffb1e6c108c540074fdbadd5e153caecdb37b722ed9f737f13cbab387685013781949b9ee321 |
C:\Users\Admin\AppData\Local\Temp\nso514D.tmp\7z-out\locales\vi.pak
| MD5 | ebb5db1dbb64895b1a25120d5ac9b5e4 |
| SHA1 | 810fa53a97fe42994f8a68698d582651d69cfd51 |
| SHA256 | ef3ddadb90dc73b73e25e9608626ce68d6778445812b8bd2f6c81e1f1e4bff16 |
| SHA512 | fba594183c7b672204330ca698f1e195026fc51d4e05db2c49e58a896c3b5e11e23286be0d6ffae3ec321e6c08322544df3c876dbce3c2e69a951985a84a2c91 |
C:\Users\Admin\AppData\Local\Temp\nso514D.tmp\7z-out\locales\zh-TW.pak
| MD5 | c651e23053764c38a4e8a7f34317f19b |
| SHA1 | 93cd303c91024748d283c3779f11402cfb4f5c0b |
| SHA256 | 9689ba3f2dc7248a3ab5db3b97d473e29464afbc7f2d1c7035f7e8e9a1c05aa4 |
| SHA512 | 1b7951fc4dcc2c08811dd3449fe2ce1302286b3eca21675adefa25a806ae7dcf91c565a111032fc5fda4dd9f5231875f0c77cdfd22ecc7d435450080d853a503 |
C:\Users\Admin\AppData\Local\Temp\nso514D.tmp\7z-out\locales\zh-CN.pak
| MD5 | 0d5b72258b56c584113a022e16777387 |
| SHA1 | 77f91e8c36befb818229ef8fef068e97f60ecf0f |
| SHA256 | 539f0bfdb461bf777aab14a4baaf47c8c32ae1856cc4ac93b23ce73dc50ba02a |
| SHA512 | 632c4ca60529c717fb2ba700d8f12017d097e67045639e2c30144a0372cecf595a2727d3505f019b91e8a15fe3259f2727bfb24e970dea8080a11e1a3dfa2068 |
C:\Users\Admin\AppData\Local\Temp\nso514D.tmp\7z-out\locales\ur.pak
| MD5 | 1ca4fa13bd0089d65da7cd2376feb4c6 |
| SHA1 | b1ba777e635d78d1e98e43e82d0f7a3dd7e97f9c |
| SHA256 | 3941364d0278e2c4d686faa4a135d16a457b4bc98c5a08e62aa12f3adc09aa7f |
| SHA512 | d0d9eb1aa029bd4c34953ee5f4b60c09cf1d4f0b21c061db4ede1b5ec65d7a07fc2f780ade5ce51f2f781d272ac32257b95eedf471f7295ba70b5ba51db6c51d |
C:\Users\Admin\AppData\Local\Temp\nso514D.tmp\7z-out\locales\uk.pak
| MD5 | 88d51b6df9f3cec54eda732dcf2c63fa |
| SHA1 | a826200f112d5c69f1aa5837bc40d4c423515029 |
| SHA256 | e914b8956745a14d9d64f12698805e0910f9d3581dd380468949b54576fad2a6 |
| SHA512 | 3ed8f2090497597d4e2583901993331de19f9dc787ea886dabdaf22a79aefa2956e63501c9a50be34fabf7287b6751f50d9a5105e4f16a579961ebc0d6eff14e |
C:\Users\Admin\AppData\Local\Temp\nso514D.tmp\7z-out\locales\tr.pak
| MD5 | 1525dd38ca529c56f9d3e08293385690 |
| SHA1 | e0dfb9d60a3469d701dcb9ead8f8cd2cfe6fd604 |
| SHA256 | 5a7e1c8b572f67ed40e9d5107ddd6f8791b03138bb9933cfb26f1678b2c4a9cd |
| SHA512 | 195ffc165e45a51c12b03252759c5e1ff684e57b5994aeca608d40ef6799f29812add6fb2479e8e8c1655799f4dbf29e47272324b857b9161ad43a1b271eddfd |
C:\Users\Admin\AppData\Local\Temp\nso514D.tmp\7z-out\locales\th.pak
| MD5 | f9ff2275865f2cdebb9b0d19d4fb57a1 |
| SHA1 | e83c6c8e0005bf34771af3f1c0c9d8ebaa822f95 |
| SHA256 | 3d4556bc0f26b89d090a8a779a8fda8f6fbe157a23181cbfb1d6c67a6212b864 |
| SHA512 | 96f596bb564e62bbafe62774fba1cefa644feff47a331e54cd7dc9b85b29f2a2e8e785e85d90cccc27f9a1c735b0a8c6dbe01fa244601f1359194f64a49ee6d0 |
C:\Users\Admin\AppData\Local\Temp\nso514D.tmp\7z-out\locales\te.pak
| MD5 | 41e49a1ef6850d90e0cbdc720c45ea5a |
| SHA1 | a2fbe1585a1b653ac6acccaf6184ae2de3e007af |
| SHA256 | aa2b9d1ad8591e91872c3fee62b111b74d6e7e890a47d0bcc388947ae5245290 |
| SHA512 | 687ff66471248104f8780f142e1810ccc7275857e4bd188447d01cecbe74ebac4070ab135d4a7111bc5f4ae17247dd865f21a2d3e73031534dac1f5117bc4570 |
C:\Users\Admin\AppData\Local\Temp\nso514D.tmp\7z-out\locales\ta.pak
| MD5 | 292f763cb8eb588659eb7cc25cf57d2e |
| SHA1 | dc42622f272843cb3afce9968146b85a98485237 |
| SHA256 | d5bfe0699342b8bba6c4c73c115b1c7f3f903c4ed95d77461c34369f2f60d5ee |
| SHA512 | 100ec32914f0d140baa414180cb2ba34e95f75ab73a0c036d6d5ebb64cc69b2b7c62b9e3f9de192bab8ddac3b387b953bed2ca1fd3bf0aab0198b9c1f2911151 |
C:\Users\Admin\AppData\Local\Temp\nso514D.tmp\7z-out\locales\sw.pak
| MD5 | 67a443a5c2eaad32625edb5f8deb7852 |
| SHA1 | a6137841e8e7736c5ede1d0dc0ce3a44dc41013f |
| SHA256 | 41dfb772ae4c6f9e879bf7b4fa776b2877a2f8740fa747031b3d6f57f34d81dd |
| SHA512 | e0fdff1c3c834d8af8634f43c2f16ba5b883a8d88dfd322593a13830047568faf9f41d0bf73cd59e2e33c38fa58998d4702d2b0c21666717a86945d18b3f29e5 |
C:\Users\Admin\AppData\Local\Temp\nso514D.tmp\7z-out\locales\sr.pak
| MD5 | c68c235d8e696c098cf66191e648196b |
| SHA1 | 5c967fbbd90403a755d6c4b2411e359884dc8317 |
| SHA256 | ab96a18177af90495e2e3c96292638a775aa75c1d210ca6a6c18fbc284cd815b |
| SHA512 | 34d14d8cb851df1ea8cd3cc7e9690eaf965d8941cfcac1c946606115ad889630156c5ff47011b27c1288f8df70e8a7dc41909a9fa98d75b691742ec1d1a5e653 |
C:\Users\Admin\AppData\Local\Temp\nso514D.tmp\7z-out\locales\sv.pak
| MD5 | 251682c6f4238bef8ab5471870a5454b |
| SHA1 | 2bf36466446abe39d487c61898d335901bbb09b0 |
| SHA256 | e1cbce672de3ba3a01272b9b763dcfd8229fba0883df2b4117ac6b0f9916c073 |
| SHA512 | de1e507b24e71f60c298253aacff49724b6a8c6336455d8dfcc6e939e53ed5e7a95dc5574e66a7fae38b6666446ac9cd83e5ad1b794b4ffa38d06052663c1f45 |
C:\Users\Admin\AppData\Local\Temp\nso514D.tmp\StdUtils.dll
| MD5 | c6a6e03f77c313b267498515488c5740 |
| SHA1 | 3d49fc2784b9450962ed6b82b46e9c3c957d7c15 |
| SHA256 | b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e |
| SHA512 | 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803 |
C:\Users\Admin\AppData\Local\Temp\nso514D.tmp\7z-out\resources\elevate.exe
| MD5 | 792b92c8ad13c46f27c7ced0810694df |
| SHA1 | d8d449b92de20a57df722df46435ba4553ecc802 |
| SHA256 | 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37 |
| SHA512 | 6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40 |
C:\Users\Admin\AppData\Local\Temp\ba4a71d1-ef69-40ed-88e5-02a35d12c361.tmp.node
| MD5 | aa8da32ebca307d4f99cf2da290afd22 |
| SHA1 | 8590c0b54987ad6b0bc15a1aa66b9d2ca65ca899 |
| SHA256 | ed3a86d32e83849720e150c18c4d19c90cabe912d674624f34051c19936167db |
| SHA512 | d7809a39922d99a716744e6cc17e4094930c40a8a21c983830c3570c4e52846151d66ad5d6021bc2a5b5fd29f520465b7b88f71cb86c30e0fadc4d0fb21ee1d7 |
C:\Users\Admin\AppData\Local\Temp\11d604c6-a732-41dc-8404-e950e1c85699.tmp.node
| MD5 | 04bfbfec8db966420fe4c7b85ebb506a |
| SHA1 | 939bb742a354a92e1dcd3661a62d69e48030a335 |
| SHA256 | da2172ce055fa47d6a0ea1c90654f530abed33f69a74d52fab06c4c7653b48fd |
| SHA512 | 4ea97a9a120ed5bee8638e0a69561c2159fc3769062d7102167b0e92b4f1a5c002a761bd104282425f6cee8d0e39dbe7e12ad4e4a38570c3f90f31b65072dd65 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tsgitnyh.qgn.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2264-571-0x000002CA633A0000-0x000002CA633C2000-memory.dmp
memory/2264-572-0x000002CA637C0000-0x000002CA63810000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | f8ef71de8a058589f023601625143604 |
| SHA1 | f4e88e4477a2322b29211a2f44b412b4a874d251 |
| SHA256 | 1979cebd3a675d08c1b15f72a30351577556c0772754d69c7a8e8624b88d101b |
| SHA512 | 669120c84787bbf1a56da47151fed90e171f14aa1339de29d8c24a6d1970be1b3f6d3626c5024d741a1c8fb90b0308af01bfd196990670f10be5416d803d9355 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | f7be26a232f2a7512b4bb4d7c3ac78b3 |
| SHA1 | e1bbdbee2da176c587dbff6a34ad0bf1bd9dd70a |
| SHA256 | ca4833bbf5cb7f7f1b11f8a19e2587ce559defbf19d3d3a5d508066dedb702db |
| SHA512 | bb0076266579882591b12d6d6c6c21f7e40915008520d41b2b1f7ee7dda9dbd4454594bef620b0a5704f2b68b89b24ab1469fb77309b49c1e71bc808abb396be |
C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\xx_lol\Browser.zip
| MD5 | 76cdb2bad9582d23c1f6f4d868218d6c |
| SHA1 | b04f3ee8f5e43fa3b162981b50bb72fe1acabb33 |
| SHA256 | 8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85 |
| SHA512 | 5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f |
memory/4532-606-0x000001401D430000-0x000001401D431000-memory.dmp
memory/4532-608-0x000001401D430000-0x000001401D431000-memory.dmp
memory/4532-607-0x000001401D430000-0x000001401D431000-memory.dmp
memory/4532-614-0x000001401D430000-0x000001401D431000-memory.dmp
memory/4532-618-0x000001401D430000-0x000001401D431000-memory.dmp
memory/4532-617-0x000001401D430000-0x000001401D431000-memory.dmp
memory/4532-616-0x000001401D430000-0x000001401D431000-memory.dmp
memory/4532-615-0x000001401D430000-0x000001401D431000-memory.dmp
memory/4532-613-0x000001401D430000-0x000001401D431000-memory.dmp
memory/4532-612-0x000001401D430000-0x000001401D431000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-11 06:18
Reported
2024-06-11 06:23
Platform
win10v2004-20240426-en
Max time kernel
62s
Max time network
65s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 460 wrote to memory of 1344 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 460 wrote to memory of 1344 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 460 wrote to memory of 1344 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1344 -ip 1344
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 612
Network