Malware Analysis Report

2024-11-30 06:01

Sample ID 240613-cfdk1azhkb
Target Vanta-Loader.exe
SHA256 fe3e8b0fb23d7889d8e1cf58ddec37d255393ccfb6017f27032604e53aa1b3c8
Tags
spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral32

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral29

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral31

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral30

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

fe3e8b0fb23d7889d8e1cf58ddec37d255393ccfb6017f27032604e53aa1b3c8

Threat Level: Shows suspicious behavior

The file Vanta-Loader.exe was found to be: Shows suspicious behavior.

Malicious Activity Summary

spyware stealer

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Drops startup file

Legitimate hosting services abused for malware hosting/C2

An obfuscated cmd.exe command-line is typically used to evade detection.

Unsigned PE

Program crash

Enumerates physical storage devices

Enumerates processes with tasklist

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Opens file in notepad (likely ransom note)

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 02:02

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-13 02:00

Reported

2024-06-13 02:06

Platform

win11-20240611-en

Max time kernel

87s

Max time network

95s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app-64.7z

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app-64.7z

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-13 02:00

Reported

2024-06-13 02:06

Platform

win11-20240611-en

Max time kernel

149s

Max time network

157s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\LICENSE.electron.txt

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4308 wrote to memory of 3884 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\NOTEPAD.EXE
PID 4308 wrote to memory of 3884 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\NOTEPAD.EXE

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\LICENSE.electron.txt

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\LICENSE.electron.txt

Network

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-13 02:00

Reported

2024-06-13 02:05

Platform

win11-20240508-en

Max time kernel

127s

Max time network

142s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\de.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\de.pak

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-06-13 02:00

Reported

2024-06-13 02:06

Platform

win11-20240508-en

Max time kernel

140s

Max time network

158s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\en-GB.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\en-GB.pak

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-06-13 02:00

Reported

2024-06-13 02:06

Platform

win11-20240508-en

Max time kernel

126s

Max time network

147s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\fil.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\fil.pak

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-06-13 02:00

Reported

2024-06-13 02:06

Platform

win11-20240419-en

Max time kernel

124s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe

"C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-06-13 02:00

Reported

2024-06-13 02:06

Platform

win11-20240611-en

Max time kernel

89s

Max time network

96s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1572 wrote to memory of 4324 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1572 wrote to memory of 4324 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1572 wrote to memory of 4324 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4324 -ip 4324

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 468

Network

Country Destination Domain Proto
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-13 02:00

Reported

2024-06-13 02:06

Platform

win11-20240611-en

Max time kernel

149s

Max time network

159s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\cs.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\cs.pak

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 52.111.227.14:443 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-06-13 02:00

Reported

2024-06-13 02:06

Platform

win11-20240611-en

Max time kernel

87s

Max time network

101s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\en-US.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\en-US.pak

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
NL 52.111.243.29:443 tcp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-13 02:00

Reported

2024-06-13 02:06

Platform

win11-20240419-en

Max time kernel

140s

Max time network

163s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\chrome_200_percent.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\chrome_200_percent.pak

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-13 02:00

Reported

2024-06-13 02:06

Platform

win11-20240611-en

Max time kernel

86s

Max time network

98s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\ar.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\ar.pak

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-06-13 02:00

Reported

2024-06-13 02:06

Platform

win11-20240611-en

Max time kernel

87s

Max time network

98s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\et.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\et.pak

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-06-13 02:00

Reported

2024-06-13 02:06

Platform

win11-20240611-en

Max time kernel

151s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A

An obfuscated cmd.exe command-line is typically used to evade detection.

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 940 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Windows\system32\cmd.exe
PID 940 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Windows\system32\cmd.exe
PID 2904 wrote to memory of 2864 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2904 wrote to memory of 2864 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 940 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
PID 940 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
PID 940 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
PID 940 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
PID 940 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
PID 940 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
PID 940 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
PID 940 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
PID 940 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
PID 940 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
PID 940 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
PID 940 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
PID 940 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
PID 940 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
PID 940 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
PID 940 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
PID 940 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
PID 940 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
PID 940 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
PID 940 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
PID 940 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
PID 940 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
PID 940 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
PID 940 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
PID 940 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
PID 940 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
PID 940 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
PID 940 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
PID 940 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
PID 940 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
PID 940 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
PID 940 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
PID 940 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
PID 940 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Windows\system32\cmd.exe
PID 940 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Windows\system32\cmd.exe
PID 1696 wrote to memory of 4500 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1696 wrote to memory of 4500 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 940 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Windows\system32\cmd.exe
PID 940 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Windows\system32\cmd.exe
PID 2192 wrote to memory of 3168 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2192 wrote to memory of 3168 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 940 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
PID 940 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe

Processes

C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe

"C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe

"C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\runtimebroker" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1672 --field-trial-handle=1828,i,1340217184836135925,12216280741845008325,131072 --disable-features=BlinkSchedulerMicroTaskQueuePerWindowAgent,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe

"C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\runtimebroker" --mojo-platform-channel-handle=2028 --field-trial-handle=1828,i,1340217184836135925,12216280741845008325,131072 --disable-features=BlinkSchedulerMicroTaskQueuePerWindowAgent,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,146,65,25,200,6,171,163,71,189,215,230,101,88,154,217,146,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,198,182,24,250,108,21,253,21,222,158,198,220,20,220,251,104,58,74,38,184,12,92,171,8,223,12,123,23,63,159,135,109,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,240,242,219,218,239,77,97,162,76,24,83,139,213,113,126,161,149,193,20,1,88,193,165,73,159,54,146,160,175,231,99,174,48,0,0,0,230,100,231,112,18,238,102,145,69,226,26,139,253,127,81,235,160,81,42,71,125,158,198,49,137,62,230,132,7,107,127,192,75,41,218,120,154,11,122,7,229,180,208,146,197,231,143,26,64,0,0,0,68,198,247,104,35,222,11,172,153,104,11,33,254,192,216,45,254,124,90,47,216,120,98,161,68,197,224,131,137,252,152,112,9,63,129,246,95,41,15,153,173,59,228,29,101,64,222,61,230,204,29,49,229,237,60,231,183,100,160,182,230,48,145,236), $null, 'CurrentUser')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,146,65,25,200,6,171,163,71,189,215,230,101,88,154,217,146,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,198,182,24,250,108,21,253,21,222,158,198,220,20,220,251,104,58,74,38,184,12,92,171,8,223,12,123,23,63,159,135,109,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,240,242,219,218,239,77,97,162,76,24,83,139,213,113,126,161,149,193,20,1,88,193,165,73,159,54,146,160,175,231,99,174,48,0,0,0,230,100,231,112,18,238,102,145,69,226,26,139,253,127,81,235,160,81,42,71,125,158,198,49,137,62,230,132,7,107,127,192,75,41,218,120,154,11,122,7,229,180,208,146,197,231,143,26,64,0,0,0,68,198,247,104,35,222,11,172,153,104,11,33,254,192,216,45,254,124,90,47,216,120,98,161,68,197,224,131,137,252,152,112,9,63,129,246,95,41,15,153,173,59,228,29,101,64,222,61,230,204,29,49,229,237,60,231,183,100,160,182,230,48,145,236), $null, 'CurrentUser')

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,146,65,25,200,6,171,163,71,189,215,230,101,88,154,217,146,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,146,45,164,151,1,68,153,111,78,190,135,88,178,207,184,45,202,134,99,66,178,89,185,160,133,228,207,57,63,75,68,173,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,225,26,152,254,139,197,64,242,25,115,254,179,78,102,185,236,218,233,23,214,205,57,172,72,22,194,246,254,68,65,101,37,48,0,0,0,121,163,137,78,181,250,59,152,249,81,216,155,122,56,178,157,235,32,93,223,160,59,250,160,99,12,44,63,142,209,67,193,100,71,209,46,1,238,73,26,153,129,83,216,214,27,143,140,64,0,0,0,25,105,35,50,57,213,250,45,161,229,18,117,220,66,205,207,50,182,44,52,255,233,86,211,12,166,38,41,149,48,108,33,108,3,224,173,15,237,70,196,10,35,251,91,241,36,84,184,182,220,111,233,81,120,139,205,210,69,53,145,38,189,195,89), $null, 'CurrentUser')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,146,65,25,200,6,171,163,71,189,215,230,101,88,154,217,146,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,146,45,164,151,1,68,153,111,78,190,135,88,178,207,184,45,202,134,99,66,178,89,185,160,133,228,207,57,63,75,68,173,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,225,26,152,254,139,197,64,242,25,115,254,179,78,102,185,236,218,233,23,214,205,57,172,72,22,194,246,254,68,65,101,37,48,0,0,0,121,163,137,78,181,250,59,152,249,81,216,155,122,56,178,157,235,32,93,223,160,59,250,160,99,12,44,63,142,209,67,193,100,71,209,46,1,238,73,26,153,129,83,216,214,27,143,140,64,0,0,0,25,105,35,50,57,213,250,45,161,229,18,117,220,66,205,207,50,182,44,52,255,233,86,211,12,166,38,41,149,48,108,33,108,3,224,173,15,237,70,196,10,35,251,91,241,36,84,184,182,220,111,233,81,120,139,205,210,69,53,145,38,189,195,89), $null, 'CurrentUser')

C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe

"C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --user-data-dir="C:\Users\Admin\AppData\Roaming\runtimebroker" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2472 --field-trial-handle=1828,i,1340217184836135925,12216280741845008325,131072 --disable-features=BlinkSchedulerMicroTaskQueuePerWindowAgent,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.gofile.io udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.4.4:443 dns.google tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
FR 51.178.66.33:443 api.gofile.io tcp
US 8.8.8.8:53 33.66.178.51.in-addr.arpa udp
US 8.8.8.8:53 store8.gofile.io udp
US 206.168.191.31:443 store8.gofile.io tcp
FR 51.178.66.33:443 api.gofile.io tcp
US 206.168.190.239:443 store9.gofile.io tcp
US 8.8.8.8:53 239.190.168.206.in-addr.arpa udp
FR 51.178.66.33:443 api.gofile.io tcp
US 206.168.190.239:443 store9.gofile.io tcp
FR 51.178.66.33:443 api.gofile.io tcp
US 206.168.191.31:443 store8.gofile.io tcp
FR 51.178.66.33:443 api.gofile.io tcp
US 162.159.137.232:443 discord.com tcp
FR 31.14.70.252:443 store10.gofile.io tcp
FR 51.178.66.33:443 api.gofile.io tcp
FR 31.14.70.245:443 store4.gofile.io tcp
FR 51.178.66.33:443 api.gofile.io tcp
US 8.8.8.8:53 245.70.14.31.in-addr.arpa udp
FR 45.112.123.227:443 store1.gofile.io tcp
FR 51.178.66.33:443 api.gofile.io tcp
US 206.168.190.239:443 store9.gofile.io tcp
US 162.159.137.232:443 discord.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\7028451f-edfa-4156-818c-df812df8fb38.tmp.node

MD5 aa8da32ebca307d4f99cf2da290afd22
SHA1 8590c0b54987ad6b0bc15a1aa66b9d2ca65ca899
SHA256 ed3a86d32e83849720e150c18c4d19c90cabe912d674624f34051c19936167db
SHA512 d7809a39922d99a716744e6cc17e4094930c40a8a21c983830c3570c4e52846151d66ad5d6021bc2a5b5fd29f520465b7b88f71cb86c30e0fadc4d0fb21ee1d7

C:\Users\Admin\AppData\Local\Temp\222a3b85-47f2-45f0-8f84-6951b0ea8cfd.tmp.node

MD5 04bfbfec8db966420fe4c7b85ebb506a
SHA1 939bb742a354a92e1dcd3661a62d69e48030a335
SHA256 da2172ce055fa47d6a0ea1c90654f530abed33f69a74d52fab06c4c7653b48fd
SHA512 4ea97a9a120ed5bee8638e0a69561c2159fc3769062d7102167b0e92b4f1a5c002a761bd104282425f6cee8d0e39dbe7e12ad4e4a38570c3f90f31b65072dd65

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wxsgibfb.nyc.psm1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4500-16-0x000001B07F910000-0x000001B07F932000-memory.dmp

memory/4500-20-0x000001B07FD40000-0x000001B07FD90000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 f69f145ee494b2d67c5d50108c862d4a
SHA1 68f36b9bd553beb2a7eec5f4a8fef317703c77e1
SHA256 06dd71fdfda7e319131bf98bd21dc6bee9a480736ab688e52bafe10074f00fc7
SHA512 302489f1e2676d83cf9cf92d378176a230f15975af12e2a2a50d9c057f4de0fc2c22f68a9390f5b337eaa10ea77366a1a79e71808de1e7a7c4e6432aeb75c530

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 df739ecbffb92fdaa51ac0793434acaf
SHA1 fdbb8742670c2db6b00d45ce5bd8c19bf17536ac
SHA256 eaa1143dd26a969e19beb89528d057f6af4d344fe540820b81f1036b2c0fcbfc
SHA512 5a8ea65354e14fbf9011bb0e4cc1625bc245acc3fd893970cf0f64f1625d4c182518fbf679365ce9dfbdbbecf1b48e9004010da6ea4b5fce098532f1fb39daf7

C:\Users\Admin\AppData\Local\Temp\xx_lol\Browser.zip

MD5 2b761fe533bc9f2d8eca41b77bd56599
SHA1 2032e8abbe478db822560dd67ed70f87f04b28d7
SHA256 3fa088555c8082587cf8f8f1a1bb92926ad6cd297b7082346364d3f1b0409663
SHA512 94a7062240d112836266fc77e2884fea3e2034fca9ad6613083c1cfe3e24f77baad259ee09b8c3c614d3684911fdcd9dc83517dd175f0979d2770521eb06fd36

C:\Users\Admin\AppData\Local\Temp\xx_lol\Browser.zip

MD5 cfd2a5ad79633beaf1737a3b9684aed6
SHA1 f0347200dfec18e24518d30dfc97820614aa73d6
SHA256 ed13c6362986d058e0cce9c7458e89c44445880c6160f5a188e73d59c1c9acb4
SHA512 b707e540679e87cfbfa4118245fbc987767ef33670e06cb60953afe669d398dedea7679e266010d1d42e4f1b36c84c9d17892fa6744972de7fbd4a0a9bef3c57

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\webdata.db

MD5 44b8968160e811f5c8a611da10b4318f
SHA1 1e8253f96d24d3c912bc6b0a7bab3ca4083a133b
SHA256 0d91bba8f093e2e3f51afb1a9e150c2c320a44106e06cbe72c83809211703444
SHA512 c14263aad4e132d6a9f984fe8daa8fadbe62804690041fe3a88c00b6f540fa3df559d46506c5c3310231e4a29b17d8dbc83640192f93946c33794e646ffdb40a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\webdata.db

MD5 87210e9e528a4ddb09c6b671937c79c6
SHA1 3c75314714619f5b55e25769e0985d497f0062f2
SHA256 eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1
SHA512 f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0

memory/1820-102-0x000001D6E4860000-0x000001D6E4861000-memory.dmp

memory/1820-104-0x000001D6E4860000-0x000001D6E4861000-memory.dmp

memory/1820-103-0x000001D6E4860000-0x000001D6E4861000-memory.dmp

memory/1820-109-0x000001D6E4860000-0x000001D6E4861000-memory.dmp

memory/1820-114-0x000001D6E4860000-0x000001D6E4861000-memory.dmp

memory/1820-113-0x000001D6E4860000-0x000001D6E4861000-memory.dmp

memory/1820-112-0x000001D6E4860000-0x000001D6E4861000-memory.dmp

memory/1820-111-0x000001D6E4860000-0x000001D6E4861000-memory.dmp

memory/1820-110-0x000001D6E4860000-0x000001D6E4861000-memory.dmp

memory/1820-108-0x000001D6E4860000-0x000001D6E4861000-memory.dmp

Analysis: behavioral31

Detonation Overview

Submitted

2024-06-13 02:00

Reported

2024-06-13 02:06

Platform

win11-20240508-en

Max time kernel

141s

Max time network

159s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vulkan-1.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vulkan-1.dll,#1

Network

Country Destination Domain Proto
US 52.111.229.19:443 tcp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-13 02:00

Reported

2024-06-13 02:06

Platform

win11-20240611-en

Max time kernel

83s

Max time network

95s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\af.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\af.pak

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-13 02:00

Reported

2024-06-13 02:06

Platform

win11-20240508-en

Max time kernel

140s

Max time network

160s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\am.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\am.pak

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-13 02:00

Reported

2024-06-13 02:06

Platform

win11-20240611-en

Max time kernel

143s

Max time network

158s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\bn.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\bn.pak

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 8.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-13 02:00

Reported

2024-06-13 02:06

Platform

win11-20240508-en

Max time kernel

141s

Max time network

157s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\da.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\da.pak

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-06-13 02:00

Reported

2024-06-13 02:06

Platform

win11-20240611-en

Max time kernel

24s

Max time network

122s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\fi.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\fi.pak

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-06-13 02:00

Reported

2024-06-13 02:06

Platform

win11-20240508-en

Max time kernel

140s

Max time network

161s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\fr.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\fr.pak

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 52.111.229.19:443 tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-13 02:00

Reported

2024-06-13 02:06

Platform

win11-20240611-en

Max time kernel

132s

Max time network

144s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1356 wrote to memory of 1480 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1356 wrote to memory of 1480 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1356 wrote to memory of 1480 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1480 -ip 1480

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 460

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-13 02:00

Reported

2024-06-13 02:06

Platform

win11-20240508-en

Max time kernel

123s

Max time network

144s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\ca.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\ca.pak

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-13 02:00

Reported

2024-06-13 02:06

Platform

win11-20240508-en

Max time kernel

109s

Max time network

130s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\chrome_100_percent.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\chrome_100_percent.pak

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 52.111.227.14:443 tcp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-06-13 02:00

Reported

2024-06-13 02:06

Platform

win11-20240508-en

Max time kernel

141s

Max time network

160s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\es-419.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\es-419.pak

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 02:00

Reported

2024-06-13 02:06

Platform

win11-20240508-en

Max time kernel

150s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Vanta-Loader.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A

Reads user/profile data of web browsers

spyware stealer

An obfuscated cmd.exe command-line is typically used to evade detection.

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A

Enumerates physical storage devices

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Vanta-Loader.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4372 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\Vanta-Loader.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
PID 4372 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\Vanta-Loader.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
PID 1652 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Windows\system32\cmd.exe
PID 1652 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Windows\system32\cmd.exe
PID 1360 wrote to memory of 4908 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1360 wrote to memory of 4908 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1652 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
PID 1652 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
PID 1652 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
PID 1652 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
PID 1652 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
PID 1652 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
PID 1652 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
PID 1652 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
PID 1652 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
PID 1652 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
PID 1652 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
PID 1652 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
PID 1652 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
PID 1652 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
PID 1652 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
PID 1652 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
PID 1652 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
PID 1652 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
PID 1652 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
PID 1652 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
PID 1652 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
PID 1652 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
PID 1652 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
PID 1652 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
PID 1652 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
PID 1652 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
PID 1652 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
PID 1652 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
PID 1652 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
PID 1652 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
PID 1652 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
PID 1652 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
PID 1652 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
PID 1652 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Windows\system32\cmd.exe
PID 1652 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Windows\system32\cmd.exe
PID 1848 wrote to memory of 3768 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1848 wrote to memory of 3768 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1652 wrote to memory of 3280 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Windows\system32\cmd.exe
PID 1652 wrote to memory of 3280 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Windows\system32\cmd.exe
PID 3280 wrote to memory of 4676 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3280 wrote to memory of 4676 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1652 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
PID 1652 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Vanta-Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Vanta-Loader.exe"

C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe

C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe

"C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\runtimebroker" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1580 --field-trial-handle=1816,i,18007302280071036167,2876125629520911356,131072 --disable-features=BlinkSchedulerMicroTaskQueuePerWindowAgent,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe

"C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\runtimebroker" --mojo-platform-channel-handle=2028 --field-trial-handle=1816,i,18007302280071036167,2876125629520911356,131072 --disable-features=BlinkSchedulerMicroTaskQueuePerWindowAgent,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,189,199,101,39,143,219,102,72,176,113,22,99,239,18,130,233,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,156,145,177,22,49,87,182,246,181,239,136,151,196,194,222,150,156,83,117,13,197,27,239,204,239,4,239,124,182,130,186,59,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,39,70,119,208,213,67,152,61,239,184,191,77,72,18,165,228,117,148,72,4,73,222,1,177,125,201,26,198,36,143,215,63,48,0,0,0,234,75,24,187,54,18,74,138,222,45,103,111,194,148,182,185,193,201,14,160,45,72,22,66,207,12,223,36,170,254,248,29,130,76,62,60,194,135,72,135,123,188,161,161,230,199,157,59,64,0,0,0,96,23,145,250,147,31,1,128,61,138,215,90,139,172,122,33,156,152,240,61,210,151,12,32,118,17,130,25,142,234,25,177,44,180,238,127,225,24,209,92,91,129,162,84,33,154,45,4,63,167,227,152,143,48,38,72,34,11,254,65,42,233,205,152), $null, 'CurrentUser')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,189,199,101,39,143,219,102,72,176,113,22,99,239,18,130,233,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,156,145,177,22,49,87,182,246,181,239,136,151,196,194,222,150,156,83,117,13,197,27,239,204,239,4,239,124,182,130,186,59,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,39,70,119,208,213,67,152,61,239,184,191,77,72,18,165,228,117,148,72,4,73,222,1,177,125,201,26,198,36,143,215,63,48,0,0,0,234,75,24,187,54,18,74,138,222,45,103,111,194,148,182,185,193,201,14,160,45,72,22,66,207,12,223,36,170,254,248,29,130,76,62,60,194,135,72,135,123,188,161,161,230,199,157,59,64,0,0,0,96,23,145,250,147,31,1,128,61,138,215,90,139,172,122,33,156,152,240,61,210,151,12,32,118,17,130,25,142,234,25,177,44,180,238,127,225,24,209,92,91,129,162,84,33,154,45,4,63,167,227,152,143,48,38,72,34,11,254,65,42,233,205,152), $null, 'CurrentUser')

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,189,199,101,39,143,219,102,72,176,113,22,99,239,18,130,233,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,228,10,115,103,22,183,210,38,40,50,13,146,95,130,70,82,117,210,39,116,255,113,254,200,204,180,155,254,218,120,238,92,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,14,211,90,143,79,233,109,49,253,39,186,10,211,190,41,141,28,209,159,136,34,170,181,204,135,232,48,84,233,38,237,148,48,0,0,0,4,116,76,23,118,185,38,240,36,181,38,222,22,198,80,248,253,57,90,197,154,222,5,91,192,208,90,235,183,154,85,142,157,163,92,175,82,247,64,11,135,116,153,33,127,226,24,116,64,0,0,0,218,205,69,72,34,222,225,189,121,165,103,7,73,192,7,120,240,245,68,200,29,84,225,60,12,33,248,33,247,195,91,195,136,46,221,183,208,234,58,247,1,219,195,58,69,188,121,59,114,40,186,129,248,81,86,56,241,79,159,219,41,32,41,19), $null, 'CurrentUser')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,189,199,101,39,143,219,102,72,176,113,22,99,239,18,130,233,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,228,10,115,103,22,183,210,38,40,50,13,146,95,130,70,82,117,210,39,116,255,113,254,200,204,180,155,254,218,120,238,92,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,14,211,90,143,79,233,109,49,253,39,186,10,211,190,41,141,28,209,159,136,34,170,181,204,135,232,48,84,233,38,237,148,48,0,0,0,4,116,76,23,118,185,38,240,36,181,38,222,22,198,80,248,253,57,90,197,154,222,5,91,192,208,90,235,183,154,85,142,157,163,92,175,82,247,64,11,135,116,153,33,127,226,24,116,64,0,0,0,218,205,69,72,34,222,225,189,121,165,103,7,73,192,7,120,240,245,68,200,29,84,225,60,12,33,248,33,247,195,91,195,136,46,221,183,208,234,58,247,1,219,195,58,69,188,121,59,114,40,186,129,248,81,86,56,241,79,159,219,41,32,41,19), $null, 'CurrentUser')

C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe

"C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --user-data-dir="C:\Users\Admin\AppData\Roaming\runtimebroker" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1832 --field-trial-handle=1816,i,18007302280071036167,2876125629520911356,131072 --disable-features=BlinkSchedulerMicroTaskQueuePerWindowAgent,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.gofile.io udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 api.gofile.io udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
IE 52.111.236.22:443 tcp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp

Files

C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\nsis7z.dll

MD5 80e44ce4895304c6a3a831310fbf8cd0
SHA1 36bd49ae21c460be5753a904b4501f1abca53508
SHA256 b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592
SHA512 c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\chrome_100_percent.pak

MD5 8626e1d68e87f86c5b4dabdf66591913
SHA1 4cd7b0ac0d3f72587708064a7b0a3beca3f7b81c
SHA256 2caa1da9b6a6e87bdb673977fee5dd771591a1b6ed5d3c5f14b024130a5d1a59
SHA512 03bcd8562482009060f249d6a0dd7382fc94d669a2094dec08e8d119be51bef2c3b7b484bb5b7f805ae98e372dab9383a2c11a63ab0f5644146556b1bb9a4c99

C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\chrome_200_percent.pak

MD5 48515d600258d60019c6b9c6421f79f6
SHA1 0ef0b44641d38327a360aa6954b3b6e5aab2af16
SHA256 07bee34e189fe9a8789aed78ea59ad41414b6e611e7d74da62f8e6ca36af01ce
SHA512 b7266bc8abc55bd389f594dac0c0641ecf07703f35d769b87e731b5fdf4353316d44f3782a4329b3f0e260dead6b114426ddb1b0fb8cd4a51e0b90635f1191d9

C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\ffmpeg.dll

MD5 6418dfc9980cc0416a327961dacd41df
SHA1 2e32ab8ea0059606dfe66e978c271e0852406215
SHA256 04bd8ee92194f076686eab2a94a119629b6d61e554782a0d4520359f1ceb24a9
SHA512 d3e98fe91bfa4f7b9363d8fbb6997f20f76a638bcb5345d9280f919a4bf13dfa02d190534d1965eccd95f2300f6b4d29b6eaec5d544e5428377d1e26daf501a1

C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\LICENSE.electron.txt

MD5 4d42118d35941e0f664dddbd83f633c5
SHA1 2b21ec5f20fe961d15f2b58efb1368e66d202e5c
SHA256 5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d
SHA512 3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63

C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\libGLESv2.dll

MD5 ad3edee84b49923e4847119eb4d6c6b7
SHA1 8649be26571d3fa645c416f36c1bdc0b27f1d478
SHA256 51c9f2e9aecf5745ad343185cd39a05f581c2062d644bedcb25a5ef4b9624591
SHA512 e504996b8371f294fa8a5173da48256e9070156249bdd7431e3adeacbd99f7cf39dc3c0876c4aa11da8d1932147cfaff91764c517a70d69d8c8e4876abbeea56

C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\libEGL.dll

MD5 13318cb90b385fb918ba6e07f1fd8d83
SHA1 899985a7608268893c7fc1c9810568bdd8294b81
SHA256 53a2d4c5ae582f15aad481e75e516ddabce9b756e553bed33720a66d2c5f736d
SHA512 b5418f6bd2ab883dc1ef4d9f2c0a976296d06fe1309c6db7331a3470f198505561cabd41ecd05e675b90076196b4f82e8a9ef0574cfe96869bfb24d07cc82450

C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\icudtl.dat

MD5 2c367970ac87a9275eeec5629bb6fc3d
SHA1 399324d1aeee5e74747a6873501a1ee5aac005ee
SHA256 17d57b17d12dc5cfbf06413d68a06f45ccf245f4abdf5429f30256977c4ed6de
SHA512 f788a0d35f9e4bebe641ee67fff14968b62891f52d05bf638cd2c845df87f2e107c42a32bbe62f389f05e5673fe55cbdb85258571e698325400705cd7b16db01

C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\d3dcompiler_47.dll

MD5 cb9807f6cf55ad799e920b7e0f97df99
SHA1 bb76012ded5acd103adad49436612d073d159b29
SHA256 5653bc7b0e2701561464ef36602ff6171c96bffe96e4c3597359cd7addcba88a
SHA512 f7c65bae4ede13616330ae46a197ebad106920dce6a31fd5a658da29ed1473234ca9e2b39cc9833ff903fb6b52ff19e39e6397fac02f005823ed366ca7a34f62

C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\LICENSES.chromium.html

MD5 c3528648bedbde1223a2faab1a3f9af3
SHA1 934d3c8f184258338ff380964ed89053ce69ac5b
SHA256 57b8e5a3f2cd62805001aefca035c7348b4d1abac157e6df3d798bb31f2ec3d2
SHA512 3e3cc0fd7a55f67ee0afff9696beef33bdc9524375bbe9d8e8f7660fd408c756c1156ca0b02ecccdc22799c7b8e74dbde012732ad6b3ebe0a3cfc54ff5132b35

C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\resources.pak

MD5 9d000106fc3192e4c3d47031cf450131
SHA1 814c455baba7dd4d9354ed061522fc4caad3e7b4
SHA256 d0e884b68e2b79162e88b5d4a593c3bb4a7c60c5c62f4e3cc69a346727e6f7eb
SHA512 b19e926fc5223375685854a0b26a04efdcd8128e44b3b56f3ed2cccb860b9069ff6e49dbae053a4287f12de6796643021a316baaf3f8505f5574171d8c6cf885

C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\v8_context_snapshot.bin

MD5 4d89b46abac43cfaec5c80ab2f735e15
SHA1 8985d96af0017b78c9b3791ea2ead72f3e32c844
SHA256 4f69d3512c141d88a6137b08a1da04ab80d8e685bd5e9378865d6de828f0cb5a
SHA512 477a676586b066813f1d469be6891b2cbd9575528d4279fd7da34f359057ee6025f82ce31c57a9e90658d52fd2e94779bd5a8a9c3d8f2283874450f4285da3bb

C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\snapshot_blob.bin

MD5 ac47bd259a01da6c51f750ea210b52bf
SHA1 d6682fc4a07ff2313bc8428137f533e8947692a3
SHA256 e87fb952df8e36a5461f328c37afd701f20c427810824e9541709cccb87c22b3
SHA512 9bbd6e39597181da2cdaa0e3b4569e0a7a67b44f37be20b0bbe7cb6323501835427ce84044203c66c98b98fcf4e8e356e983be0e085f3020df93022d9c7e0135

C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\vk_swiftshader_icd.json

MD5 8642dd3a87e2de6e991fae08458e302b
SHA1 9c06735c31cec00600fd763a92f8112d085bd12a
SHA256 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9
SHA512 f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\vk_swiftshader.dll

MD5 30d193f1976035cebec2c2d8f071c556
SHA1 97b1d811743f03e888c22d975c9eb77ba92142b9
SHA256 600e158b7d7fb95eb63552da1ae8159a6eb9bb04ff6341d11db2d10bd6c30c8e
SHA512 4eb6ec91fb060f67ea126c9c7dd7f672161d86302db41c7d999f33239a7c18062cc020c06ab9571f8023c846d22bd0fa5c020fb4c710bf6a21472002dccb6226

C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\vulkan-1.dll

MD5 7fdd1bec727e2b389c8ca84c407446c6
SHA1 a91343d9f52883325f52f28c5dd142f4ae07b3ef
SHA256 d04035c59f49444bd3cafd71296afd70bad5daa6e28bf5d7de3ffd0e36a85938
SHA512 2fdd95185507be9bcbf6cfe1f05ba47e71203b1dc3ce4cc1553e5fcfb576ab89bf018a8927fc5e6e451b00f56f7abb5f2efd504e1a674b42dbe80deeb13d669a

C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\af.pak

MD5 464e5eeaba5eff8bc93995ba2cb2d73f
SHA1 3b216e0c5246c874ad0ad7d3e1636384dad2255d
SHA256 0ad547bb1dc57907adeb02e1be3017cce78f6e60b8b39395fe0e8b62285797a1
SHA512 726d6c41a9dbf1f5f2eff5b503ab68d879b088b801832c13fba7eb853302b16118cacda4748a4144af0f396074449245a42b2fe240429b1afcb7197fa0cb6d41

C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\am.pak

MD5 2c933f084d960f8094e24bee73fa826c
SHA1 91dfddc2cff764275872149d454a8397a1a20ab1
SHA256 fa1e44215bd5acc7342c431a3b1fddb6e8b6b02220b4599167f7d77a29f54450
SHA512 3c9ecfb0407de2aa6585f4865ad54eeb2ec6519c9d346e2d33ed0e30be6cc3ebfed676a08637d42c2ca8fa6cfefb4091feb0c922ff71f09a2b89cdd488789774

C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\ar.pak

MD5 6352905a290802a05dd3a64d22216f6e
SHA1 11adb10f0678079c8f73779bb039e12329bcaac7
SHA256 00861d9fa5763cc5c3152edb4a5c956c6bc4f56311ce2ed9e6b496181624ab5e
SHA512 0b0dbad8201ebd1a7dc2cfb11325c509efbcced3ac3d337915cf2972defe2304ea9f8af91d9362cb51333459900a80b714e7302a6483ad58fd64404f8410b6ea

C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\bn.pak

MD5 9340520696e7cb3c2495a78893e50add
SHA1 eed5aeef46131e4c70cd578177c527b656d08586
SHA256 1ea245646a4b4386606f03c8a3916a3607e2adbbc88f000976be36db410a1e39
SHA512 62507685d5542cfcd394080917b3a92ca197112feea9c2ddc1dfc77382a174c7ddf758d85af66cd322692215cb0402865b2a2b212694a36da6b592028caafcdf

C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\ca.pak

MD5 83f9f785483cd92a73843ed98e674f86
SHA1 70e223dba0ecc5cf3f5fcf32278d97ff864c8024
SHA256 f7f54b55a917a0f68e4b7ed7a3e6feabb224c52d09786b939712607ebe8ab0ea
SHA512 df231f6774a9568cc4b85ad18d13c31cfb4de78830c72900ebd613d580e914e85eff85330ac9aa85246a0e4949891fdfb224ac615a03fcb0ce05b989391963e8

C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\bg.pak

MD5 38bcabb6a0072b3a5f8b86b693eb545d
SHA1 d36c8549fe0f69d05ffdaffa427d3ddf68dd6d89
SHA256 898621731ac3471a41f8b3a7bf52e7f776e8928652b37154bc7c1299f1fd92e1
SHA512 002adbdc17b6013becc4909daf2febb74ce88733c78e968938b792a52c9c5a62834617f606e4cb3774ae2dad9758d2b8678d7764bb6dcfe468881f1107db13ef

C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\cs.pak

MD5 f36f1b2ff12fb87a578c36f73f5aac83
SHA1 73f61f7b6f191468ff4d9566a0bb6eccf1069cac
SHA256 877a0a3dcb5d393365b2f775faff0d3593dd84b380a27dc72025597061a50ba7
SHA512 c61a38f937dcc90c7dd5b87d9514147b6362d339d9af85bcb3677bb12ae5715d05426f6e67ffd3b441cc41530883a227096b4135b98f2d5c73f51612e0a0e4c9

C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\da.pak

MD5 7ff057b530184205100dbea8635a29a7
SHA1 f6e22b2e37e6d7bf0ca9bec220650f01d1a4a091
SHA256 40b32636ffb813574d8a063ce7e74860ab06b93a9b16dd56b5b6aa602b5e6943
SHA512 09b7b6c280d98f21beeddf1b9e5834462f29d299a64276c198ef3eab466b352695172d2ff118664c34e51a2b73e21949f203ba35b0bb6d3e031ac770e3e6b451

C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\en-GB.pak

MD5 e0c79cf2e5b790386e44b125d8e1a5fc
SHA1 1b75baf8035b81d6494f9f36930bbc8c512e1dbf
SHA256 6b0e81b2198e025eae1e2f6d5d3a33ccce034d1f4bc59e4cade1b5f5adb99f1a
SHA512 e4feb64ce7edf416422127280cf87967a5e6b20436a8ed33932b1bade73f0691ac819449d38fa0d8a81b888d6319f0b3167aa16e225999dfd6e7800d2365f2a6

C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\en-US.pak

MD5 19d18f8181a4201d542c7195b1e9ff81
SHA1 7debd3cf27bbe200c6a90b34adacb7394cb5929c
SHA256 1d20e626444759c2b72aa6e998f14a032408d2b32f957c12ec3abd52831338fb
SHA512 af07e1b08bbf2dd032a5a51a88ee2923650955873753629a086cad3b1600ce66ca7f9ed31b8ca901c126c10216877b24e123144bb0048f2a1e7757719aae73f2

C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\el.pak

MD5 e66a75680f21ce281995f37099045714
SHA1 d553e80658ee1eea5b0912db1ecc4e27b0ed4790
SHA256 21d1d273124648a435674c7877a98110d997cf6992469c431fe502bbcc02641f
SHA512 d3757529dd85ef7989d9d4cecf3f7d87c9eb4beda965d8e2c87ee23b8baaec3fdff41fd53ba839215a37404b17b8fe2586b123557f09d201b13c7736c736b096

C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\de.pak

MD5 1b928ff4831916bbe39e4b2e08f52267
SHA1 dd8788bb4d386f7d0b8e685a09cc9ca361b7c31e
SHA256 9c335a4e85b4ac58ed386d89d284be053ef288b2706a4cae433d91625ec1b31e
SHA512 95dc4ecd45708277618a913bd07073a7cc61b642ae14fecc91ac0548898771a522a0672ee67399e5f5c8ca3006c37aa878b74af1f41717b9607c00f49e40124a

C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\fr.pak

MD5 3a5bb07820cf46c0f4a81a25724fe870
SHA1 dbc296c1fc516c60d453253ee341ca4d31554230
SHA256 b62c51b85545b3f5d70ac9c684a111689044636eafaeb196f5d52760e0f96f91
SHA512 0222f7a8bf3a6f77fcb9ab7eb0d03509d15bb8634d556547ed55141d550af241a525cc99eb13957744fe2e6d4732b9dbe4d078cb3555b16af6c13e20b9f4e8a1

C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\lt.pak

MD5 64b08ffc40a605fe74ecc24c3024ee3b
SHA1 516296e8a3114ddbf77601a11faf4326a47975ab
SHA256 8a5d6e29833374e0f74fd7070c1b20856cb6b42ed30d18a5f17e6c2e4a8d783e
SHA512 05d207413186ac2b87a59681efe4fdf9dc600d0f3e8327e7b9802a42306d80d0ddd9ee07d103b17caf0518e42ab25b7ca9da4713941abc7bced65961671164ac

C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\nl.pak

MD5 285f965bdfd40491c0669f41a1c9e2f5
SHA1 b5c17191ab4d152c7793b6dec0a2e8f1fc298a89
SHA256 b20178135b9f21feef0315fb2f2bc574c2876385e607a539ff0ce6ae7faf707b
SHA512 03de0c35bc75fb96cc5871b5d06a49d99b92864541a3a03816c1245bef567401b260ed94b99818f81273395b1ec60a9f6cae22084ef34e01a95cc41da4fbd1b7

C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\nb.pak

MD5 55d5ad4eacb12824cfcd89470664c856
SHA1 f893c00d8d4fdb2f3e7a74a8be823e5e8f0cd673
SHA256 4f44789a2c38edc396a31aba5cc09d20fb84cd1e06f70c49f0664289c33cd261
SHA512 555d87be8c97f466c6b3e7b23ec0210335846398c33dba71e926ff7e26901a3908dbb0f639c93db2d090c9d8bda48eddf196b1a09794d0e396b2c02b4720f37e

C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\ms.pak

MD5 aee105366a1870b9d10f0f897e9295db
SHA1 eee9d789a8eeafe593ce77a7c554f92a26a2296f
SHA256 c6471aee5f34f31477d57f593b09cb1de87f5fd0f9b5e63d8bab4986cf10d939
SHA512 240688a0054bfebe36ea2b056194ee07e87bbbeb7e385131c73a64aa7967984610fcb80638dd883837014f9bc920037069d0655e3e92a5922f76813aedb185fa

C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\mr.pak

MD5 5657d67f6d21b507aab24ff62b0d4701
SHA1 b685a327c525b7e42eece306984e6d88dd803a29
SHA256 671c3cb2a805a63a275ad608d37d0577c6a2813dd67fb6c2b70f8232323aac04
SHA512 637c60834edc6f31c80692274af05e3f78466cd5ddb2fd7c79315b0f54939f41f25c3b30c86fd10751d032def1f99cb853c3186128a76a3a82a6989eaf14a835

C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\sw.pak

MD5 67a443a5c2eaad32625edb5f8deb7852
SHA1 a6137841e8e7736c5ede1d0dc0ce3a44dc41013f
SHA256 41dfb772ae4c6f9e879bf7b4fa776b2877a2f8740fa747031b3d6f57f34d81dd
SHA512 e0fdff1c3c834d8af8634f43c2f16ba5b883a8d88dfd322593a13830047568faf9f41d0bf73cd59e2e33c38fa58998d4702d2b0c21666717a86945d18b3f29e5

C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\sv.pak

MD5 251682c6f4238bef8ab5471870a5454b
SHA1 2bf36466446abe39d487c61898d335901bbb09b0
SHA256 e1cbce672de3ba3a01272b9b763dcfd8229fba0883df2b4117ac6b0f9916c073
SHA512 de1e507b24e71f60c298253aacff49724b6a8c6336455d8dfcc6e939e53ed5e7a95dc5574e66a7fae38b6666446ac9cd83e5ad1b794b4ffa38d06052663c1f45

C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\sr.pak

MD5 c68c235d8e696c098cf66191e648196b
SHA1 5c967fbbd90403a755d6c4b2411e359884dc8317
SHA256 ab96a18177af90495e2e3c96292638a775aa75c1d210ca6a6c18fbc284cd815b
SHA512 34d14d8cb851df1ea8cd3cc7e9690eaf965d8941cfcac1c946606115ad889630156c5ff47011b27c1288f8df70e8a7dc41909a9fa98d75b691742ec1d1a5e653

C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\sl.pak

MD5 83ef046784c1b113e827cb744bcb8656
SHA1 f6f3e0e975e7d3ca8e06f1988cb8a1c182eea734
SHA256 ab2079923e2baa27c220df2f1559af8edc785f8e9fe2e12c8ecb0e0e7e7d0a09
SHA512 f62f7e1eee91f5d42d591abbc7cb0fdf639834090824e7ab7f4dffb1e6c108c540074fdbadd5e153caecdb37b722ed9f737f13cbab387685013781949b9ee321

C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\sk.pak

MD5 07498676ad49df5cb1a14d91e2fc2353
SHA1 da344ebcc2ed566b45668c8ff5b950cb921af71f
SHA256 b7ba1d08ac8498ea6a37186a51b30d6d0db17136ac734982af4dab97f4a6cd9a
SHA512 548dd27e98700681941ac13e6cf90a70c66520f70df51c75ecfbb32391805ee536a34f3e90400c1cfb34b750c9415378e1a75233db614c94a057da64d3369d91

C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\ru.pak

MD5 e582616cb61afb76688aa7669936bbff
SHA1 cd2e894a59238ce90be527156243546b4a3fc53e
SHA256 e4edec80c9e29357bcf31eda5d8b046c6c9fbc6434a0b5594b6a906d5f1407d1
SHA512 a5346390b6ec966d75839fb84e8d7284db55065b1a032ecd869a06555cdf116caaad73f9b059c92c17d5a5fb310a41c5f3b2461eee531b231adacb1b3d3d6cec

C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\ro.pak

MD5 d8b831a4896af7c78c534f1e8676ae37
SHA1 175da19445b975b24a1e7bc8ffafa93d456ed10c
SHA256 3a58f2275ea6a2baa68924b1dab6b0f06abf8b6657a878dea94b0060a95e38f0
SHA512 e7e75dc7f92eb28759b567ec395f2a951c0e71284c75b9e2c4efd92209dda5767d51d51cdf591d04baddcfe88fbc2c8e6851a904d631b69bd801b9568767d948

C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\pt-PT.pak

MD5 e032c0d39df2b7bfc71ece3bfe694039
SHA1 6664f303bae983a1bffcba22e9df712bb3cb59d6
SHA256 60a5a7f03d4d54397ca04be0c89d1f67a496b72807c0bd660c076bc945b40339
SHA512 3f12ed39848ad76411d4d84b2ccef59e2346d40c8e7ddbf6e333a2323df737d864126777fb54a15e90283ced2e7f04a7dda561fa2ebe13b30e082988b13e1406

C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\zh-TW.pak

MD5 c651e23053764c38a4e8a7f34317f19b
SHA1 93cd303c91024748d283c3779f11402cfb4f5c0b
SHA256 9689ba3f2dc7248a3ab5db3b97d473e29464afbc7f2d1c7035f7e8e9a1c05aa4
SHA512 1b7951fc4dcc2c08811dd3449fe2ce1302286b3eca21675adefa25a806ae7dcf91c565a111032fc5fda4dd9f5231875f0c77cdfd22ecc7d435450080d853a503

C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\zh-CN.pak

MD5 0d5b72258b56c584113a022e16777387
SHA1 77f91e8c36befb818229ef8fef068e97f60ecf0f
SHA256 539f0bfdb461bf777aab14a4baaf47c8c32ae1856cc4ac93b23ce73dc50ba02a
SHA512 632c4ca60529c717fb2ba700d8f12017d097e67045639e2c30144a0372cecf595a2727d3505f019b91e8a15fe3259f2727bfb24e970dea8080a11e1a3dfa2068

C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\vi.pak

MD5 ebb5db1dbb64895b1a25120d5ac9b5e4
SHA1 810fa53a97fe42994f8a68698d582651d69cfd51
SHA256 ef3ddadb90dc73b73e25e9608626ce68d6778445812b8bd2f6c81e1f1e4bff16
SHA512 fba594183c7b672204330ca698f1e195026fc51d4e05db2c49e58a896c3b5e11e23286be0d6ffae3ec321e6c08322544df3c876dbce3c2e69a951985a84a2c91

C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\ur.pak

MD5 1ca4fa13bd0089d65da7cd2376feb4c6
SHA1 b1ba777e635d78d1e98e43e82d0f7a3dd7e97f9c
SHA256 3941364d0278e2c4d686faa4a135d16a457b4bc98c5a08e62aa12f3adc09aa7f
SHA512 d0d9eb1aa029bd4c34953ee5f4b60c09cf1d4f0b21c061db4ede1b5ec65d7a07fc2f780ade5ce51f2f781d272ac32257b95eedf471f7295ba70b5ba51db6c51d

C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\uk.pak

MD5 88d51b6df9f3cec54eda732dcf2c63fa
SHA1 a826200f112d5c69f1aa5837bc40d4c423515029
SHA256 e914b8956745a14d9d64f12698805e0910f9d3581dd380468949b54576fad2a6
SHA512 3ed8f2090497597d4e2583901993331de19f9dc787ea886dabdaf22a79aefa2956e63501c9a50be34fabf7287b6751f50d9a5105e4f16a579961ebc0d6eff14e

C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\tr.pak

MD5 1525dd38ca529c56f9d3e08293385690
SHA1 e0dfb9d60a3469d701dcb9ead8f8cd2cfe6fd604
SHA256 5a7e1c8b572f67ed40e9d5107ddd6f8791b03138bb9933cfb26f1678b2c4a9cd
SHA512 195ffc165e45a51c12b03252759c5e1ff684e57b5994aeca608d40ef6799f29812add6fb2479e8e8c1655799f4dbf29e47272324b857b9161ad43a1b271eddfd

C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\th.pak

MD5 f9ff2275865f2cdebb9b0d19d4fb57a1
SHA1 e83c6c8e0005bf34771af3f1c0c9d8ebaa822f95
SHA256 3d4556bc0f26b89d090a8a779a8fda8f6fbe157a23181cbfb1d6c67a6212b864
SHA512 96f596bb564e62bbafe62774fba1cefa644feff47a331e54cd7dc9b85b29f2a2e8e785e85d90cccc27f9a1c735b0a8c6dbe01fa244601f1359194f64a49ee6d0

C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\te.pak

MD5 41e49a1ef6850d90e0cbdc720c45ea5a
SHA1 a2fbe1585a1b653ac6acccaf6184ae2de3e007af
SHA256 aa2b9d1ad8591e91872c3fee62b111b74d6e7e890a47d0bcc388947ae5245290
SHA512 687ff66471248104f8780f142e1810ccc7275857e4bd188447d01cecbe74ebac4070ab135d4a7111bc5f4ae17247dd865f21a2d3e73031534dac1f5117bc4570

C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\ta.pak

MD5 292f763cb8eb588659eb7cc25cf57d2e
SHA1 dc42622f272843cb3afce9968146b85a98485237
SHA256 d5bfe0699342b8bba6c4c73c115b1c7f3f903c4ed95d77461c34369f2f60d5ee
SHA512 100ec32914f0d140baa414180cb2ba34e95f75ab73a0c036d6d5ebb64cc69b2b7c62b9e3f9de192bab8ddac3b387b953bed2ca1fd3bf0aab0198b9c1f2911151

C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\pt-BR.pak

MD5 3701247a5ac607053278aea185ee6616
SHA1 8cb40ddd4865347677f8d327792c6edb69012f76
SHA256 7f41c3a58d08d98f21232e7c85839c9dec0053b447bb4dae867d2faadb278d45
SHA512 637070ebc4411fb92bef5ff75eff46602db8ed59021f37f1a0d8201093f047419c558ec1af49c4dbbb4f58e7169e2f2cf04af7e1d11a57d39ab1cf036cb8497c

C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\pl.pak

MD5 fbc79131a645b3853b4fa97c2b589a07
SHA1 91c6d4386384efa9074956b9e811a0aac385aa4e
SHA256 0948238576efb502327af4040c1d9eb1346fbf1bdcee35cd46746b170a7ea6a7
SHA512 0559d787bb7e4fa32a70c19cf0d1b2962d3869363904c13f345ef733f1193c73a13bad9600d7a5ffacf60b92cd97c27e27f7c4b7e143d0925fb358498c92f8cf

C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\ko.pak

MD5 54ace51d8b687e36a66a2bfde258a550
SHA1 1b2fe7c62e3f2c7deede2034e44980e02afa3b4d
SHA256 8d131066e2fa004e11f9128162bfc354d3254381059d6c852bf88a55859ae3e8
SHA512 50b825a88d646a32a4d620bcdf5ce490c8dfbea628c5256a6918dc647c42385f955396ec5d3b32cfdb50153897cf303cd517bc9f62663b14def2dae42229f640

C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\kn.pak

MD5 fccd5d8ad5e1c774771b19dda55d9b9a
SHA1 fabbaf469e4aec44342a7e6f74b837cde2203b71
SHA256 47c77fdf73267865a025a54027865a8d67e26943264a43c6e794ccbd6eec549b
SHA512 c9dc6cf0ff5a4094cc07ce4881319778a076b44651b16a220940d7a587ffaa92b6b80f7264605a3c8e6dd780e9c3d8e4d403d01cd8f94e0122ac19cd4d636aac

C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\ja.pak

MD5 e9133185d2339d0a2f68c4c739eb3615
SHA1 cfa6db85ec99bb38b734254b7d4a83d12ee5cd00
SHA256 ba2acb635671a48ed0bf8cdc6e0a0318cfb33eb74b4171c6b483b95f2a167bc5
SHA512 e89c886a601943d2089bad27ce9458f95929fd39fd2f88da0545f71e9d18a678eafc303630d0f94ab3af7c77ad19fabdb2616a2d004151232bc6ce1ae8e4c46e

C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\it.pak

MD5 8cde7372fc5095e581bf64fb77e04d61
SHA1 0d30e0ae2c401a06ffb4056bab44d2b5d3970492
SHA256 d011fd39c3cbab740a7944a60a8dd48d6f76c563ea473cfd1f569c5e6fc9fa4e
SHA512 83778880ad95b39b5746d512aa116b05928f580f0c5e75b45cddcb80addb24cf079f73f65771e1d75ca18925ea6fdb86283aa060af2cd1308dee53ee728f76e8

C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\id.pak

MD5 366d1b2c3759d6ff9c588f53ec9a7c5b
SHA1 e9d5c6e8311c6f7b7c4ad997db0cec5c11cfd754
SHA256 0853a5543923b7a8db5989ebb8ebe8f9fb6271bfa59b94f5843f97de4401e2d8
SHA512 879e72625fd112cec85a6489c590d7e89c65753d2beee259f7393e7377729d40bbb8cd0a2a9fcfde93d14c2cc9a97879312e60ab26035970a632e36d2f8d9e53

C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\hu.pak

MD5 2aa0a175df21583a68176742400c6508
SHA1 3c25ba31c2b698e0c88e7d01b2cc241f0916e79a
SHA256 b59f932df822ab1a87e8aab4bbb7c549db15899f259f4c50ae28f8d8c7ce1e72
SHA512 03a16feb0601407e96bcb43af9bdb21e5218c2700c9f3cfd5f9690d0b4528f9dc17e4cc690d8c9132d4e0b26d7faafd90aa3f5e57237e06fb81aab7ab77f6c03

C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\hr.pak

MD5 cbca0ad35cfa5c4b852cc8f556706b0b
SHA1 608d2e11a40e5e15a2840e248a249d1562ba9846
SHA256 6ea4b1a28cf567cca73ccdb7eec631fffba3b49acc41e3c88b448514578d80da
SHA512 5b6f01c10d613f278d507d43fb0c708b32fd486d9b5a5f31a9837d0b1025da6ff85772b8f39e192cd8625d363be570565fd4eaf0f8d11c17ad6cbd956893022b

C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\hi.pak

MD5 bc777a1010c846906d05d75d82f5dea9
SHA1 73bbeeda37164845ca3f4f2827165b4023f8a194
SHA256 ccf7a557d0f8353ff3d656d4c2a4fca2d462ed2cc3d18c599d98f4d57b23c615
SHA512 e6a01b80adfa31fa93d48fc4f1ba9222d21b8ed7734e664e4f274843b46d826ec8863483c0e8647e39ad85988dfe0a2848d32a26ce1fdd8a0eb85e4fe64be292

C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\he.pak

MD5 c6937badd93ff4ae6f6a2c9e31f678d5
SHA1 b3175d7bebe340ab08e0d8e85d550a076b073c55
SHA256 3cd4440501bc67d0b2e33e1346ba133fb9a09a8762f2334732f8cc349cd840b7
SHA512 db232d7da04b4a854fd399fa04779469ec6fd0a752c4da7b2eed6d1aeaca4a096130fe326c91d777131d1a8ba32637d884e518f1522e9658d233a35e5eef9397

C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\gu.pak

MD5 9e189d21ad5843b69c352466c94cdc4c
SHA1 99af98cc510abe726b54f28488f647ea6f7d4c91
SHA256 9c210e3143f99df59bebea6bdb6e30959f8520d59a20fffd437f7029840bb3a9
SHA512 c3007f45ec20c3c3e763f20be1a5557f548a28757cb032617c20fe7d44b7524368b75b8182de243048aa56b939b2a790b5b85cf359b009c4c20c41089e8992e8

C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\fil.pak

MD5 d7df2ea381f37d6c92e4f18290c6ffe0
SHA1 7cacf08455aa7d68259fcba647ee3d9ae4c7c5e4
SHA256 db4a63fa0d5b2baba71d4ba0923caed540099db6b1d024a0d48c3be10c9eed5a
SHA512 96fc028455f1cea067b3a3dd99d88a19a271144d73dff352a3e08b57338e513500925787f33495cd744fe4122dff2d2ee56e60932fc02e04feed2ec1e0c3533f

C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\fi.pak

MD5 7243727348009668ded33dd0109118c3
SHA1 aa19e2e340c8328132d12ff79d8fd6b02c512a48
SHA256 6581fca26336f66d8ba898ec1253b237db30e7cd1a25fc788290d7ace96fa6e1
SHA512 e890346915c0891a9f49640f232f6633e25655b969911a6697adfea709cec59bb925678e0b97424936c59d523c3ee9e2dc23f115e20c45ca3ed51ae691d0d7f0

C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\fa.pak

MD5 e861a65f12b38a3def1fe9e933cae275
SHA1 8d083b5902a15a63ef11c7783f12e088d333fcf5
SHA256 f9a8e3b9bbc809f11cc3dc32811940e033bd78a31ec154d28321473f8efa1e4d
SHA512 d1fe91c693c794b4a4d60560800c919977654832e8f6e34fb1ec0ffbf5c411cf35b0a0e22e036dca48a246ab8d6bea0427c5ceb232d460e9c59cf4163d55314c

C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\et.pak

MD5 8b3cb5e4b8ac769bde84e5c375c1774e
SHA1 53665908d6ec12095abd766911d8abcc84c6da58
SHA256 c351b84558214420495bed6d882d37496483cc66b0e10400ca872e3fc4145b66
SHA512 b0dff640d32e5c277f2d3441abf823e8859f28f215cfc63fde8a968cbc9b9531aa0394e10fa98284d186323e3357ea2265d762dc034be86bb50f5c55630ab4c5

C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\es.pak

MD5 e42486833449ea57261d5bbdabb8b4e2
SHA1 09734ed71302c7a3bf5f84dee1dfab7732bc0745
SHA256 d539c88c4493cb1d9eae600611e3119fe129ec95149049f4b62fc3a97d78ca61
SHA512 8ad283323c3f2e7a9d2e33eb86c371be6a9e29d9243e0d74d5936606692367212f81825d5c313a8859ff8de84eb6d23cbfc577ca47185392da803717f29e8b24

C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\es-419.pak

MD5 a510ff6703676bacde7e528823878018
SHA1 6551a7dac1c3fcd839b8d7c6ca92470f30a93d0d
SHA256 77114f519743741a488a9b57cdc7190f0507c37dc3b29811704a048172ba6736
SHA512 e9b75bc92eb077db57f906ef544b2339c4eb4f6eddf65d2570c36a00ab4b8a167a53e869d81150a7d097ecbf4ba19625ad4228f133392cc850352fe66fea47e0

C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\ml.pak

MD5 038b9eb34737bf472fde68b91a40f122
SHA1 64771e91d4fdac0b909c6f446cc2f310be7d1320
SHA256 27b7947e36a521403de094cc563d5eced1e46f98e4d6b872fd424352f798e84d
SHA512 3c96b42ab838f2ad5434e719f5906427a5fb327967d04c8498f3af4e913de833ac9cce6545fcfe0de2dc920cdf54c8b31c1d1527f609f90bcf9728d7bdbaac7d

C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\lv.pak

MD5 4468d6a6114d5a7ea3c1173ae9a8250d
SHA1 ef664a6a140fb7a244bce44ff8c73250856d8061
SHA256 0ff66161377be2fb8b2b456a64dd910d8375a2b9f1f6f22333540a77111903d6
SHA512 db4179b53cd44f297f5455a167ceccdd2a384c5296311346fa53f15ef5acab76cd166df13dbdf22b0c85a66455f22218e88c02fda2c5e2f863b9f4e7ea6e9a56

C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\resources\elevate.exe

MD5 792b92c8ad13c46f27c7ced0810694df
SHA1 d8d449b92de20a57df722df46435ba4553ecc802
SHA256 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37
SHA512 6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40

C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

C:\Users\Admin\AppData\Local\Temp\6796560e-abd9-4823-9b78-6813151ef2d3.tmp.node

MD5 aa8da32ebca307d4f99cf2da290afd22
SHA1 8590c0b54987ad6b0bc15a1aa66b9d2ca65ca899
SHA256 ed3a86d32e83849720e150c18c4d19c90cabe912d674624f34051c19936167db
SHA512 d7809a39922d99a716744e6cc17e4094930c40a8a21c983830c3570c4e52846151d66ad5d6021bc2a5b5fd29f520465b7b88f71cb86c30e0fadc4d0fb21ee1d7

C:\Users\Admin\AppData\Local\Temp\4d4696d7-9272-44fd-8827-c191742215c3.tmp.node

MD5 04bfbfec8db966420fe4c7b85ebb506a
SHA1 939bb742a354a92e1dcd3661a62d69e48030a335
SHA256 da2172ce055fa47d6a0ea1c90654f530abed33f69a74d52fab06c4c7653b48fd
SHA512 4ea97a9a120ed5bee8638e0a69561c2159fc3769062d7102167b0e92b4f1a5c002a761bd104282425f6cee8d0e39dbe7e12ad4e4a38570c3f90f31b65072dd65

memory/3768-568-0x00000188CDFE0000-0x00000188CE002000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xogcoy1q.2ti.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3768-572-0x00000188CE100000-0x00000188CE150000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 f69f145ee494b2d67c5d50108c862d4a
SHA1 68f36b9bd553beb2a7eec5f4a8fef317703c77e1
SHA256 06dd71fdfda7e319131bf98bd21dc6bee9a480736ab688e52bafe10074f00fc7
SHA512 302489f1e2676d83cf9cf92d378176a230f15975af12e2a2a50d9c057f4de0fc2c22f68a9390f5b337eaa10ea77366a1a79e71808de1e7a7c4e6432aeb75c530

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 df739ecbffb92fdaa51ac0793434acaf
SHA1 fdbb8742670c2db6b00d45ce5bd8c19bf17536ac
SHA256 eaa1143dd26a969e19beb89528d057f6af4d344fe540820b81f1036b2c0fcbfc
SHA512 5a8ea65354e14fbf9011bb0e4cc1625bc245acc3fd893970cf0f64f1625d4c182518fbf679365ce9dfbdbbecf1b48e9004010da6ea4b5fce098532f1fb39daf7

C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\xx_lol\Browser.zip

MD5 76cdb2bad9582d23c1f6f4d868218d6c
SHA1 b04f3ee8f5e43fa3b162981b50bb72fe1acabb33
SHA256 8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85
SHA512 5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

memory/1524-606-0x00000260A2650000-0x00000260A2651000-memory.dmp

memory/1524-608-0x00000260A2650000-0x00000260A2651000-memory.dmp

memory/1524-607-0x00000260A2650000-0x00000260A2651000-memory.dmp

memory/1524-618-0x00000260A2650000-0x00000260A2651000-memory.dmp

memory/1524-617-0x00000260A2650000-0x00000260A2651000-memory.dmp

memory/1524-616-0x00000260A2650000-0x00000260A2651000-memory.dmp

memory/1524-615-0x00000260A2650000-0x00000260A2651000-memory.dmp

memory/1524-614-0x00000260A2650000-0x00000260A2651000-memory.dmp

memory/1524-613-0x00000260A2650000-0x00000260A2651000-memory.dmp

memory/1524-612-0x00000260A2650000-0x00000260A2651000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 02:00

Reported

2024-06-13 02:05

Platform

win11-20240508-en

Max time kernel

144s

Max time network

159s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2244 wrote to memory of 3868 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2244 wrote to memory of 3868 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2244 wrote to memory of 3868 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 3868 -ip 3868

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 536

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-13 02:00

Reported

2024-06-13 02:06

Platform

win11-20240611-en

Max time kernel

85s

Max time network

94s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\icudtl.dat

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\icudtl.dat

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-06-13 02:00

Reported

2024-06-13 02:06

Platform

win11-20240611-en

Max time kernel

149s

Max time network

156s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\es.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\es.pak

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
N/A 199.232.210.172:80 tcp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-13 02:00

Reported

2024-06-13 02:06

Platform

win11-20240611-en

Max time kernel

149s

Max time network

157s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\bg.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\bg.pak

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 52.111.227.11:443 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-13 02:00

Reported

2024-06-13 02:06

Platform

win11-20240419-en

Max time kernel

131s

Max time network

152s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\el.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\el.pak

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-06-13 02:00

Reported

2024-06-13 02:06

Platform

win11-20240611-en

Max time kernel

141s

Max time network

160s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\fa.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\fa.pak

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-06-13 02:00

Reported

2024-06-13 02:06

Platform

win11-20240611-en

Max time kernel

147s

Max time network

156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vk_swiftshader.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vk_swiftshader.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

N/A