Analysis Overview
SHA256
fe3e8b0fb23d7889d8e1cf58ddec37d255393ccfb6017f27032604e53aa1b3c8
Threat Level: Shows suspicious behavior
The file Vanta-Loader.exe was classified as: Shows suspicious behavior.

Read together, the tasks below show an NSIS installer ($PLUGINSDIR, nsis7z.dll, System.dll, app-64.7z) that unpacks an Electron application (LICENSE.electron.txt, locales\*.pak, chrome_200_percent.pak, vulkan-1.dll, elevate.exe, and what appears to be the Electron executable itself, present here as runtimebroker.exe and launched with Chromium-style --type=gpu-process and --type=utility children). Each behavioral task detonates one of the extracted files on its own, so most of them record only harness noise: cmd /c on a .pak, .7z or .txt file hands it to OpenWith.exe or Notepad, and rundll32 crashes when an NSIS plugin export is called out of context. The behavior that justifies the verdict is confined to behavioral29, where runtimebroker.exe writes a runtimebroker.exe into the user's Startup folder, runs tasklist, shells out to PowerShell to DPAPI-decrypt two blobs in the current user's context, touches the Chrome and Edge webdata.db files, and opens TLS sessions to api.gofile.io, store*.gofile.io and discord.com. The "likely ransom note" hit in behavioral5 is Notepad opening LICENSE.electron.txt and should be treated as a false positive, and the "obfuscated cmd.exe command-line" hit is the cmd.exe /d /s /c "..." form that Node.js child_process.exec uses on Windows, not a payload that has been obfuscated.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Legitimate hosting services abused for malware hosting/C2
An obfuscated cmd.exe command-line is typically used to evade detection.
Unsigned PE
Program crash
Enumerates physical storage devices
Enumerates processes with tasklist
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Opens file in notepad (likely ransom note)
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 02:02
Signatures
Unsigned PE
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-13 02:00
Reported
2024-06-13 02:06
Platform
win11-20240611-en
Max time kernel
87s
Max time network
95s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app-64.7z
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-13 02:00
Reported
2024-06-13 02:06
Platform
win11-20240611-en
Max time kernel
149s
Max time network
157s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4308 wrote to memory of 3884 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\NOTEPAD.EXE |
| PID 4308 wrote to memory of 3884 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\NOTEPAD.EXE |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\LICENSE.electron.txt
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\LICENSE.electron.txt
Network
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-06-13 02:00
Reported
2024-06-13 02:05
Platform
win11-20240508-en
Max time kernel
127s
Max time network
142s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\locales\de.pak
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-06-13 02:00
Reported
2024-06-13 02:06
Platform
win11-20240508-en
Max time kernel
140s
Max time network
158s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\locales\en-GB.pak
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-06-13 02:00
Reported
2024-06-13 02:06
Platform
win11-20240508-en
Max time kernel
126s
Max time network
147s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\locales\fil.pak
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral28
Detonation Overview
Submitted
2024-06-13 02:00
Reported
2024-06-13 02:06
Platform
win11-20240419-en
Max time kernel
124s
Max time network
147s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe
"C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral32
Detonation Overview
Submitted
2024-06-13 02:00
Reported
2024-06-13 02:06
Platform
win11-20240611-en
Max time kernel
89s
Max time network
96s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1572 wrote to memory of 4324 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1572 wrote to memory of 4324 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1572 wrote to memory of 4324 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4324 -ip 4324
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 468
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-06-13 02:00
Reported
2024-06-13 02:06
Platform
win11-20240611-en
Max time kernel
149s
Max time network
159s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\locales\cs.pak
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 52.111.227.14:443 | | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-06-13 02:00
Reported
2024-06-13 02:06
Platform
win11-20240611-en
Max time kernel
87s
Max time network
101s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\locales\en-US.pak
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| NL | 52.111.243.29:443 | | tcp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-13 02:00
Reported
2024-06-13 02:06
Platform
win11-20240419-en
Max time kernel
140s
Max time network
163s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\chrome_200_percent.pak
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-06-13 02:00
Reported
2024-06-13 02:06
Platform
win11-20240611-en
Max time kernel
86s
Max time network
98s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\locales\ar.pak
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
Files
Analysis: behavioral23
Detonation Overview
Submitted
2024-06-13 02:00
Reported
2024-06-13 02:06
Platform
win11-20240611-en
Max time kernel
87s
Max time network
98s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\locales\et.pak
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
Files
Analysis: behavioral29
Detonation Overview
Submitted
2024-06-13 02:00
Reported
2024-06-13 02:06
Platform
win11-20240611-en
Max time kernel
151s
Max time network
150s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runtimebroker.exe | C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe | N/A |
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
An obfuscated cmd.exe command-line is typically used to evade detection.
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
"C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\tasklist.exe
tasklist
C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
"C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\runtimebroker" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1672 --field-trial-handle=1828,i,1340217184836135925,12216280741845008325,131072 --disable-features=BlinkSchedulerMicroTaskQueuePerWindowAgent,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
"C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\runtimebroker" --mojo-platform-channel-handle=2028 --field-trial-handle=1828,i,1340217184836135925,12216280741845008325,131072 --disable-features=BlinkSchedulerMicroTaskQueuePerWindowAgent,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,146,65,25,200,6,171,163,71,189,215,230,101,88,154,217,146,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,198,182,24,250,108,21,253,21,222,158,198,220,20,220,251,104,58,74,38,184,12,92,171,8,223,12,123,23,63,159,135,109,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,240,242,219,218,239,77,97,162,76,24,83,139,213,113,126,161,149,193,20,1,88,193,165,73,159,54,146,160,175,231,99,174,48,0,0,0,230,100,231,112,18,238,102,145,69,226,26,139,253,127,81,235,160,81,42,71,125,158,198,49,137,62,230,132,7,107,127,192,75,41,218,120,154,11,122,7,229,180,208,146,197,231,143,26,64,0,0,0,68,198,247,104,35,222,11,172,153,104,11,33,254,192,216,45,254,124,90,47,216,120,98,161,68,197,224,131,137,252,152,112,9,63,129,246,95,41,15,153,173,59,228,29,101,64,222,61,230,204,29,49,229,237,60,231,183,100,160,182,230,48,145,236), $null, 'CurrentUser')"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,146,65,25,200,6,171,163,71,189,215,230,101,88,154,217,146,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,198,182,24,250,108,21,253,21,222,158,198,220,20,220,251,104,58,74,38,184,12,92,171,8,223,12,123,23,63,159,135,109,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,240,242,219,218,239,77,97,162,76,24,83,139,213,113,126,161,149,193,20,1,88,193,165,73,159,54,146,160,175,231,99,174,48,0,0,0,230,100,231,112,18,238,102,145,69,226,26,139,253,127,81,235,160,81,42,71,125,158,198,49,137,62,230,132,7,107,127,192,75,41,218,120,154,11,122,7,229,180,208,146,197,231,143,26,64,0,0,0,68,198,247,104,35,222,11,172,153,104,11,33,254,192,216,45,254,124,90,47,216,120,98,161,68,197,224,131,137,252,152,112,9,63,129,246,95,41,15,153,173,59,228,29,101,64,222,61,230,204,29,49,229,237,60,231,183,100,160,182,230,48,145,236), $null, 'CurrentUser')
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,146,65,25,200,6,171,163,71,189,215,230,101,88,154,217,146,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,146,45,164,151,1,68,153,111,78,190,135,88,178,207,184,45,202,134,99,66,178,89,185,160,133,228,207,57,63,75,68,173,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,225,26,152,254,139,197,64,242,25,115,254,179,78,102,185,236,218,233,23,214,205,57,172,72,22,194,246,254,68,65,101,37,48,0,0,0,121,163,137,78,181,250,59,152,249,81,216,155,122,56,178,157,235,32,93,223,160,59,250,160,99,12,44,63,142,209,67,193,100,71,209,46,1,238,73,26,153,129,83,216,214,27,143,140,64,0,0,0,25,105,35,50,57,213,250,45,161,229,18,117,220,66,205,207,50,182,44,52,255,233,86,211,12,166,38,41,149,48,108,33,108,3,224,173,15,237,70,196,10,35,251,91,241,36,84,184,182,220,111,233,81,120,139,205,210,69,53,145,38,189,195,89), $null, 'CurrentUser')"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,146,65,25,200,6,171,163,71,189,215,230,101,88,154,217,146,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,146,45,164,151,1,68,153,111,78,190,135,88,178,207,184,45,202,134,99,66,178,89,185,160,133,228,207,57,63,75,68,173,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,225,26,152,254,139,197,64,242,25,115,254,179,78,102,185,236,218,233,23,214,205,57,172,72,22,194,246,254,68,65,101,37,48,0,0,0,121,163,137,78,181,250,59,152,249,81,216,155,122,56,178,157,235,32,93,223,160,59,250,160,99,12,44,63,142,209,67,193,100,71,209,46,1,238,73,26,153,129,83,216,214,27,143,140,64,0,0,0,25,105,35,50,57,213,250,45,161,229,18,117,220,66,205,207,50,182,44,52,255,233,86,211,12,166,38,41,149,48,108,33,108,3,224,173,15,237,70,196,10,35,251,91,241,36,84,184,182,220,111,233,81,120,139,205,210,69,53,145,38,189,195,89), $null, 'CurrentUser')
C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
"C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --user-data-dir="C:\Users\Admin\AppData\Roaming\runtimebroker" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2472 --field-trial-handle=1828,i,1340217184836135925,12216280741845008325,131072 --disable-features=BlinkSchedulerMicroTaskQueuePerWindowAgent,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.gofile.io | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.4.4:443 | dns.google | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.4.8.8.in-addr.arpa | udp |
| FR | 51.178.66.33:443 | api.gofile.io | tcp |
| US | 8.8.8.8:53 | 33.66.178.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | store8.gofile.io | udp |
| US | 206.168.191.31:443 | store8.gofile.io | tcp |
| FR | 51.178.66.33:443 | api.gofile.io | tcp |
| US | 206.168.190.239:443 | store9.gofile.io | tcp |
| US | 8.8.8.8:53 | 239.190.168.206.in-addr.arpa | udp |
| FR | 51.178.66.33:443 | api.gofile.io | tcp |
| US | 206.168.190.239:443 | store9.gofile.io | tcp |
| FR | 51.178.66.33:443 | api.gofile.io | tcp |
| US | 206.168.191.31:443 | store8.gofile.io | tcp |
| FR | 51.178.66.33:443 | api.gofile.io | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| FR | 31.14.70.252:443 | store10.gofile.io | tcp |
| FR | 51.178.66.33:443 | api.gofile.io | tcp |
| FR | 31.14.70.245:443 | store4.gofile.io | tcp |
| FR | 51.178.66.33:443 | api.gofile.io | tcp |
| US | 8.8.8.8:53 | 245.70.14.31.in-addr.arpa | udp |
| FR | 45.112.123.227:443 | store1.gofile.io | tcp |
| FR | 51.178.66.33:443 | api.gofile.io | tcp |
| US | 206.168.190.239:443 | store9.gofile.io | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\7028451f-edfa-4156-818c-df812df8fb38.tmp.node
| MD5 | aa8da32ebca307d4f99cf2da290afd22 |
| SHA1 | 8590c0b54987ad6b0bc15a1aa66b9d2ca65ca899 |
| SHA256 | ed3a86d32e83849720e150c18c4d19c90cabe912d674624f34051c19936167db |
| SHA512 | d7809a39922d99a716744e6cc17e4094930c40a8a21c983830c3570c4e52846151d66ad5d6021bc2a5b5fd29f520465b7b88f71cb86c30e0fadc4d0fb21ee1d7 |
C:\Users\Admin\AppData\Local\Temp\222a3b85-47f2-45f0-8f84-6951b0ea8cfd.tmp.node
| MD5 | 04bfbfec8db966420fe4c7b85ebb506a |
| SHA1 | 939bb742a354a92e1dcd3661a62d69e48030a335 |
| SHA256 | da2172ce055fa47d6a0ea1c90654f530abed33f69a74d52fab06c4c7653b48fd |
| SHA512 | 4ea97a9a120ed5bee8638e0a69561c2159fc3769062d7102167b0e92b4f1a5c002a761bd104282425f6cee8d0e39dbe7e12ad4e4a38570c3f90f31b65072dd65 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wxsgibfb.nyc.psm1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4500-16-0x000001B07F910000-0x000001B07F932000-memory.dmp
memory/4500-20-0x000001B07FD40000-0x000001B07FD90000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | f69f145ee494b2d67c5d50108c862d4a |
| SHA1 | 68f36b9bd553beb2a7eec5f4a8fef317703c77e1 |
| SHA256 | 06dd71fdfda7e319131bf98bd21dc6bee9a480736ab688e52bafe10074f00fc7 |
| SHA512 | 302489f1e2676d83cf9cf92d378176a230f15975af12e2a2a50d9c057f4de0fc2c22f68a9390f5b337eaa10ea77366a1a79e71808de1e7a7c4e6432aeb75c530 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | df739ecbffb92fdaa51ac0793434acaf |
| SHA1 | fdbb8742670c2db6b00d45ce5bd8c19bf17536ac |
| SHA256 | eaa1143dd26a969e19beb89528d057f6af4d344fe540820b81f1036b2c0fcbfc |
| SHA512 | 5a8ea65354e14fbf9011bb0e4cc1625bc245acc3fd893970cf0f64f1625d4c182518fbf679365ce9dfbdbbecf1b48e9004010da6ea4b5fce098532f1fb39daf7 |
C:\Users\Admin\AppData\Local\Temp\xx_lol\Browser.zip
| MD5 | 2b761fe533bc9f2d8eca41b77bd56599 |
| SHA1 | 2032e8abbe478db822560dd67ed70f87f04b28d7 |
| SHA256 | 3fa088555c8082587cf8f8f1a1bb92926ad6cd297b7082346364d3f1b0409663 |
| SHA512 | 94a7062240d112836266fc77e2884fea3e2034fca9ad6613083c1cfe3e24f77baad259ee09b8c3c614d3684911fdcd9dc83517dd175f0979d2770521eb06fd36 |
C:\Users\Admin\AppData\Local\Temp\xx_lol\Browser.zip
| MD5 | cfd2a5ad79633beaf1737a3b9684aed6 |
| SHA1 | f0347200dfec18e24518d30dfc97820614aa73d6 |
| SHA256 | ed13c6362986d058e0cce9c7458e89c44445880c6160f5a188e73d59c1c9acb4 |
| SHA512 | b707e540679e87cfbfa4118245fbc987767ef33670e06cb60953afe669d398dedea7679e266010d1d42e4f1b36c84c9d17892fa6744972de7fbd4a0a9bef3c57 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\webdata.db
| MD5 | 44b8968160e811f5c8a611da10b4318f |
| SHA1 | 1e8253f96d24d3c912bc6b0a7bab3ca4083a133b |
| SHA256 | 0d91bba8f093e2e3f51afb1a9e150c2c320a44106e06cbe72c83809211703444 |
| SHA512 | c14263aad4e132d6a9f984fe8daa8fadbe62804690041fe3a88c00b6f540fa3df559d46506c5c3310231e4a29b17d8dbc83640192f93946c33794e646ffdb40a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\webdata.db
| MD5 | 87210e9e528a4ddb09c6b671937c79c6 |
| SHA1 | 3c75314714619f5b55e25769e0985d497f0062f2 |
| SHA256 | eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1 |
| SHA512 | f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0 |
memory/1820-102-0x000001D6E4860000-0x000001D6E4861000-memory.dmp
memory/1820-104-0x000001D6E4860000-0x000001D6E4861000-memory.dmp
memory/1820-103-0x000001D6E4860000-0x000001D6E4861000-memory.dmp
memory/1820-109-0x000001D6E4860000-0x000001D6E4861000-memory.dmp
memory/1820-114-0x000001D6E4860000-0x000001D6E4861000-memory.dmp
memory/1820-113-0x000001D6E4860000-0x000001D6E4861000-memory.dmp
memory/1820-112-0x000001D6E4860000-0x000001D6E4861000-memory.dmp
memory/1820-111-0x000001D6E4860000-0x000001D6E4861000-memory.dmp
memory/1820-110-0x000001D6E4860000-0x000001D6E4861000-memory.dmp
memory/1820-108-0x000001D6E4860000-0x000001D6E4861000-memory.dmp
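The three observations that separate behavioral29 from the other tasks are who spawned what: an executable under the user's AppData tree launching cmd.exe /d /s /c "tasklist", the same executable launching cmd.exe /d /s /c "powershell.exe ... ProtectedData]::Unprotect([byte[]]@(...), $null, 'CurrentUser')", and a file created in the Start Menu\Programs\Startup folder by that executable. The cmd.exe /d /s /c "..." wrapper is the form Node.js child_process.exec produces on Windows, so a hunt should key on the command that is run and on the ancestor that ran it rather than on the switches. The detection below is an added example written for this page, not the sandbox's signature logic; it runs over constructed process-creation and file-creation events modelled on the behavioral29 tree (PIDs are invented, image paths and command lines are the ones the report lists, and the DPAPI byte array is shortened to its first eight bytes), with one of the benign OpenWith.exe tasks included as a control.

```python
import re
from collections import defaultdict

# Constructed telemetry modelled on the behavioral29 process tree in the report.
# PIDs are invented; the image paths and command lines are the ones the report lists.
PROCESS_EVENTS = [
    # (pid, ppid, image, command line)
    (6100, 6000, r"C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe"'),
    (6110, 6100, r"C:\Windows\system32\cmd.exe",
     r'C:\Windows\system32\cmd.exe /d /s /c "tasklist"'),
    (6111, 6110, r"C:\Windows\system32\tasklist.exe", "tasklist"),
    (6120, 6100, r"C:\Windows\system32\cmd.exe",
     r'''C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223), $null, 'CurrentUser')"'''),
    (6121, 6120, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r'''powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223), $null, 'CurrentUser')'''),
    # Benign control modelled on behavioral17: the harness opening a locale file.
    (7100, 7000, r"C:\Windows\system32\cmd.exe",
     r"cmd /c C:\Users\Admin\AppData\Local\Temp\locales\de.pak"),
    (7101, 7100, r"C:\Windows\system32\OpenWith.exe",
     r"C:\Windows\system32\OpenWith.exe -Embedding"),
]
FILE_CREATE_EVENTS = [
    # (pid, path created)
    (6100, r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runtimebroker.exe"),
]

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
# DPAPI decryption of a blob embedded in the command line itself.
DPAPI_UNPROTECT = re.compile(r"ProtectedData\]::Unprotect\s*\(\s*\[byte\[\]\]@\(", re.I)
TASKLIST = re.compile(r'/c\s+"?tasklist"?', re.I)


def hunt(proc_events, file_events):
    """Return {pid: [rule names]} for user-writable executables that own suspicious activity."""
    by_pid = {pid: (ppid, image, cmd) for pid, ppid, image, cmd in proc_events}

    def owner(pid):
        # Walk up the tree until an image under AppData is found; that process gets the blame.
        while pid in by_pid:
            ppid, image, _ = by_pid[pid]
            if USER_WRITABLE.search(image):
                return pid
            pid = ppid
        return None

    hits = defaultdict(set)
    for pid, _, image, cmd in proc_events:
        if DPAPI_UNPROTECT.search(cmd) and (o := owner(pid)) is not None:
            hits[o].add("dpapi_unprotect_inline_blob")
        if image.lower().endswith("\\cmd.exe") and TASKLIST.search(cmd) and (o := owner(pid)) is not None:
            hits[o].add("process_discovery_via_tasklist")
    for pid, path in file_events:
        if STARTUP_DIR.search(path) and pid in by_pid and USER_WRITABLE.search(by_pid[pid][1]):
            hits[pid].add("startup_folder_drop")
    return {pid: sorted(rules) for pid, rules in hits.items()}


if __name__ == "__main__":
    for pid, rules in hunt(PROCESS_EVENTS, FILE_CREATE_EVENTS).items():
        print(pid, rules)
```

Both the cmd.exe wrapper and the powershell.exe child match the DPAPI pattern, so rule names are collected in a set per owning process; that keeps the score per executable rather than per layer of shell. The control task produces no hit because cmd /c on a .pak file matches none of the patterns and has no AppData-resident ancestor.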
Analysis: behavioral31
Detonation Overview
Submitted
2024-06-13 02:00
Reported
2024-06-13 02:06
Platform
win11-20240508-en
Max time kernel
141s
Max time network
159s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\vulkan-1.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 52.111.229.19:443 | | tcp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-06-13 02:00
Reported
2024-06-13 02:06
Platform
win11-20240611-en
Max time kernel
83s
Max time network
95s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\locales\af.pak
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-06-13 02:00
Reported
2024-06-13 02:06
Platform
win11-20240508-en
Max time kernel
140s
Max time network
160s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\locales\am.pak
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-06-13 02:00
Reported
2024-06-13 02:06
Platform
win11-20240611-en
Max time kernel
143s
Max time network
158s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\locales\bn.pak
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-06-13 02:00
Reported
2024-06-13 02:06
Platform
win11-20240508-en
Max time kernel
141s
Max time network
157s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\locales\da.pak
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-06-13 02:00
Reported
2024-06-13 02:06
Platform
win11-20240611-en
Max time kernel
24s
Max time network
122s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\locales\fi.pak
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
Files
Analysis: behavioral27
Detonation Overview
Submitted
2024-06-13 02:00
Reported
2024-06-13 02:06
Platform
win11-20240508-en
Max time kernel
140s
Max time network
161s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\locales\fr.pak
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 52.111.229.19:443 | | tcp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-13 02:00
Reported
2024-06-13 02:06
Platform
win11-20240611-en
Max time kernel
132s
Max time network
144s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1356 wrote to memory of 1480 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1356 wrote to memory of 1480 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1356 wrote to memory of 1480 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1480 -ip 1480
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 460
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 54.120.234.20.in-addr.arpa | udp |
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-06-13 02:00
Reported
2024-06-13 02:06
Platform
win11-20240508-en
Max time kernel
123s
Max time network
144s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\locales\ca.pak
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-13 02:00
Reported
2024-06-13 02:06
Platform
win11-20240508-en
Max time kernel
109s
Max time network
130s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\chrome_100_percent.pak
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 52.111.227.14:443 | | tcp |
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-06-13 02:00
Reported
2024-06-13 02:06
Platform
win11-20240508-en
Max time kernel
141s
Max time network
160s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\locales\es-419.pak
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 02:00
Reported
2024-06-13 02:06
Platform
win11-20240508-en
Max time kernel
150s
Max time network
157s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runtimebroker.exe | C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
An obfuscated cmd.exe command-line is typically used to evade detection.
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Enumerates physical storage devices
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Vanta-Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Vanta-Loader.exe"
C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\tasklist.exe
tasklist
C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
"C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\runtimebroker" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1580 --field-trial-handle=1816,i,18007302280071036167,2876125629520911356,131072 --disable-features=BlinkSchedulerMicroTaskQueuePerWindowAgent,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
"C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\runtimebroker" --mojo-platform-channel-handle=2028 --field-trial-handle=1816,i,18007302280071036167,2876125629520911356,131072 --disable-features=BlinkSchedulerMicroTaskQueuePerWindowAgent,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,189,199,101,39,143,219,102,72,176,113,22,99,239,18,130,233,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,156,145,177,22,49,87,182,246,181,239,136,151,196,194,222,150,156,83,117,13,197,27,239,204,239,4,239,124,182,130,186,59,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,39,70,119,208,213,67,152,61,239,184,191,77,72,18,165,228,117,148,72,4,73,222,1,177,125,201,26,198,36,143,215,63,48,0,0,0,234,75,24,187,54,18,74,138,222,45,103,111,194,148,182,185,193,201,14,160,45,72,22,66,207,12,223,36,170,254,248,29,130,76,62,60,194,135,72,135,123,188,161,161,230,199,157,59,64,0,0,0,96,23,145,250,147,31,1,128,61,138,215,90,139,172,122,33,156,152,240,61,210,151,12,32,118,17,130,25,142,234,25,177,44,180,238,127,225,24,209,92,91,129,162,84,33,154,45,4,63,167,227,152,143,48,38,72,34,11,254,65,42,233,205,152), $null, 'CurrentUser')"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,189,199,101,39,143,219,102,72,176,113,22,99,239,18,130,233,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,156,145,177,22,49,87,182,246,181,239,136,151,196,194,222,150,156,83,117,13,197,27,239,204,239,4,239,124,182,130,186,59,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,39,70,119,208,213,67,152,61,239,184,191,77,72,18,165,228,117,148,72,4,73,222,1,177,125,201,26,198,36,143,215,63,48,0,0,0,234,75,24,187,54,18,74,138,222,45,103,111,194,148,182,185,193,201,14,160,45,72,22,66,207,12,223,36,170,254,248,29,130,76,62,60,194,135,72,135,123,188,161,161,230,199,157,59,64,0,0,0,96,23,145,250,147,31,1,128,61,138,215,90,139,172,122,33,156,152,240,61,210,151,12,32,118,17,130,25,142,234,25,177,44,180,238,127,225,24,209,92,91,129,162,84,33,154,45,4,63,167,227,152,143,48,38,72,34,11,254,65,42,233,205,152), $null, 'CurrentUser')
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,189,199,101,39,143,219,102,72,176,113,22,99,239,18,130,233,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,228,10,115,103,22,183,210,38,40,50,13,146,95,130,70,82,117,210,39,116,255,113,254,200,204,180,155,254,218,120,238,92,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,14,211,90,143,79,233,109,49,253,39,186,10,211,190,41,141,28,209,159,136,34,170,181,204,135,232,48,84,233,38,237,148,48,0,0,0,4,116,76,23,118,185,38,240,36,181,38,222,22,198,80,248,253,57,90,197,154,222,5,91,192,208,90,235,183,154,85,142,157,163,92,175,82,247,64,11,135,116,153,33,127,226,24,116,64,0,0,0,218,205,69,72,34,222,225,189,121,165,103,7,73,192,7,120,240,245,68,200,29,84,225,60,12,33,248,33,247,195,91,195,136,46,221,183,208,234,58,247,1,219,195,58,69,188,121,59,114,40,186,129,248,81,86,56,241,79,159,219,41,32,41,19), $null, 'CurrentUser')"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,189,199,101,39,143,219,102,72,176,113,22,99,239,18,130,233,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,228,10,115,103,22,183,210,38,40,50,13,146,95,130,70,82,117,210,39,116,255,113,254,200,204,180,155,254,218,120,238,92,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,14,211,90,143,79,233,109,49,253,39,186,10,211,190,41,141,28,209,159,136,34,170,181,204,135,232,48,84,233,38,237,148,48,0,0,0,4,116,76,23,118,185,38,240,36,181,38,222,22,198,80,248,253,57,90,197,154,222,5,91,192,208,90,235,183,154,85,142,157,163,92,175,82,247,64,11,135,116,153,33,127,226,24,116,64,0,0,0,218,205,69,72,34,222,225,189,121,165,103,7,73,192,7,120,240,245,68,200,29,84,225,60,12,33,248,33,247,195,91,195,136,46,221,183,208,234,58,247,1,219,195,58,69,188,121,59,114,40,186,129,248,81,86,56,241,79,159,219,41,32,41,19), $null, 'CurrentUser')
C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe
"C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\runtimebroker.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --user-data-dir="C:\Users\Admin\AppData\Roaming\runtimebroker" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1832 --field-trial-handle=1816,i,18007302280071036167,2876125629520911356,131072 --disable-features=BlinkSchedulerMicroTaskQueuePerWindowAgent,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.gofile.io | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | api.gofile.io | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| IE | 52.111.236.22:443 | | tcp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\System.dll
C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\nsis7z.dll
C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\chrome_100_percent.pak
C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\chrome_200_percent.pak
C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\ffmpeg.dll
C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\LICENSE.electron.txt
C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\libGLESv2.dll
C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\libEGL.dll
C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\icudtl.dat
C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\d3dcompiler_47.dll
C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\LICENSES.chromium.html
C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\resources.pak
C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\v8_context_snapshot.bin
C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\snapshot_blob.bin
C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\vk_swiftshader_icd.json
C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\vk_swiftshader.dll
C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\vulkan-1.dll
C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\af.pak
C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\am.pak
C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\ar.pak
C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\bn.pak
C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\ca.pak
C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\bg.pak
C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\cs.pak
C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\da.pak
C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\en-GB.pak
C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\en-US.pak
C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\el.pak
C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\de.pak
C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\fr.pak
C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\lt.pak
C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\nl.pak
C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\nb.pak
C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\ms.pak
C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\mr.pak
C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\sw.pak
C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\sv.pak
C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\sr.pak
C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\sl.pak
C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\sk.pak
C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\ru.pak
C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\ro.pak
C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\pt-PT.pak
C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\zh-TW.pak
| MD5 | c651e23053764c38a4e8a7f34317f19b |
| SHA1 | 93cd303c91024748d283c3779f11402cfb4f5c0b |
| SHA256 | 9689ba3f2dc7248a3ab5db3b97d473e29464afbc7f2d1c7035f7e8e9a1c05aa4 |
| SHA512 | 1b7951fc4dcc2c08811dd3449fe2ce1302286b3eca21675adefa25a806ae7dcf91c565a111032fc5fda4dd9f5231875f0c77cdfd22ecc7d435450080d853a503 |
C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\zh-CN.pak
| MD5 | 0d5b72258b56c584113a022e16777387 |
| SHA1 | 77f91e8c36befb818229ef8fef068e97f60ecf0f |
| SHA256 | 539f0bfdb461bf777aab14a4baaf47c8c32ae1856cc4ac93b23ce73dc50ba02a |
| SHA512 | 632c4ca60529c717fb2ba700d8f12017d097e67045639e2c30144a0372cecf595a2727d3505f019b91e8a15fe3259f2727bfb24e970dea8080a11e1a3dfa2068 |
C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\vi.pak
| MD5 | ebb5db1dbb64895b1a25120d5ac9b5e4 |
| SHA1 | 810fa53a97fe42994f8a68698d582651d69cfd51 |
| SHA256 | ef3ddadb90dc73b73e25e9608626ce68d6778445812b8bd2f6c81e1f1e4bff16 |
| SHA512 | fba594183c7b672204330ca698f1e195026fc51d4e05db2c49e58a896c3b5e11e23286be0d6ffae3ec321e6c08322544df3c876dbce3c2e69a951985a84a2c91 |
C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\ur.pak
| MD5 | 1ca4fa13bd0089d65da7cd2376feb4c6 |
| SHA1 | b1ba777e635d78d1e98e43e82d0f7a3dd7e97f9c |
| SHA256 | 3941364d0278e2c4d686faa4a135d16a457b4bc98c5a08e62aa12f3adc09aa7f |
| SHA512 | d0d9eb1aa029bd4c34953ee5f4b60c09cf1d4f0b21c061db4ede1b5ec65d7a07fc2f780ade5ce51f2f781d272ac32257b95eedf471f7295ba70b5ba51db6c51d |
C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\uk.pak
| MD5 | 88d51b6df9f3cec54eda732dcf2c63fa |
| SHA1 | a826200f112d5c69f1aa5837bc40d4c423515029 |
| SHA256 | e914b8956745a14d9d64f12698805e0910f9d3581dd380468949b54576fad2a6 |
| SHA512 | 3ed8f2090497597d4e2583901993331de19f9dc787ea886dabdaf22a79aefa2956e63501c9a50be34fabf7287b6751f50d9a5105e4f16a579961ebc0d6eff14e |
C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\tr.pak
| MD5 | 1525dd38ca529c56f9d3e08293385690 |
| SHA1 | e0dfb9d60a3469d701dcb9ead8f8cd2cfe6fd604 |
| SHA256 | 5a7e1c8b572f67ed40e9d5107ddd6f8791b03138bb9933cfb26f1678b2c4a9cd |
| SHA512 | 195ffc165e45a51c12b03252759c5e1ff684e57b5994aeca608d40ef6799f29812add6fb2479e8e8c1655799f4dbf29e47272324b857b9161ad43a1b271eddfd |
C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\th.pak
| MD5 | f9ff2275865f2cdebb9b0d19d4fb57a1 |
| SHA1 | e83c6c8e0005bf34771af3f1c0c9d8ebaa822f95 |
| SHA256 | 3d4556bc0f26b89d090a8a779a8fda8f6fbe157a23181cbfb1d6c67a6212b864 |
| SHA512 | 96f596bb564e62bbafe62774fba1cefa644feff47a331e54cd7dc9b85b29f2a2e8e785e85d90cccc27f9a1c735b0a8c6dbe01fa244601f1359194f64a49ee6d0 |
C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\te.pak
| MD5 | 41e49a1ef6850d90e0cbdc720c45ea5a |
| SHA1 | a2fbe1585a1b653ac6acccaf6184ae2de3e007af |
| SHA256 | aa2b9d1ad8591e91872c3fee62b111b74d6e7e890a47d0bcc388947ae5245290 |
| SHA512 | 687ff66471248104f8780f142e1810ccc7275857e4bd188447d01cecbe74ebac4070ab135d4a7111bc5f4ae17247dd865f21a2d3e73031534dac1f5117bc4570 |
C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\ta.pak
| MD5 | 292f763cb8eb588659eb7cc25cf57d2e |
| SHA1 | dc42622f272843cb3afce9968146b85a98485237 |
| SHA256 | d5bfe0699342b8bba6c4c73c115b1c7f3f903c4ed95d77461c34369f2f60d5ee |
| SHA512 | 100ec32914f0d140baa414180cb2ba34e95f75ab73a0c036d6d5ebb64cc69b2b7c62b9e3f9de192bab8ddac3b387b953bed2ca1fd3bf0aab0198b9c1f2911151 |
C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\pt-BR.pak
| MD5 | 3701247a5ac607053278aea185ee6616 |
| SHA1 | 8cb40ddd4865347677f8d327792c6edb69012f76 |
| SHA256 | 7f41c3a58d08d98f21232e7c85839c9dec0053b447bb4dae867d2faadb278d45 |
| SHA512 | 637070ebc4411fb92bef5ff75eff46602db8ed59021f37f1a0d8201093f047419c558ec1af49c4dbbb4f58e7169e2f2cf04af7e1d11a57d39ab1cf036cb8497c |
C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\pl.pak
| MD5 | fbc79131a645b3853b4fa97c2b589a07 |
| SHA1 | 91c6d4386384efa9074956b9e811a0aac385aa4e |
| SHA256 | 0948238576efb502327af4040c1d9eb1346fbf1bdcee35cd46746b170a7ea6a7 |
| SHA512 | 0559d787bb7e4fa32a70c19cf0d1b2962d3869363904c13f345ef733f1193c73a13bad9600d7a5ffacf60b92cd97c27e27f7c4b7e143d0925fb358498c92f8cf |
C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\ko.pak
| MD5 | 54ace51d8b687e36a66a2bfde258a550 |
| SHA1 | 1b2fe7c62e3f2c7deede2034e44980e02afa3b4d |
| SHA256 | 8d131066e2fa004e11f9128162bfc354d3254381059d6c852bf88a55859ae3e8 |
| SHA512 | 50b825a88d646a32a4d620bcdf5ce490c8dfbea628c5256a6918dc647c42385f955396ec5d3b32cfdb50153897cf303cd517bc9f62663b14def2dae42229f640 |
C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\kn.pak
| MD5 | fccd5d8ad5e1c774771b19dda55d9b9a |
| SHA1 | fabbaf469e4aec44342a7e6f74b837cde2203b71 |
| SHA256 | 47c77fdf73267865a025a54027865a8d67e26943264a43c6e794ccbd6eec549b |
| SHA512 | c9dc6cf0ff5a4094cc07ce4881319778a076b44651b16a220940d7a587ffaa92b6b80f7264605a3c8e6dd780e9c3d8e4d403d01cd8f94e0122ac19cd4d636aac |
C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\ja.pak
| MD5 | e9133185d2339d0a2f68c4c739eb3615 |
| SHA1 | cfa6db85ec99bb38b734254b7d4a83d12ee5cd00 |
| SHA256 | ba2acb635671a48ed0bf8cdc6e0a0318cfb33eb74b4171c6b483b95f2a167bc5 |
| SHA512 | e89c886a601943d2089bad27ce9458f95929fd39fd2f88da0545f71e9d18a678eafc303630d0f94ab3af7c77ad19fabdb2616a2d004151232bc6ce1ae8e4c46e |
C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\it.pak
| MD5 | 8cde7372fc5095e581bf64fb77e04d61 |
| SHA1 | 0d30e0ae2c401a06ffb4056bab44d2b5d3970492 |
| SHA256 | d011fd39c3cbab740a7944a60a8dd48d6f76c563ea473cfd1f569c5e6fc9fa4e |
| SHA512 | 83778880ad95b39b5746d512aa116b05928f580f0c5e75b45cddcb80addb24cf079f73f65771e1d75ca18925ea6fdb86283aa060af2cd1308dee53ee728f76e8 |
C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\id.pak
| MD5 | 366d1b2c3759d6ff9c588f53ec9a7c5b |
| SHA1 | e9d5c6e8311c6f7b7c4ad997db0cec5c11cfd754 |
| SHA256 | 0853a5543923b7a8db5989ebb8ebe8f9fb6271bfa59b94f5843f97de4401e2d8 |
| SHA512 | 879e72625fd112cec85a6489c590d7e89c65753d2beee259f7393e7377729d40bbb8cd0a2a9fcfde93d14c2cc9a97879312e60ab26035970a632e36d2f8d9e53 |
C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\hu.pak
| MD5 | 2aa0a175df21583a68176742400c6508 |
| SHA1 | 3c25ba31c2b698e0c88e7d01b2cc241f0916e79a |
| SHA256 | b59f932df822ab1a87e8aab4bbb7c549db15899f259f4c50ae28f8d8c7ce1e72 |
| SHA512 | 03a16feb0601407e96bcb43af9bdb21e5218c2700c9f3cfd5f9690d0b4528f9dc17e4cc690d8c9132d4e0b26d7faafd90aa3f5e57237e06fb81aab7ab77f6c03 |
C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\hr.pak
| MD5 | cbca0ad35cfa5c4b852cc8f556706b0b |
| SHA1 | 608d2e11a40e5e15a2840e248a249d1562ba9846 |
| SHA256 | 6ea4b1a28cf567cca73ccdb7eec631fffba3b49acc41e3c88b448514578d80da |
| SHA512 | 5b6f01c10d613f278d507d43fb0c708b32fd486d9b5a5f31a9837d0b1025da6ff85772b8f39e192cd8625d363be570565fd4eaf0f8d11c17ad6cbd956893022b |
C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\hi.pak
| MD5 | bc777a1010c846906d05d75d82f5dea9 |
| SHA1 | 73bbeeda37164845ca3f4f2827165b4023f8a194 |
| SHA256 | ccf7a557d0f8353ff3d656d4c2a4fca2d462ed2cc3d18c599d98f4d57b23c615 |
| SHA512 | e6a01b80adfa31fa93d48fc4f1ba9222d21b8ed7734e664e4f274843b46d826ec8863483c0e8647e39ad85988dfe0a2848d32a26ce1fdd8a0eb85e4fe64be292 |
C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\he.pak
| MD5 | c6937badd93ff4ae6f6a2c9e31f678d5 |
| SHA1 | b3175d7bebe340ab08e0d8e85d550a076b073c55 |
| SHA256 | 3cd4440501bc67d0b2e33e1346ba133fb9a09a8762f2334732f8cc349cd840b7 |
| SHA512 | db232d7da04b4a854fd399fa04779469ec6fd0a752c4da7b2eed6d1aeaca4a096130fe326c91d777131d1a8ba32637d884e518f1522e9658d233a35e5eef9397 |
C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\gu.pak
| MD5 | 9e189d21ad5843b69c352466c94cdc4c |
| SHA1 | 99af98cc510abe726b54f28488f647ea6f7d4c91 |
| SHA256 | 9c210e3143f99df59bebea6bdb6e30959f8520d59a20fffd437f7029840bb3a9 |
| SHA512 | c3007f45ec20c3c3e763f20be1a5557f548a28757cb032617c20fe7d44b7524368b75b8182de243048aa56b939b2a790b5b85cf359b009c4c20c41089e8992e8 |
C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\fil.pak
| MD5 | d7df2ea381f37d6c92e4f18290c6ffe0 |
| SHA1 | 7cacf08455aa7d68259fcba647ee3d9ae4c7c5e4 |
| SHA256 | db4a63fa0d5b2baba71d4ba0923caed540099db6b1d024a0d48c3be10c9eed5a |
| SHA512 | 96fc028455f1cea067b3a3dd99d88a19a271144d73dff352a3e08b57338e513500925787f33495cd744fe4122dff2d2ee56e60932fc02e04feed2ec1e0c3533f |
C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\fi.pak
| MD5 | 7243727348009668ded33dd0109118c3 |
| SHA1 | aa19e2e340c8328132d12ff79d8fd6b02c512a48 |
| SHA256 | 6581fca26336f66d8ba898ec1253b237db30e7cd1a25fc788290d7ace96fa6e1 |
| SHA512 | e890346915c0891a9f49640f232f6633e25655b969911a6697adfea709cec59bb925678e0b97424936c59d523c3ee9e2dc23f115e20c45ca3ed51ae691d0d7f0 |
C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\fa.pak
| MD5 | e861a65f12b38a3def1fe9e933cae275 |
| SHA1 | 8d083b5902a15a63ef11c7783f12e088d333fcf5 |
| SHA256 | f9a8e3b9bbc809f11cc3dc32811940e033bd78a31ec154d28321473f8efa1e4d |
| SHA512 | d1fe91c693c794b4a4d60560800c919977654832e8f6e34fb1ec0ffbf5c411cf35b0a0e22e036dca48a246ab8d6bea0427c5ceb232d460e9c59cf4163d55314c |
C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\et.pak
| MD5 | 8b3cb5e4b8ac769bde84e5c375c1774e |
| SHA1 | 53665908d6ec12095abd766911d8abcc84c6da58 |
| SHA256 | c351b84558214420495bed6d882d37496483cc66b0e10400ca872e3fc4145b66 |
| SHA512 | b0dff640d32e5c277f2d3441abf823e8859f28f215cfc63fde8a968cbc9b9531aa0394e10fa98284d186323e3357ea2265d762dc034be86bb50f5c55630ab4c5 |
C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\es.pak
| MD5 | e42486833449ea57261d5bbdabb8b4e2 |
| SHA1 | 09734ed71302c7a3bf5f84dee1dfab7732bc0745 |
| SHA256 | d539c88c4493cb1d9eae600611e3119fe129ec95149049f4b62fc3a97d78ca61 |
| SHA512 | 8ad283323c3f2e7a9d2e33eb86c371be6a9e29d9243e0d74d5936606692367212f81825d5c313a8859ff8de84eb6d23cbfc577ca47185392da803717f29e8b24 |
C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\es-419.pak
| MD5 | a510ff6703676bacde7e528823878018 |
| SHA1 | 6551a7dac1c3fcd839b8d7c6ca92470f30a93d0d |
| SHA256 | 77114f519743741a488a9b57cdc7190f0507c37dc3b29811704a048172ba6736 |
| SHA512 | e9b75bc92eb077db57f906ef544b2339c4eb4f6eddf65d2570c36a00ab4b8a167a53e869d81150a7d097ecbf4ba19625ad4228f133392cc850352fe66fea47e0 |
C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\ml.pak
| MD5 | 038b9eb34737bf472fde68b91a40f122 |
| SHA1 | 64771e91d4fdac0b909c6f446cc2f310be7d1320 |
| SHA256 | 27b7947e36a521403de094cc563d5eced1e46f98e4d6b872fd424352f798e84d |
| SHA512 | 3c96b42ab838f2ad5434e719f5906427a5fb327967d04c8498f3af4e913de833ac9cce6545fcfe0de2dc920cdf54c8b31c1d1527f609f90bcf9728d7bdbaac7d |
C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\locales\lv.pak
| MD5 | 4468d6a6114d5a7ea3c1173ae9a8250d |
| SHA1 | ef664a6a140fb7a244bce44ff8c73250856d8061 |
| SHA256 | 0ff66161377be2fb8b2b456a64dd910d8375a2b9f1f6f22333540a77111903d6 |
| SHA512 | db4179b53cd44f297f5455a167ceccdd2a384c5296311346fa53f15ef5acab76cd166df13dbdf22b0c85a66455f22218e88c02fda2c5e2f863b9f4e7ea6e9a56 |
C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\7z-out\resources\elevate.exe
| MD5 | 792b92c8ad13c46f27c7ced0810694df |
| SHA1 | d8d449b92de20a57df722df46435ba4553ecc802 |
| SHA256 | 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37 |
| SHA512 | 6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40 |
C:\Users\Admin\AppData\Local\Temp\nsi8221.tmp\StdUtils.dll
| MD5 | c6a6e03f77c313b267498515488c5740 |
| SHA1 | 3d49fc2784b9450962ed6b82b46e9c3c957d7c15 |
| SHA256 | b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e |
| SHA512 | 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803 |
C:\Users\Admin\AppData\Local\Temp\6796560e-abd9-4823-9b78-6813151ef2d3.tmp.node
| MD5 | aa8da32ebca307d4f99cf2da290afd22 |
| SHA1 | 8590c0b54987ad6b0bc15a1aa66b9d2ca65ca899 |
| SHA256 | ed3a86d32e83849720e150c18c4d19c90cabe912d674624f34051c19936167db |
| SHA512 | d7809a39922d99a716744e6cc17e4094930c40a8a21c983830c3570c4e52846151d66ad5d6021bc2a5b5fd29f520465b7b88f71cb86c30e0fadc4d0fb21ee1d7 |
C:\Users\Admin\AppData\Local\Temp\4d4696d7-9272-44fd-8827-c191742215c3.tmp.node
| MD5 | 04bfbfec8db966420fe4c7b85ebb506a |
| SHA1 | 939bb742a354a92e1dcd3661a62d69e48030a335 |
| SHA256 | da2172ce055fa47d6a0ea1c90654f530abed33f69a74d52fab06c4c7653b48fd |
| SHA512 | 4ea97a9a120ed5bee8638e0a69561c2159fc3769062d7102167b0e92b4f1a5c002a761bd104282425f6cee8d0e39dbe7e12ad4e4a38570c3f90f31b65072dd65 |
memory/3768-568-0x00000188CDFE0000-0x00000188CE002000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xogcoy1q.2ti.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3768-572-0x00000188CE100000-0x00000188CE150000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | f69f145ee494b2d67c5d50108c862d4a |
| SHA1 | 68f36b9bd553beb2a7eec5f4a8fef317703c77e1 |
| SHA256 | 06dd71fdfda7e319131bf98bd21dc6bee9a480736ab688e52bafe10074f00fc7 |
| SHA512 | 302489f1e2676d83cf9cf92d378176a230f15975af12e2a2a50d9c057f4de0fc2c22f68a9390f5b337eaa10ea77366a1a79e71808de1e7a7c4e6432aeb75c530 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | df739ecbffb92fdaa51ac0793434acaf |
| SHA1 | fdbb8742670c2db6b00d45ce5bd8c19bf17536ac |
| SHA256 | eaa1143dd26a969e19beb89528d057f6af4d344fe540820b81f1036b2c0fcbfc |
| SHA512 | 5a8ea65354e14fbf9011bb0e4cc1625bc245acc3fd893970cf0f64f1625d4c182518fbf679365ce9dfbdbbecf1b48e9004010da6ea4b5fce098532f1fb39daf7 |
C:\Users\Admin\AppData\Local\Temp\2hJYaD3I6jrGKc1bA9tqqB9eokr\xx_lol\Browser.zip
| MD5 | 76cdb2bad9582d23c1f6f4d868218d6c |
| SHA1 | b04f3ee8f5e43fa3b162981b50bb72fe1acabb33 |
| SHA256 | 8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85 |
| SHA512 | 5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f |
memory/1524-606-0x00000260A2650000-0x00000260A2651000-memory.dmp
memory/1524-608-0x00000260A2650000-0x00000260A2651000-memory.dmp
memory/1524-607-0x00000260A2650000-0x00000260A2651000-memory.dmp
memory/1524-618-0x00000260A2650000-0x00000260A2651000-memory.dmp
memory/1524-617-0x00000260A2650000-0x00000260A2651000-memory.dmp
memory/1524-616-0x00000260A2650000-0x00000260A2651000-memory.dmp
memory/1524-615-0x00000260A2650000-0x00000260A2651000-memory.dmp
memory/1524-614-0x00000260A2650000-0x00000260A2651000-memory.dmp
memory/1524-613-0x00000260A2650000-0x00000260A2651000-memory.dmp
memory/1524-612-0x00000260A2650000-0x00000260A2651000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 02:00
Reported
2024-06-13 02:05
Platform
win11-20240508-en
Max time kernel
144s
Max time network
159s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2244 wrote to memory of 3868 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2244 wrote to memory of 3868 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2244 wrote to memory of 3868 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 3868 -ip 3868
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 536
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-13 02:00
Reported
2024-06-13 02:06
Platform
win11-20240611-en
Max time kernel
85s
Max time network
94s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\icudtl.dat
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-06-13 02:00
Reported
2024-06-13 02:06
Platform
win11-20240611-en
Max time kernel
149s
Max time network
156s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\locales\es.pak
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| N/A | 199.232.210.172:80 | N/A | tcp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-06-13 02:00
Reported
2024-06-13 02:06
Platform
win11-20240611-en
Max time kernel
149s
Max time network
157s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\locales\bg.pak
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 52.111.227.11:443 | N/A | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-06-13 02:00
Reported
2024-06-13 02:06
Platform
win11-20240419-en
Max time kernel
131s
Max time network
152s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\locales\el.pak
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-06-13 02:00
Reported
2024-06-13 02:06
Platform
win11-20240611-en
Max time kernel
141s
Max time network
160s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\locales\fa.pak
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 54.120.234.20.in-addr.arpa | udp |
Files
Analysis: behavioral30
Detonation Overview
Submitted
2024-06-13 02:00
Reported
2024-06-13 02:06
Platform
win11-20240611-en
Max time kernel
147s
Max time network
156s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\vk_swiftshader.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |