Malware Analysis Report

2024-10-18 22:29

Sample ID 240922-bhe16svbnp
Target 3260c1e806429a61577901fcdf070a19d150730fbfc12c626279fd032d1b0d30.exe
SHA256 3260c1e806429a61577901fcdf070a19d150730fbfc12c626279fd032d1b0d30
Tags
execution discovery zloader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral32

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral29

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral31

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral30

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3260c1e806429a61577901fcdf070a19d150730fbfc12c626279fd032d1b0d30

Threat Level: Known bad

The file 3260c1e806429a61577901fcdf070a19d150730fbfc12c626279fd032d1b0d30.exe was found to be: Known bad.

Malicious Activity Summary

execution discovery zloader

Zloader family

Executes dropped EXE

Loads dropped DLL

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Enumerates processes with tasklist

Program crash

Unsigned PE

Command and Scripting Interpreter: PowerShell

Browser Information Discovery

Command and Scripting Interpreter: JavaScript

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-22 01:09

Signatures

Zloader family

zloader

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-09-22 01:08

Reported

2024-09-22 01:13

Platform

win10v2004-20240802-en

Max time kernel

151s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe"

Signatures

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3316 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe
PID 3316 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe
PID 3316 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe
PID 3316 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe
PID 3316 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe
PID 3316 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe
PID 3316 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe
PID 3316 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe
PID 3316 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe
PID 3316 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe
PID 3316 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe
PID 3316 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe
PID 3316 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe
PID 3316 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe
PID 3316 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe
PID 3316 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe
PID 3316 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe
PID 3316 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe
PID 3316 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe
PID 3316 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe
PID 3316 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe
PID 3316 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe
PID 3316 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe
PID 3316 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe
PID 3316 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe
PID 3316 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe
PID 3316 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe
PID 3316 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe
PID 3316 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe
PID 3316 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe
PID 3316 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe
PID 3316 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe
PID 3316 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe
PID 3316 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe

Processes

C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe

"C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4336,i,16316361669272684588,6171287487746154806,262144 --variations-seed-version --mojo-platform-channel-handle=1040 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe

"C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\patcher" --gpu-preferences=UAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2124,i,16807973909957545211,8435006259466585728,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2112 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe

"C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\patcher" --field-trial-handle=2344,i,16807973909957545211,8435006259466585728,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2332 /prefetch:3

C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe

"C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\patcher" --gpu-preferences=UAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAhAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2812,i,16807973909957545211,8435006259466585728,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1060 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

memory/2116-7-0x00000194E7470000-0x00000194E7471000-memory.dmp

memory/2116-6-0x00000194E7470000-0x00000194E7471000-memory.dmp

memory/2116-5-0x00000194E7470000-0x00000194E7471000-memory.dmp

memory/2116-11-0x00000194E7470000-0x00000194E7471000-memory.dmp

memory/2116-15-0x00000194E7470000-0x00000194E7471000-memory.dmp

memory/2116-17-0x00000194E7470000-0x00000194E7471000-memory.dmp

memory/2116-16-0x00000194E7470000-0x00000194E7471000-memory.dmp

memory/2116-14-0x00000194E7470000-0x00000194E7471000-memory.dmp

memory/2116-13-0x00000194E7470000-0x00000194E7471000-memory.dmp

memory/2116-12-0x00000194E7470000-0x00000194E7471000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-09-22 01:08

Reported

2024-09-22 01:13

Platform

win7-20240903-en

Max time kernel

4s

Max time network

17s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\sqlite3\build\Release\node_sqlite3.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1120 wrote to memory of 2236 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 1120 wrote to memory of 2236 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 1120 wrote to memory of 2236 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\sqlite3\build\Release\node_sqlite3.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1120 -s 84

Network

N/A

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-09-22 01:08

Reported

2024-09-22 01:12

Platform

win7-20240903-en

Max time kernel

121s

Max time network

127s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\sqlite3\deps\extract.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\sqlite3\deps\extract.js

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-09-22 01:08

Reported

2024-09-22 01:12

Platform

win7-20240903-en

Max time kernel

121s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 220

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-09-22 01:08

Reported

2024-09-22 01:12

Platform

win10v2004-20240802-en

Max time kernel

145s

Max time network

159s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 171.117.168.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-09-22 01:08

Reported

2024-09-22 01:13

Platform

win10v2004-20240802-en

Max time kernel

91s

Max time network

136s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-09-22 01:08

Reported

2024-09-22 01:13

Platform

win7-20240903-en

Max time kernel

122s

Max time network

144s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0ef91488c0cdb01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{73A89331-787F-11EF-BBB7-C6DA928D33CD} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a7e3310a2b0e6e498bd88e48ec67abf600000000020000000000106600000001000020000000e294d3393e730f7045505b2bc2189062330ddd42d62eee2032c7ec0d598f4c6f000000000e80000000020000200000001ae0698087afb455afde832cd8bc7ebe06571c07e3e9d6a6fb676c01e3147e36900000001d26a88c1e8c9f34f58cbe93918761c0aca939a54fd3d891a41cb278ac71ab56f4f132e65707b4446066e58e2f9b7296a45adad9189dae32073de16575f74ae8604a39b5572616019c41c7d0d668efe20b8975a4f29bc1c269159cb90ea71691e77bc2e0e96370c9d26988d6d06eca4550490765cf726067edfdfc9f7d932a54a7db98c9871b6a96109853f467769f72400000006414b6a87bc2a36442bda5e8c6293ef5d2da3e7a58bad56b2c1bdcf96fa4f61899fdd0279dff05a875d5e620c1376ce7b6fc207dcb314bc58e5223ede1b080d1 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "433129306" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a7e3310a2b0e6e498bd88e48ec67abf600000000020000000000106600000001000020000000714cdd5b39ac21a232f9a633566278f885dfc3f4353dfc8226cfb67b37e00cdf000000000e80000000020000200000001ef15d599332605eaac6f02ba8d82efdbd2cfb1ae6dc5f36802869c6b21c494220000000e03c95f2d23a011da7f0da16d0712023365cd945139e98108bc032c2947f94534000000089a00eb24f0b55c0417231df8adea1085eb71022c4be00bc1b4d8657229a2efe3913d0d14574064956e6f030eabdb5fec5ace66ed4dca266ee62fa8e859962be C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2336 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab1B31.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar1BA2.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 10089071c4dcc6db1b7f4fc2a40f947f
SHA1 1b99c4563130d981947ca0b7ff975cdb96dd3d56
SHA256 ccdb48373acfc72d709c491a687129819270a7a0f5da434bc5c9ac033d02b646
SHA512 0545aacafcd29b9cab76c7796a9d85d6f4bedd415e6ce8f01de7968b1068ab2cd581dbbf84812eb8c7d783793e9507a4f4e09be8992df4dd645915ed2f50eba4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d4712a1336cf6353853cbb9b980b416c
SHA1 4b2515601ecafbeb13438f6218e585e61ec34d0f
SHA256 70f5a700fcc8a0f240dbd5c81528c35cf9d4e72602824a94185c3843dc0321d9
SHA512 678001949d603464e80bd976bd2e259010e64cfc04be48918993a984fd06539bca1736aac4ab45bf1fbe23a04a1b52bceee9bbe3943a1c3fa04a475af954e226

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1a08dc6e0dac7f3f494368bbf396d1db
SHA1 ec9399e4df60b1c5564d18b74b47f9340d8c0ef2
SHA256 8419ecfd0cf773f110b380550c8669ae4b5854a0546eade5faa73fe571e0887e
SHA512 b2cd192b633426c1dbc5d4cfd29efad57b55dee1f46646172d2cb12b6868ff6a20efcd946d15197bf49453d2d7881e8b836b39c01f2d18788bb5f9cf4ea585fc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ce3a261e59f77ed03b5dfb94d3266a84
SHA1 bfdef0074f98fa731b65d11d62794aafe10694b2
SHA256 5fdecdf4a931658ecd90389d2d03e8b8f0045601119e3a21daf6c987594baf28
SHA512 993a4f89605e6eba67bc0801baa5bc187ed48bb83c8db2fa6a996e7c012eaf470b705cd9487b61fb685f6de578a00f29dff7ebbfd56873665b8331f0fa5ca0a9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 662b3f85f3a1ee37a97081467094d14e
SHA1 cbf5a7267c010c4f326d0335a084ec886fd27782
SHA256 64e5203eecd713658090307ac095a66e9595fcaee6d43cbb2f9d6a1062126912
SHA512 cca3780dd941cc73d0f963e79740ee3e6d4b6a34fa5312c4532c833128db1aefb0b88513e5e3ff3eb1b5d3e26dbe792985910414114f93eeaf71eac864a31f7e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1c3356bd6b5eb93015b59590763f86ca
SHA1 9a6c57eef39d61c14d89e561b7ab19d25d39f3a0
SHA256 23ba7148f5da837ebabfc0421458b2ca3902787b188d9662d7d014e3d977b364
SHA512 3711b529188367d6ef5c64d6f5634be1584813c0f17f0366e6610146a024ce4eccf1503ca59fdbe42af98695fc096b7eb67cf3ba24ce29353f3faa753f15813a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 066bba888017fb1a1744a7ddfa5e3f21
SHA1 7f0cb50e8f679f21d4d11bb6e99d71cf8fd1935d
SHA256 27cf535eb9b06a2a2f95affb11eae521bcbe6dadcb73c219abd5441a81390f30
SHA512 5a0b7be69c82237a73477e1ce0bc1aae628aab29c1a6f155182ee7ef9240785924f37aa8fd5998150b5e0d42500e23495464d35ae617175a3a3de3aa0a365808

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 25de3b72a9af64b5a77fb2486d6b6529
SHA1 cc013677cca02cc1ecf3185a13fb9bb65474260c
SHA256 9ec47333a6dd4226685f6d45f1f3a6b6f15d8009a6e02f3d9b78facdc4e54d1d
SHA512 6e6e77ee5660aa0a750d07d52137c57153ff806271e9e710d93b85d85eaf8f999b7bf563e5301c468472b14eba703e7d8d6edb2095a56c31aba5c0bde43334fc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cb594fbf840567d67b3a6196973b62d5
SHA1 568778bb9f8765e863e6500a295e2f9004cb1231
SHA256 45c6244aedccea8b2b06b0de3cc040167c3ca2e6bc405859a20c972081c23047
SHA512 2351bf1b2d3baa174f7680acc8feaf7d3babbc44a67d8f01fa37706691ff72442a8c8b451fdf34eb85143a40ecee3dc3bfd890e038387d3ab723b9e033ad298e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 35684689bb0ac707eba1cff9c02a7fac
SHA1 f74ac803782bbbb6f63b28d9c45938dda5a5c7f1
SHA256 5e0cb390513e67b9db89dc67c98f97204bd6b1514bfd5b879a2e66b76628f2b4
SHA512 ce35cf503b5ed76de4a4d0b8d3ba58d2090a6dbea1d3af54cf7fef19ca812093970b7535bee90d79707ad32c8ce3e289ea083a3255d13245a00f2ea6ab0875aa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 59e3181105530010be9c946042073133
SHA1 53d47712cc08819ba51508acd7b7cbb719c30c76
SHA256 7faff62a5f53355b310cf566635cf36c73cb1757b7159780e7d62b8ca220528d
SHA512 432cd11b9ddea75f7840d20fb444acea2d6c7a78b384329796eae279b99b892608d049f94ee9787bb5ff5402ff48c4b22cf370ac3096b6411345c8dbe8e2c1e2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5a1315cb02ba2ae6c5d1f7fdee4fc27a
SHA1 2040dd628133630ee0af3688d4f73251635ade84
SHA256 e976da4906103d310dfe9437fec92d08d1cc528e75da0f60be2c972205091495
SHA512 2a11fe9fe24199c3a6ddd636f15871291b7bf6379976f122d6e4b8081ad870c39db92307cd5667b6d7284cfc9146f9632bdcef8fa6b55874ca61163d43df04e3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2c277d934153e5b4164df36c58aaa37f
SHA1 37ed8df2827bc2ca69a4870116dc98fdd2acd36e
SHA256 199f1dc55e5c4cc8593b21c6dc2a21471cd4d9cab4a351d2f6e6bb5b9a5b9e9c
SHA512 1d091957d985d4de881c1f968ac73a36478436e761dc033d8a1c1841b02aa7e58a4ba98bbf4045db8431440a0cb5f97adc81604129c3ff23ff9bcb91dbec4aea

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d00330e6930d4e1b5ef1a9276e140a34
SHA1 e255d214a578afdbcc2c0d0f0c9ffdac2a454b0f
SHA256 5e492099fd5f30edf23594049b79c57ea84bed2299ad7a3c76849e438b51dcd6
SHA512 2b6c1254989dc0a60b7b4657205d16a7e8495c1607f5a30d2424128944ba3a53a17c2ee524bbb5df25586231351ca0b277ca11cc908c03725dbf95fcf1746617

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b4a9931cc917c6ddf03e01d075aed65d
SHA1 396c785bf0509a315fa6b21b377f0bc3c1c60d20
SHA256 04432921a491a75396f1e2a43ee0a16f19b025fdcfca1fcead14965497b6de28
SHA512 093d12f54b944a95a297e1e432ba4e291249390c234577f1c0b42b2f5872c455692162d4a97c9d7bc7c929bf974374283dbf6c98f7a5eb02eb3bda86310fc6e0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2d9046d2126f153e3e04160a5f31570d
SHA1 f943f4da0bff1c160e0a61acfe7d088d32aa571a
SHA256 f34796d6a47af2e942a01d71b8a79bd97f86462874a399f1d367157208176989
SHA512 7895d686cee787a93584d02c4be189d5c9a313786cb66d5153e4a51515a7045768ac431e378bbdc4127318d13a60bdabd85333eea74f109283a5bc026604b1cb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 73f393148d7948d9914009af54c19092
SHA1 88ccf1dc2c124b4dfd3bb128e95beb20247ce4dc
SHA256 b61b50cdcac101106c8b3368fd562068d62e02febf74eb19f4aec6e50d62d87e
SHA512 a1caa08b5dbfd0e6b85d62687b26bdf64516e9cabbcfc0907c5b0acdf5e025a218c52cbeec992eb51804994f3f291c9fc4ea7ca3bf89cd2a7c27e2168aacce2a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8985e29657bf243acb1090e409c13dec
SHA1 9acaa4732a4be6a329acc15ebd24b51ac3be0e26
SHA256 df5f856460741384bc969e0bd03dcb311a68ad72cd085cdf98937dc96ed1f549
SHA512 3cf7450271d9265c381a1162dd272b8843021655a764951fac95f40f4a17098557291bf20d27762d83f7caee949b51db063648ec8657e2d1234cf05c40f0378a

Analysis: behavioral19

Detonation Overview

Submitted

2024-09-22 01:08

Reported

2024-09-22 01:13

Platform

win10v2004-20240802-en

Max time kernel

92s

Max time network

101s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\sqlite3\build\Release\node_sqlite3.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\sqlite3\build\Release\node_sqlite3.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-09-22 01:08

Reported

2024-09-22 01:12

Platform

debian9-mipsbe-20240611-en

Max time kernel

0s

Command Line

[/tmp/sqlite-autoconf-3440200/Makefile.fallback]

Signatures

N/A

Processes

/tmp/sqlite-autoconf-3440200/Makefile.fallback

[/tmp/sqlite-autoconf-3440200/Makefile.fallback]

Network

N/A

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-09-22 01:08

Reported

2024-09-22 01:12

Platform

win10v2004-20240802-en

Max time kernel

95s

Max time network

98s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\sqlite-autoconf-3440200\Replace.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\sqlite-autoconf-3440200\Replace.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-09-22 01:08

Reported

2024-09-22 01:12

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

0s

Max time network

132s

Command Line

[/tmp/sqlite-autoconf-3440200/install-sh]

Signatures

N/A

Processes

/tmp/sqlite-autoconf-3440200/install-sh

[/tmp/sqlite-autoconf-3440200/install-sh]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 151.101.193.91:443 tcp
GB 89.187.167.8:443 tcp
GB 185.125.188.61:443 tcp
GB 185.125.188.62:443 tcp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-09-22 01:08

Reported

2024-09-22 01:12

Platform

win7-20240729-en

Max time kernel

87s

Max time network

18s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2752 -s 220

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-09-22 01:08

Reported

2024-09-22 01:12

Platform

win7-20240708-en

Max time kernel

14s

Max time network

17s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SpiderBanner.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1328 wrote to memory of 1312 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1328 wrote to memory of 1312 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1328 wrote to memory of 1312 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1328 wrote to memory of 1312 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1328 wrote to memory of 1312 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1328 wrote to memory of 1312 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1328 wrote to memory of 1312 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SpiderBanner.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SpiderBanner.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-09-22 01:08

Reported

2024-09-22 01:12

Platform

win10v2004-20240802-en

Max time kernel

94s

Max time network

98s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SpiderBanner.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1572 wrote to memory of 3424 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1572 wrote to memory of 3424 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1572 wrote to memory of 3424 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SpiderBanner.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SpiderBanner.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-09-22 01:08

Reported

2024-09-22 01:12

Platform

win10v2004-20240802-en

Max time kernel

95s

Max time network

145s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1244 wrote to memory of 3588 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1244 wrote to memory of 3588 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1244 wrote to memory of 3588 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3588 -ip 3588

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-09-22 01:08

Reported

2024-09-22 01:13

Platform

win10v2004-20240802-en

Max time kernel

88s

Max time network

160s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\sqlite3\deps\extract.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\sqlite3\deps\extract.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-09-22 01:08

Reported

2024-09-22 01:12

Platform

ubuntu1804-amd64-20240508-en

Max time kernel

0s

Max time network

129s

Command Line

[/tmp/sqlite-autoconf-3440200/Makefile.fallback]

Signatures

N/A

Processes

/tmp/sqlite-autoconf-3440200/Makefile.fallback

[/tmp/sqlite-autoconf-3440200/Makefile.fallback]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 185.125.188.62:443 tcp
GB 185.125.188.61:443 tcp
US 151.101.193.91:443 tcp
US 151.101.193.91:443 tcp
GB 195.181.164.20:443 tcp

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-09-22 01:08

Reported

2024-09-22 01:12

Platform

win10v2004-20240802-en

Max time kernel

95s

Max time network

141s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\sqlite-autoconf-3440200\aclocal.ps1

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\sqlite-autoconf-3440200\aclocal.ps1

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp

Files

memory/1668-0-0x00007FFB1C843000-0x00007FFB1C845000-memory.dmp

memory/1668-2-0x00000205D24C0000-0x00000205D24E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uwmljce4.cdx.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1668-11-0x00007FFB1C840000-0x00007FFB1D301000-memory.dmp

memory/1668-12-0x00007FFB1C840000-0x00007FFB1D301000-memory.dmp

memory/1668-15-0x00007FFB1C840000-0x00007FFB1D301000-memory.dmp

memory/1668-16-0x00007FFB1C840000-0x00007FFB1D301000-memory.dmp

Analysis: behavioral31

Detonation Overview

Submitted

2024-09-22 01:08

Reported

2024-09-22 01:12

Platform

win10v2004-20240802-en

Max time kernel

94s

Max time network

95s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\sqlite-autoconf-3440200\configure.vbs"

Signatures

N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\sqlite-autoconf-3440200\configure.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-22 01:08

Reported

2024-09-22 01:12

Platform

win10v2004-20240802-en

Max time kernel

150s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3260c1e806429a61577901fcdf070a19d150730fbfc12c626279fd032d1b0d30.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3260c1e806429a61577901fcdf070a19d150730fbfc12c626279fd032d1b0d30.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3260c1e806429a61577901fcdf070a19d150730fbfc12c626279fd032d1b0d30.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3260c1e806429a61577901fcdf070a19d150730fbfc12c626279fd032d1b0d30.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3260c1e806429a61577901fcdf070a19d150730fbfc12c626279fd032d1b0d30.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3260c1e806429a61577901fcdf070a19d150730fbfc12c626279fd032d1b0d30.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3260c1e806429a61577901fcdf070a19d150730fbfc12c626279fd032d1b0d30.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3260c1e806429a61577901fcdf070a19d150730fbfc12c626279fd032d1b0d30.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\find.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3260c1e806429a61577901fcdf070a19d150730fbfc12c626279fd032d1b0d30.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3260c1e806429a61577901fcdf070a19d150730fbfc12c626279fd032d1b0d30.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2080 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\3260c1e806429a61577901fcdf070a19d150730fbfc12c626279fd032d1b0d30.exe C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\3260c1e806429a61577901fcdf070a19d150730fbfc12c626279fd032d1b0d30.exe C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\3260c1e806429a61577901fcdf070a19d150730fbfc12c626279fd032d1b0d30.exe C:\Windows\SysWOW64\cmd.exe
PID 2916 wrote to memory of 244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2916 wrote to memory of 244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2916 wrote to memory of 244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2916 wrote to memory of 2360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe
PID 2916 wrote to memory of 2360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe
PID 2916 wrote to memory of 2360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe
PID 2804 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe
PID 2804 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe
PID 2804 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe
PID 2804 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe
PID 2804 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe
PID 2804 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe
PID 2804 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe
PID 2804 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe
PID 2804 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe
PID 2804 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe
PID 2804 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe
PID 2804 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe
PID 2804 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe
PID 2804 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe
PID 2804 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe
PID 2804 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe
PID 2804 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe
PID 2804 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe
PID 2804 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe
PID 2804 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe
PID 2804 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe
PID 2804 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe
PID 2804 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe
PID 2804 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe
PID 2804 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe
PID 2804 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe
PID 2804 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe
PID 2804 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe
PID 2804 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe
PID 2804 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe
PID 2804 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe
PID 2804 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe
PID 2804 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe
PID 2804 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3260c1e806429a61577901fcdf070a19d150730fbfc12c626279fd032d1b0d30.exe

"C:\Users\Admin\AppData\Local\Temp\3260c1e806429a61577901fcdf070a19d150730fbfc12c626279fd032d1b0d30.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq OGFnPatcher.exe" /FO csv | "C:\Windows\system32\find.exe" "OGFnPatcher.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist /FI "USERNAME eq Admin" /FI "IMAGENAME eq OGFnPatcher.exe" /FO csv

C:\Windows\SysWOW64\find.exe

"C:\Windows\system32\find.exe" "OGFnPatcher.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4148,i,3387628439405076340,17957358341235678872,262144 --variations-seed-version --mojo-platform-channel-handle=4200 /prefetch:8

C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe

"C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe"

C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe

"C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\patcher" --gpu-preferences=UAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2204,i,7888669344296947698,5569408338875728336,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2196 /prefetch:2

C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe

"C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\patcher" --field-trial-handle=2412,i,7888669344296947698,5569408338875728336,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2408 /prefetch:3

C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe

"C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\patcher" --gpu-preferences=UAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAhAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1900,i,7888669344296947698,5569408338875728336,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1100 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\SpiderBanner.dll

MD5 17309e33b596ba3a5693b4d3e85cf8d7
SHA1 7d361836cf53df42021c7f2b148aec9458818c01
SHA256 996a259e53ca18b89ec36d038c40148957c978c0fd600a268497d4c92f882a93
SHA512 1abac3ce4f2d5e4a635162e16cf9125e059ba1539f70086c2d71cd00d41a6e2a54d468e6f37792e55a822d7082fb388b8dfecc79b59226bbb047b7d28d44d298

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\nsExec.dll

MD5 ec0504e6b8a11d5aad43b296beeb84b2
SHA1 91b5ce085130c8c7194d66b2439ec9e1c206497c
SHA256 5d9ceb1ce5f35aea5f9e5a0c0edeeec04dfefe0c77890c80c70e98209b58b962
SHA512 3f918f1b47e8a919cbe51eb17dc30acc8cfc18e743a1bae5b787d0db7d26038dc1210be98bf5ba3be8d6ed896dbbd7ac3d13e66454a98b2a38c7e69dad30bb57

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\nsis7z.dll

MD5 80e44ce4895304c6a3a831310fbf8cd0
SHA1 36bd49ae21c460be5753a904b4501f1abca53508
SHA256 b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592
SHA512 c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

C:\Users\Admin\AppData\Local\Programs\patcher\chrome_100_percent.pak

MD5 3c72d78266a90ed10dc0b0da7fdc6790
SHA1 6690eb15b179c8790e13956527ebbf3d274eef9b
SHA256 14a6a393c60f62df9bc1036e98346cd557e0ae73e8c7552d163fa64da77804d7
SHA512 b1babf1c37b566a5f0e5f84156f7ab59872690ba0bdd51850525f86769bfebc245f83988a3508945cf7617d73cd25e8469228974dd2c38415388b6a378552420

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\d3dcompiler_47.dll

MD5 a7b7470c347f84365ffe1b2072b4f95c
SHA1 57a96f6fb326ba65b7f7016242132b3f9464c7a3
SHA256 af7b99be1b8770c0e4d18e43b04e81d11bdeb667fa6b07ade7a88f4c5676bf9a
SHA512 83391a219631f750499fd9642d59ec80fb377c378997b302d10762e83325551bb97c1086b181fff0521b1ca933e518eab71a44a3578a23691f215ebb1dce463d

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\chrome_200_percent.pak

MD5 3969308aae1dc1c2105bbd25901bcd01
SHA1 a32f3c8341944da75e3eed5ef30602a98ec75b48
SHA256 20c93f2cfd69f3249cdfd46f317b37a9432ecc0de73323d24ecf65ce0f3c1bb6
SHA512 f81ed1890b46f7d9f6096b9ef5daab5b21788952efb5c4dcd6b8fd43e4673a91607c748f31434c84a180d943928d83928037058493e7e9b48c3de1fc8025df7f

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\ffmpeg.dll

MD5 ed10fd2777a030b2895d2f555207f1b3
SHA1 81448e7a72e49eff746abbedea503139b7eadbdd
SHA256 996aed5bb751d70e215bcc3e5be2ed28fb54412af05031c592df101b51232e0c
SHA512 435f33fd11fc25a495726401211ed87771c831eab8916b8bb9520bf0f799646f911b22716f090849bfc85e2372cd28aa1c9de46f9d613929993ef009955173e9

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\icudtl.dat

MD5 ffd67c1e24cb35dc109a24024b1ba7ec
SHA1 99f545bc396878c7a53e98a79017d9531af7c1f5
SHA256 9ae98c06cbb0ea43c5cd6b5725310c008c65e46072421a1118cb88e1de9a8b92
SHA512 e1a865e685d2d3bacd0916d4238a79462519d887feb273a251120bb6af2b4481d025f3b21ce9a1a95a49371a0aa3ecf072175ba756974e831dbfde1f0feaeb79

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\libEGL.dll

MD5 e3f6c7b1316f7ca06ee178377ce16ff7
SHA1 f546da89ec0d3ef238892be8f2dd697d411518bb
SHA256 ff6d4f18492a704b4b9d853abdcc73a4fa561b0c685619508e25afaf4e4800b9
SHA512 cad4026efc48192c4904a4b0ec583d2e24b94f8a5f91824716eddb32477512799b10a4f9cc7a2976a25ca0d333bb1c68bb98b1d0f9bd7020e0e31be7d950720b

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\LICENSE.electron.txt

MD5 4d42118d35941e0f664dddbd83f633c5
SHA1 2b21ec5f20fe961d15f2b58efb1368e66d202e5c
SHA256 5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d
SHA512 3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\libGLESv2.dll

MD5 ac216b22cb7ca21d9803ae6b111792e5
SHA1 f6678626aa522628110315889ca744572549bb73
SHA256 3cd10952ba73ba4a36f5ec92dcbb0893092bfc8d77a381f6f9f3090b0ecfbb50
SHA512 df344f79ff5d4e38b451bea948c234b63af0402565097082a082b44a4efb9e0ed367884875cbc817237b7ae7ac126fc7de0e8615504923b8db553c1a3a985a90

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\LICENSES.chromium.html

MD5 f017c462d59fd22271a2c5e7f38327f9
SHA1 7e1bbeea6ac2599bd0f08877aa5811d32f1aceb9
SHA256 40f314c778851106918aae749d75b2d913984327602a1bfb7ef0cc6443ff2a37
SHA512 72177281486f6ec26ccc743b43481c31470c7dd53f17b0a67ac087dded190c2e3dde5570260150c2e9650186a515740af7f81e31965c95bb762340f9ac100c07

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\vulkan-1.dll

MD5 8f939b8bbffc7e1083e938adc4b5aea7
SHA1 ce03fd0ec3c11fbbc51b6fef044bea7915991aa9
SHA256 7d411fa0a615d0f67099fc3978b3f07e28565b9877cce02ec239eb228fa4d485
SHA512 bed9ac52e82dcf3e8233d90f1f0986ce6371338299a7efc490d89955d869e2b16874cd2258b4217971269f19fb1589530fe2d870d65610a878f2633f0cf4e0af

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\vk_swiftshader_icd.json

MD5 8642dd3a87e2de6e991fae08458e302b
SHA1 9c06735c31cec00600fd763a92f8112d085bd12a
SHA256 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9
SHA512 f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\vk_swiftshader.dll

MD5 ed0ffde1854aa8b1dc64835b48833d32
SHA1 5aa09092b982e8ae1ca73f713d6f51a30248b64a
SHA256 1a24356be288e742549a20c62de9259b2e1cf8bd560151ff7a24d4ae1a4652a2
SHA512 59fd3b9153b2d777a707c7f2aedf2b7be701c18fb1b9e79d32381dacca22768c6461c575271aee960d7c41fadeba75f8cde41fc8a229c2e49823bbb5853b69a1

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\v8_context_snapshot.bin

MD5 8b8485c02d1fb639085dcb2b1af02c6e
SHA1 fe4e7115aef2c161c5995a621bf614a502f04910
SHA256 98c18470926e12def4c39163c5389f29c5df7d2a41bf7353a75a7cdc41f1a90c
SHA512 c2f24848a75c5330d1be5bde3213064f2b0feb13b8708d795249961605a09913aab1fc78b850f4ea3f7c76c74a8238816f5654a4fad5c11a78ce86b8b9cdd521

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\snapshot_blob.bin

MD5 7ad5356f81d38002220b82f64cebe230
SHA1 11f047ffb7b90a40ca17c796b0a306d4b250ed7f
SHA256 31969e154d3cd857d14e9d8edb98118ad2d5e9e9f1b77f9085626bd500e34ce1
SHA512 862d0027b13ef4527a45b010d35142583c1f02f7691b093774eb5bb066b623ba7b8c0bb65a2e75641381c8ffa6a24c7116d1a9a984143ad13d0a0d61adfa3c0c

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\resources.pak

MD5 d3fef960b0aac7b5d40e37b09f91f9ba
SHA1 dc5093fecf59150877f439a04bdb3912f13ed905
SHA256 c2dad6a9f8bf1b552fa94a51cadb6ed6a4e5a6455bcebf3c2888f0a6a3d6c8c2
SHA512 5be574b28b67ebd13acb764e15aaae6c3fb861a1cf16e4132fec8fe90b4fb70d49314609bd173c8de6299531f5520fe95ae080112efd2f7e89a6e174532bc458

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\locales\bn.pak

MD5 ea7cf62cd5373f016ee15773394cc33d
SHA1 582299514e86802707fd6e45a170da7a5b5f3da0
SHA256 dedf3a8c24b13eafd99d9bc44dfc4d7a74f01eda532e05c8d61b4457f348fd09
SHA512 482ce2f374e5bba511e60843736811ab1f8d3aa52a020c78505e95b1ad0a924531a952ff792116ef7ef55cf027640ac88885f13513757c8883b37d7ae57c9a13

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\locales\bg.pak

MD5 78209e3acd074e521b73382ec462e497
SHA1 b112c4ced00c140410a1faf8204772d1fd14abed
SHA256 086e2955bc5dbba52b0ab055bf788bd7852a851a29bf1249dbd134713f04e6f4
SHA512 789f13ba6b98b0b181bbd75f3a099a39d33b43bd6a0172688da570c3087cdbc4975e36e5c40f0f3298648dfb777613b0b2001d6873a2c6bee41e82355d960fd9

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\locales\ar.pak

MD5 5fbed215d9555f2be88e8a41407a0a72
SHA1 744bd7b5276cd4e69a6610d35e3c9e5d62dbe49a
SHA256 5f1b06de1f8105ccebb79651781fc219013048951a6e1b15a2c4f567ee45e88f
SHA512 0c0d2d1d3d07528afecf1862011ce2ddd27c9c286b5edeb03cd80a9ffde584bf0a71ba6292c969e3261a958a9bfddd291746253268479c090f54559720dcac36

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\locales\am.pak

MD5 99f01e85f82f70b919f3de6a29bc2255
SHA1 bd229bbb9a15d128d3dafb107533ed2b74e0b778
SHA256 fdbbf59c2f6d4e9d6bf8bc7209511850bb337b0a49a25d39779bdd0e105f1682
SHA512 b3b7199f60af430bc98fc937e12b0a2c67b446f0217e01b543882313336f55def3cc6317cf1ef49766ceb1e171e70cbd78e8acecc3cc1c8409e76f4d98d347a6

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\locales\af.pak

MD5 09455048c30cecbb17d6e0e95e4c01da
SHA1 6572850b07df45933ed57754f72c44895a7ef662
SHA256 e973763dcc0ffd7a5afe0a62ec9651c4c3db7fe29a23797fafc34b83512d03aa
SHA512 f59b68c213815ad81379c964abe6597b900b9fac5fe17e2cb378d015c4803f96b598ef70333d594599b3283a88a9ca9cb2475afc2590eda2ddf7b041ba2368e3

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\locales\el.pak

MD5 14f52763959d29febddbe25c86336e70
SHA1 dbde678a721d4fba97d5bf2703faac230794128c
SHA256 7134776724c07c2df17f6ba0c3c26a2a536d512e913d1d9c5585e600895e695a
SHA512 1f49a299a9fe76ab93a30ac17e1bbf3eddb20c6278740d7739e0044f867f35e65a0cd98654ab0ed60a43e268eb7258768cb8f35a254fbf31bf22ff4af7c3f96d

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\locales\fr.pak

MD5 1904b22bbb5d52255f80c541253971ba
SHA1 0ead9bd15bd115775728a6cada2136367fe34b87
SHA256 25eb9ea0d0007b5d4c5065fb77486c723d718a1496aa52013d1ea098987f44d0
SHA512 6d4f4a9dde7d22624ef3c28e4cf4a8de8255125aca0c5efca0bae69f040aed2651649f415acdf491593634adce0e4d88ee6439705115bfec25caae34a57f1003

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\locales\fil.pak

MD5 4462eeada117fea1198a3a9cc370e8df
SHA1 c8b6f588ab35f485b88480e58db59c7a34c4ef0b
SHA256 db27ebc5b34d14be370e7068b4bab4fe12fdf090bc1a4f0bad81740aee974695
SHA512 8a69a11f33ce1fdccb3aa7b1dac981f9d6c9d64669e3f97265bef5862e20bbc62d568b8e64fa33cae3143096b009ecb904f0f32f6dc593a8702f94d4e3f52d20

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\locales\fi.pak

MD5 15b4ed60de11e5fb956d624032e8b242
SHA1 94e7f2b7a62c4164511be53d59769299b8a02185
SHA256 f040febcc899b194a6908419b4bc225ed3d53ec478988ed7a50e8438c80d9606
SHA512 c67e22f75820b921f8519ddf064a0fd7d93abf0539b06a62592ad00ba9cc237b1297acf5eba15f7e1444916e90c9dc89e116704866d242d1bdcf0c90cb8c0058

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\locales\fa.pak

MD5 99ce096115521566ffc685703f9cdbfd
SHA1 27cccf6b8f6939d17da4b884998e577392b97221
SHA256 645a43a0101eea39dc6b29ffd71a4836a03ebd7070e61aa962025257aea59375
SHA512 42df640778ae722b82a62e527711a57c883e9d315d54ea7e484d7a8f631abf3f5ea1498d6c5cbd004fe971fd357a0b8d40ab4934fc84e03565da3fb0b23184c8

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\locales\et.pak

MD5 96febc2a296af99758050eef3ed97712
SHA1 26f8751ccfe0b1bed9db532dbac1034a02b7f48a
SHA256 678e50d9785c14f205baff60760decf64f765a98863e000abe44dcc6f22b5d0d
SHA512 bfc8a9051360338c61dc46040b006808b57ee20ce170c4645bf5fd83a643c3107bbc1752fd2486a9ab8250a84ff0cf832f381c523cc49cd08486eae489c4d45e

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\locales\es.pak

MD5 070cbd6f42db1cb9b6a2f74e03d6b124
SHA1 f8830e1c8a601123d85fd75188ed01833f910691
SHA256 91de93a4dc9c9276b9ee3ae498bdafaa55fd464c1f20fdaca84c4b79842327d4
SHA512 2ebee4e289eb2a19a97c86d1abdc1ad53c6a76b8c1dc28fc89cfde236c4abfbb823bf52573cc0848fd76ed9e0ab2d49def542837bc5c474ca1593fb5ed10a390

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\locales\es-419.pak

MD5 76c82bd947c7d32febb2aeed079de39f
SHA1 e4b8238dcb0d3ffdedbb8a4fdc62ada21b03c659
SHA256 89df263a85ccce719cf2b1a5bfb3b2bec5f6f48d0cf1b7ad190b34992aa8309f
SHA512 5179f1cc0be2a4ad441c08102cbabdd3026ae07f430dfeac2f451863235947d9ff1ef78a8c72ef503085c8daf831b401a58ca6e6b077c7584c50b50005c7c868

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\locales\en-US.pak

MD5 d47cded365a28d27906414035c1cb3ca
SHA1 429123c86f6ca48a89bedc9a26027e01508e6db9
SHA256 46958caf9847e33a11593ad024d5a95cc696edcd4620cf07e7b2b78c72b9c00c
SHA512 1a16d784913fead116460c9ff42e21ae482865cfe2d6ed1b1296496e46a05e513f8d048fa4d245e7a82ef61de4c4130696d5b1c647c918995f6877a888bd0853

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\locales\en-GB.pak

MD5 513c735f8821cd5b8beee4f1c9f976d9
SHA1 2552ec0b813aa12b464d813d450e8b6bbc640555
SHA256 d86bc52d844b9706cf9fc50e7c123ab9a6372dd3190a65a88bff7d57f64af362
SHA512 9482f73155c0a838615ddeb4ea5e2db86f12d973c2288922f361de27025f49f714cb6db6eca09a4ef6abaab6b849800850fc72e5bd1314ad3262da66d4dc6b5b

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\locales\de.pak

MD5 d847de7e4970ad17615f7a454be60d06
SHA1 e6cd24f4ca42499c12c92f90077977921a66e016
SHA256 41e503b5e5638cccac6b0165d6c2d2b583e3a6190f3b1dd2e8dd25494d3bdf96
SHA512 ab782cdf2fcf20d24cb3cb3c70989901146709610809a3ecb0ba86b312f11c5b1fca3d66b04d6a6ad3f111f2f2c8749da9d1f8d1ead08c8e7635bd6f1f6a00f0

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\locales\da.pak

MD5 96bbef1eee0b0a197ec834839c00e11c
SHA1 35adba0aafbb4d19015e11dde1f37de87292252d
SHA256 600e02877374dc083b21deb3cc3bf6a4e3e2b2c581a631955494b0591c56289c
SHA512 e1ae7ad30735b6c42f81d30d50162330603753b0ce7705506918d0bf3bf9a52ac60f8fca570cdfe87f0d6dd46cfa3064d5a1526d39d81a053571b434b1cbffe1

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\locales\cs.pak

MD5 bb1c4ba9859b0a43a42021f39b8b750d
SHA1 02b2505d3955f15b6655bee9c92d7bbfaad6ddc3
SHA256 814990ab6af4acb4acd44b0f07fafd4375724facf4e3080014ce7b8b9e935fb9
SHA512 941cf4d334dbea7cc790cb8ba11e959d5a45381e7efdbae1e659d27540fd80247bb71820a90af6164d76cabbb283dbf3b652c29e0ded3832dcc21e3a88f7d0b6

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\locales\ca.pak

MD5 d4f81d8d816d93e8e6ec3f82cd8f12c4
SHA1 2cc552022a6963f6bab97e41ecd78bb945a2ec34
SHA256 50657071f311dc06c746346a25d10642f182519c1eb3ab898421722271bf2c66
SHA512 b344d5b336699f5efa4e235c7f67ea43278b348df9942f7a86ac52e29172794672d71e80501987867900ca075be0e47228f6cb898a39b66c80acbd0d9b14b371

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\locales\he.pak

MD5 41227774510c0d2ea4637dbffe500000
SHA1 3d8a20158dee92d5b5ce1a2c852352a50ae62282
SHA256 90f11a1c09fcc4a5fd5d6f753bea04af93ff8ddf4372a5f84a15fc2ccb444c95
SHA512 40e8a5d8c3e1b481074da9bb48ad82a64849386d9512ecee8fd426d6def32a8930fab316e3c5d686d7706b6bc975913d7d75e69a0c150b74dc8bb45620e82140

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\locales\gu.pak

MD5 cd212ed25482d2b5a246440b62c4fbbf
SHA1 197f3616dec4fb308e0ec5a17458ef8a2d027cd1
SHA256 0e8762ac08963088c33b74ee790df95370bbfc298bae8abfb87eb1307ef46d37
SHA512 207d3e9a6bfbd3eb19cf53a0a300eb0172ecb872496d627ac5b55b9ea11d52f24f01393893450fefaa3c42bb481129d54e552679f2f67a2af0e117d12464601d

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\locales\hr.pak

MD5 62bda7cc99b6dc1503332e752f87423f
SHA1 0187ca29d12971ce201d5513e45648898806d701
SHA256 4171bbd2229ed5a7638b74e32d7aa0e643cbc99051d92a80e7da5a31400ae69c
SHA512 6acdc6618bfb1d2ba7ce912f959c25a48f987dc6c6507c8c5bac22988ddb8b2cbb8aca8fc3d40b2e8b7b6fbd417bde2de34b91b8fc778ba78c182aedb722be06

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\locales\pl.pak

MD5 8cea9672f132573e143fc742ff1f7d00
SHA1 2eda91defa08ac7d27c082e4b85120d347dd39ca
SHA256 6257145654f4e47c21ef2b91fe69fc386c1e228a89a658418532a2934433cd7b
SHA512 25579e0535569f0a2855d02df0e2b36dc391a0d3cc54d2ee2b23184836caf8a3ec4c590704a9604666307e1e6e01d72311f76bff7210cecf18ab20d4f3c309f0

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\resources\elevate.exe

MD5 792b92c8ad13c46f27c7ced0810694df
SHA1 d8d449b92de20a57df722df46435ba4553ecc802
SHA256 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37
SHA512 6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\package.json

MD5 174bf28fccd7fdb6f0766f31fac3060d
SHA1 655f465658957fbdf935fcb7df0b97c93807147b
SHA256 91008a93e604674024bd65569670af5b01f1e4caf86cde50835ee58f59a5dc61
SHA512 fa1be386a3d74767731aa5ad44ff4d89fb456e7feabde2a6e6f238ed4608a80962cadd6b7ff96f15e306a8e819221b66051fa5a7b0658ad52a2efb488492ff83

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\LICENSE

MD5 79558839a9db3e807e4ae6f8cd100c1c
SHA1 ae3dbcee04c86fbc589fcf2547d4aaaeb41db3c2
SHA256 7686f81e580cd6774f609a2d8a41b2cebdf79bc30e6b46c3efff5a656158981c
SHA512 b42c93f2b097afa6e09d79ed045b4dd293df2c29d91dda5dda04084d3329b721a6aa92a6ad6714564386a7928e9af9195ac310deecd37a93bb04b6a6f744be46

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\resources\app.asar

MD5 feba07fa3221979f9961c5d5c24e508d
SHA1 b316be8390e8558fd607ffa3d08acfa65c0be008
SHA256 7f7b8986bfcf882d8d13d299db2bdf4b971084202d499d77a070d13ad8b20f85
SHA512 2ff94d45be7239563ac9fca3a62a2ebea59e39c0451e114b9e291b228cf573116eb1e9049cf966382c172b79c215f00fcc0d97841641d54ef6ff8475e4ac61e3

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\locales\zh-TW.pak

MD5 fb25eb737df0e863cd83b0472249b64f
SHA1 3f9d0d847bb9eea9bc5c89371fd4665da1a485f0
SHA256 f1bd51245e56bcf324a8a94c4a572be031f2fd0db4d828471e563f64d8ecc79d
SHA512 075bb8edd2743e980cb842ad359a16023a3280c560ccdd17150e7cdc179fbcd0de3415ab591d7877ac3a8dad84fe8defb0059fa0d3468553230d27b7d1bd7c03

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\locales\zh-CN.pak

MD5 6e7c237143cc765ac3abbe0685fa2afe
SHA1 40166c23aa75b8079ca16db2f5bcc938dfac312a
SHA256 9cda0f5736ab40650d10dd93f35316c45d5db9c596b270a9476cdd19d624c7d1
SHA512 2c2b6c50e52e1613f1976c86670dab5c4a7b06ff1746da0737bcc72271fe7531d8d909de2064cc2086c4b04352325fafb9c8bb181bc074dd62ba0e7a607fe011

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\locales\vi.pak

MD5 8f8a783772b0b3ed9e1858074a3106c4
SHA1 fdfa166ddfc0e9101bdcf5e76d422b29444d4772
SHA256 ad778e5e76648700192dfb6a27c6be743935de00e3a75f208f3c1d3f6d3fd1c9
SHA512 690a006b94cc8a34ac0fa904b2c175688cd1468385537bd3927a91550c137086a8ce75a2794be0126bc0eb44a498b01bf94c05237895a82125016c7463b4f161

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\locales\ur.pak

MD5 bb7d36ea38a066f9939b858ca3bba8d8
SHA1 78a18e7d6e82ebe9f99161432ac0363928d2c2d1
SHA256 8ab35f7d357a38922acc42c663089ef4e0ef42ce56e212c26507bd110c8e8967
SHA512 1b4a82c5065170c551de28812f6c99cd47a22209d97cf0723197bad15872d98fffba0cdf4db87440a84fc9cd0d2a3cd771074b254f12fd7658e7f9aad732a854

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\locales\uk.pak

MD5 7d6b378c369e8a132a1134ffb3921d26
SHA1 1c3c9c67613a4798ab2d4bdaaa0fe5ad80eee876
SHA256 e8ffe116ebbdaace51d9e62fe3c119eb354b244a8395f82d61b67dc8e3b3abb7
SHA512 edc526149fef6530c25a13725f33f7a4e9bb56b1b28fb1936609edc4c195153d5276d4ff61d7be9c2cf99835273809502168d7c8b0049c6b670ee226eab8e6ff

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\locales\tr.pak

MD5 d03ea83a0ed60cdd6607d16cfbaadb7a
SHA1 8463e4a4985ce85efb7b7b1b54e384f7043dced9
SHA256 5fba0fce51cc3f9767d2cfdaef1192507f18b83235879aacc8f63b30880c8f00
SHA512 3c7c7e6b98372bff436acbb31f4e0205c8b797221162f969464dad88fcace1d5f445b57beef96526c1610cfb3a589aa5c120fa6cceb06dc6bdaeddefe8de72e2

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\locales\th.pak

MD5 b60a9df804f0f3b0f1c11f1d6bd9ba7e
SHA1 104970e408e1a138cac373d2938691f82ee8e52b
SHA256 6cf15aee57658d55ea0ff07dae2fbad7981093e7acf54014347307e3bd1aad08
SHA512 ebd852b91b37b53f40f0e7e987d3814a3f7f273a6291ba18b4c6df9def01c9ec879e067bf542f0ad2efb1755af1180ac5a51d772ec61529eddd1d1e80c3c2e82

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\locales\te.pak

MD5 352b392c6e074a1b77a833b3534cc710
SHA1 49465bb9bfd3b82ceacda34e81be8e04f20e275e
SHA256 4f565637cf197a38c3f2a650cdfac05995fee8da2b9216998ab3ef7937ce7e74
SHA512 b9115987bef17dc05ff4c434d5dcee3e36c706015cf02592c154b60910bf86de578becf8470967bfcc7a28063155be6934f0d26713bd6f14ae4e3d637b4df69c

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\locales\ta.pak

MD5 d23049c7d1e0f829ad88274784927547
SHA1 efaa69205c4811af251d7ccaaa9c7cf81c10d6c2
SHA256 9e3e0c909becc8bdf9c7cc1f9e401c464e7756e30369d40c709ea2dd942660c9
SHA512 839b2323bc02ca605354d7f23474b9de1a9525fdfc9814d5773984090d1dee8dbd925078687bfdfffb416666701e42513e3bdee8aedfc3281194aa18e9e33ad7

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\locales\sw.pak

MD5 b49abf12ae1a019f170dbe514a9341f0
SHA1 a17d7ce05d6e75563d364e8e97be70bbed5b2ab6
SHA256 d85642b0783e1999fadf82aedfcaaf03a35572ca15a9e4f9eb8e1fcaca2ce29c
SHA512 147e80cd5c521bdba44778a6f605e330a589482625d4229bc6b0754edb1b41e8e1ebfa7dffe4c0ffb9d9342a95fef8f9109935a9b9d111e21af1e70b0806fa70

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\locales\sv.pak

MD5 69fc76751f44f10e32009b09268f2e38
SHA1 66d31349c8f5acedfe384f9525b6db4bed9acd4e
SHA256 a851c7537b895145f45f395c92ca273610f19f109c959b368672a5a92175aa83
SHA512 c9912382da93d3669832a77c66a64232b438eb6fa4ca6bc2243b0c11dbedef940f45d290fc6934312e3a1ce396f7b14821ce433388132e0e8634c1fa7400dad0

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\locales\sr.pak

MD5 6f327ce1d0e7131c483be9ee0c6a1c21
SHA1 26da43c4b16b6b0e2de9a8ed85cd63c202acf00a
SHA256 068c3f92a20c5202b592e26078d6aca908d39e2fc325a605166e7235a73366b2
SHA512 f36b99a76130f08d8c3f2c98add812f6a1a0815d4f895c697486a195bf04b8f43e591c73da34cfb40c07d9153466ea727dc644b9f9424cd4fc4b021d1a98f215

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\locales\sl.pak

MD5 4072bad3315b78fd05787a9fb97e9af6
SHA1 267209a3bde1b362351ea473874d5d40d9ef30ed
SHA256 10676c91bac7b80d314a1d7a934bebc5104ed730bd4eb78d84c497f7e07b5510
SHA512 9a858d4d11f7476b030f3c9bb852a70ae501f34afa0eae2756f2ad59d8dab9983a4b5dffa11b9b7eb578fd52b3ed72094b807b82b93b4c4536ce59309fc0fab3

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\locales\sk.pak

MD5 f987110e03dff6a6104d3c9767139439
SHA1 0817884ab9064978de99909e7e376d067019e1b9
SHA256 4fabe714236712d691908751b42e947fb03a4b1a439e7a84335e7f18f87625e3
SHA512 91a609fa129394ae23590c72a6007bb6591e4e08342ff0d6ba184c8eb09413ed294ca15f13b92f7558823523a0272f5af6841d7e426177c803be1062f9842d9b

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\locales\ru.pak

MD5 8243216c5cf42451a8705fdc0a5b8b5c
SHA1 76decf1dfffdc775c5b285436573c8583f214119
SHA256 f6538645321dfa0f2ee3f17284ff72800f6a678df3f5b7d729d02a4496adcce1
SHA512 508c9b4d81b9d09a1306dfe707faaac9072d2c194ccddccbad2bed871c68a78a3e8f527fd8f9ee67d08f6147def43ac2dc43deed9797a98cb5d80c0486fbf8ad

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\locales\ro.pak

MD5 5d5a27c52ae905fd85f5d50cb793e7ca
SHA1 b858bba1ef66c4d3943be19a4bf8a508c23e6671
SHA256 9ff47f6890b3f543bc51015f263e791d8a3bc332098f8cd8199852fa131fa579
SHA512 f4754951ff0dd3f1ec2c0859a93422330145f9e4e3407bb7f95863c85227b96d3f8af449c0a051b60f333df3695eea5df70fd5f7fe4916e60eb6f7c4c21aa5e2

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\locales\pt-PT.pak

MD5 62071f5b1b93161b03b66faa3e0ec71a
SHA1 969d82d8d0b2b82e7cb9af7f59825ba211b0ca8f
SHA256 953f8245585ebb637b2d2134b24118f2baa9c28211ea007a8605fa57c7df21f5
SHA512 b463844e7d620076a4cc11d5ad3e9aae52f0375f5eea16f5621a30043ba570baaf3c42050bff7d740eb9bd8274c190787a9d7d57bcffddba62eaaa8b7c4523bb

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\locales\pt-BR.pak

MD5 75d9da45b6a34aed360c0897dc956418
SHA1 90f15ceb5cf0cbaef021de42acaae323c9023cb8
SHA256 77d29b746b4028ae7072d5f74ffe1cbdc66b180a36eeed71e52ef1f7b824cddf
SHA512 df2d0ef49e4f836d5209f53254cb58b76d13a36eee14ae559f6fbe0be6b8421cde4152f48d44997c81ffb32e089ea46bd4a9de85e1bbd12dfcdcb356f1798629

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\locales\nl.pak

MD5 f4c35847247ff2c58a68c35718e3f358
SHA1 17f8af1473eb3bf8bdb3d16711bb359b59cbaf4a
SHA256 a400121adbb26c97a95e3f573f370ec2c37fd435132828c04b467dac47352904
SHA512 6179e275c71a9df4a7da517944048a782a2cb3f16c164ead8c788efc5c56e155c9770530a4fea9360ab478b78c233e183ee8afdf17c8cb871848b09a609c1f12

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\locales\nb.pak

MD5 bc18e28f676138795d19d95e73e3f246
SHA1 f4ae51b49a69b4a32f2dd8c09784ebde1e6d018a
SHA256 1df78fd35431f167def5c496e441775a265d3eb1e64a4cc0fb7fe0201c1ce8b8
SHA512 3620554d7e614373038c278a7bc6a9388fb66abbeba28d0935f2a2f7203a8510b264a6df85e70e3b82e08588611e48a64e4e1c91470f72c95c05cfb8649e8c52

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\locales\ms.pak

MD5 04f12811567c0f00bb35b488f4579425
SHA1 64f43b7b172e392daf1fe48e22324fd8dc2a3924
SHA256 1af4b9a66ca413dc3a0785f2b1527c237bdd05ba5768fe077aaf8af0f1c50dff
SHA512 a03fd120e9f31aab03fece30032f84b63060d5dd264e0bf04c85eb92a392d36a0c4122817b0d414a266305ad70efb067319aba38e100aa8c37ab65c3604c4ea6

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\locales\mr.pak

MD5 af7c7d72a968e1936f26a3c755157f6b
SHA1 2ec71950847f5fb4b85697b6acd05224c28bb092
SHA256 e5702b9578435abbbcc922f1d4ff8c5a345856926c2174c329e228987c3ac7d5
SHA512 d265eeee96adafc3ced76901c9263bc1cb349caf925a02d5deb010c02843fb653a17e1e8a4e942c9912f654316c4a7a1776e6a7eda56ab82ae9d4d077a58a929

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\locales\ml.pak

MD5 265d7fbee9a021895d51209dc0181f90
SHA1 30e37013971bacd3ee93ad2fca01cb59a26d6a87
SHA256 682463d4a0221711e565ecf409893536d727650efd2ed0563c722cceab66b1ad
SHA512 028e1ad499b20ff7cda822b91f9b8d1cbb1efe108b7236d817b73a6f8e518b5f4a8ae77d653ae5c9d799842eaee3915250ef56f634f847fc5fc8a3b36eea176c

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\locales\lv.pak

MD5 df9985ecfc958f343ab7e56e71149d71
SHA1 fc0d2c4a194d500a1f4cfafcd9102186016ba5a3
SHA256 7e17246e23ca2d0241d56d91b5d5e6bfb3ff4e08f1a3734f9d032b4191282fa2
SHA512 0dd65eed7a5bccee0ac5e2826f0cceed848dff0d0d41904e00d35cec9d96fc0b91a4eb54fbcf0bbba61f89848562a606f9f7aa827cb180abe7e97a2e77a29309

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\locales\lt.pak

MD5 b02bf54687716b5d5f18aee02411a980
SHA1 4cf766077382c49fb89d59d861de0f482f989798
SHA256 0b0e3fcb82ddca52f9eb1ff9e1ee224639ff81f1c0af6ded4e21944811babc0b
SHA512 aea879ac96a5719e8988011a7b82726bf51a24e170e260182146191f43914cd50991928d2283277d173ad650f7cfb1246fad9445260e9ca0769052079d431f25

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\locales\ko.pak

MD5 f0805980b4bba19fd7cecdae6d6ed77d
SHA1 fee432cc162890c5c8d22f6028f9086c8f47267d
SHA256 11f4f99e5f7d04b263f615d9d0716c0852b8c63a07212d14604373853aa78588
SHA512 03a97e36dbcae88b0fa9fec326bd99bf5c454889ca3bcf151b34003fac161001c1e08082b07974b6c8e01cc54f6b20f810c3bbe446494356403288e24e6b46df

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\locales\kn.pak

MD5 e4865513d7c57bd48171ade28bc4aaa4
SHA1 1791131c3fc654bc0aef00927f41672f700720d7
SHA256 a1b23f794547f06510adf767b23a47df68ae864b059f8657bb78dd8b352de232
SHA512 c7487fb37ebb2108218021b6a93e62d6836248d1602e7847864cc0ebe7fcd87554220bd3fff0c7bd6fa6f7bd200811b8d30e421b76717e37c7e110f88cc40d15

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\deps\common-sqlite.gypi

MD5 0ad55ae01864df3767d7b61678bd326e
SHA1 ffedcc19095fd54f8619f00f55074f275ceddfd6
SHA256 4d65f2899fb54955218f28ec358a2cad2c2074a7b43f862933c6a35e69ae0632
SHA512 aaee895d110d67e87ed1e8ed6557b060a0575f466a947a4f59cc9d111381e1af6aa54d432233716c78f146168d548a726fed1eab2b3f09bb71e0ae7f4fdc69e3

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\deps\extract.js

MD5 f0a82a6a6043bf87899114337c67df6c
SHA1 a906c146eb0a359742ff85c1d96a095bd0dd95fd
SHA256 5be353d29c0fabea29cfd34448c196da9506009c0b20fde55e01d4191941dd74
SHA512 d26879f890226808d9bd2644c5ca85cc339760e86b330212505706e5749464fafad1cb5f018c59a8f034d68d327cd3fa5234ceac0677de1ac9ae09039f574240

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\build\Release\node_sqlite3.node

MD5 66a65322c9d362a23cf3d3f7735d5430
SHA1 ed59f3e4b0b16b759b866ef7293d26a1512b952e
SHA256 f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c
SHA512 0a44d12852fc4c74658a49f886c4bc7c715c48a7cb5a3dcf40c9f1d305ca991dd2c2cb3d0b5fd070b307a8f331938c5213188cbb2d27d47737cc1c4f34a1ea21

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\locales\ja.pak

MD5 946afe803f1bd37cac8cefb9892e8387
SHA1 6a5ab4129843129ff926735acc4be53028a8d5bd
SHA256 91084c3d2709fed5c912fd55b2499c394b3a8ebba5032d03056845f88a141ffa
SHA512 4bbc76a738b9639d4a2fda9e1dc87c84bff660c84a01e3a54f544ec2421d20d9eee4c951a59ff8ed5950a00359bfb63ef1afe953b5cf5910923428a4d864ad71

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\locales\it.pak

MD5 d26fd02972984599d1a60ebfce4ee7b0
SHA1 d1767c68628c8b1449b4670fc40c355d367b0a97
SHA256 75e90045cdafecc013f62097e1aabae18362954cf993eb4f78ed1639e3468186
SHA512 06722bae30ade4bae70130918e3d6f99e54d7fca37b3798f8ed3d269cf52c37e1280a08313c9f9dedac80da149446bd0414cd36e345bfea3a1b7409b7d2f3464

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\locales\id.pak

MD5 ee466128c7bd5f01d518d0c3c9202f39
SHA1 74b7cb96c1e495885651e50907efe56d2567955f
SHA256 6f86ea779e49c8eb24ed6ba416ad67d5e08f8a3673c68e4cfad19475e12a2911
SHA512 9d88780e52c1cca9f89ed0ead244a763209848d1315f7177c1db3251214d363e78b32d439328304976804beb781fd07a0cc9f9e300431aca16ae6afaa6f57be6

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\locales\hu.pak

MD5 1744609aa48694daf1058e6da1157696
SHA1 a97ba8118e91bb952c24adf19104ca54d4eb8694
SHA256 89c47beea85d50c88af6f94597f827bfa657ec73570cb4b3ffbc3ff91164ba89
SHA512 f64c8fd18f877283bef39c999f754ddc212fc8ba981d282f66443c6fea51e89a5c4a2aa37aae7b69c35a60bdf9b8f5698d2cc72e28e10d70747ce0f7d665ce8d

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\locales\hi.pak

MD5 cbf1e19ed157d39bfe70a17805ea3cc3
SHA1 e37f6f428e8478f50999899ce70f49e60d2fd758
SHA256 00670d07269facbd70e3949f3da5a73f584e08a6e901ac8a3b1767fc439c975a
SHA512 84f8af3ef49c8f970e7ac2ad61ec92fc21057767afb93116fbc11837b6d7130901245bcfcae53f158f6f09f3a8e59900a6444a5ba9364b2c38196631c5244258

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\deps\sqlite-autoconf-3440200.tar.gz

MD5 c02f40fd4f809ced95096250adc5764a
SHA1 8398dd159f3a1fd8f1c5edf02c687512eaab69e4
SHA256 1c6719a148bc41cf0f2bbbe3926d7ce3f5ca09d878f1246fcc20767b175bb407
SHA512 59ad55df15eb84430f5286db2e5ceddd6ca1fc207a6343546a365c0c1baf20258e96c53d2ad48b50385608d03de09a692ae834cb78a39d1a48cb36a05722e402

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\deps\sqlite3.gyp

MD5 0e4d1d898d697ec33a9ad8a27f0483bf
SHA1 1505f707a17f35723cd268744c189d8df47bb3a3
SHA256 8793f62b1133892ba376d18a15f552ef12b1e016f7e5df32ffb7279b760c11bd
SHA512 c530aba70e5555a27d547562d8b826b186540068af9b4ccd01483ec39f083a991ac11d0cc66f40acaa8b03d774080f227ee705a38995f356a14abe6e5f97b545

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\lib\sqlite3-binding.js

MD5 8582b2dcaed9c5a6f3b7cfe150545254
SHA1 14667874e0bfbe4ffc951f3e4bec7c5cf44e5a81
SHA256 762c7a74d7f92860a3873487b68e89f654a21d2aaeae9524eab5de9c65e66a9c
SHA512 22ec4df7697322b23ae2e73c692ed5c925d50fde2b7e72bfc2d5dd873e2da51834b920dea7c67cca5733e8a3f5e603805762e8be238c651aa40290452843411d

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\lib\sqlite3.js

MD5 275019a4199a84cfd18abd0f1ae497aa
SHA1 8601683f9b6206e525e4a087a7cca40d07828fd8
SHA256 8d6b400ae7f69a80d0cdd37a968d7b9a913661fa53475e5b8de49dda21684973
SHA512 6422249ccd710973f15d1242a8156d98fa8bdea820012df669e5363c50c5d8492d21ffefcdfa05b46c3c18033dde30f03349e880a4943feda8d1ee3c00f952b0

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\lib\trace.js

MD5 e5c2de3c74bc66d4906bb34591859a5f
SHA1 37ec527d9798d43898108080506126b4146334e7
SHA256 d06caec6136120c6fb7ee3681b1ca949e8b634e747ea8d3080c90f35aeb7728f
SHA512 e250e53dae618929cbf3cb2f1084a105d3a78bdfb6bb29e290f63a1fd5fbb5b2fab934ad16bc285e245d749a90c84bdc72fdc1a77af912b7356c18b0b197fbe5

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\src\backup.h

MD5 29dd2fca11a4e0776c49140ecac95ce9
SHA1 837cfbc391c7faad304e745fc48ae9693afaf433
SHA256 556ba9af78010f41bc6b5b806743dc728bc181934bf8a7c6e5d606f9b8c7a2e9
SHA512 5785667b9c49d4f4320022c98e0567a412b48a790c99569261c12b8738bde0b4949d3998e2b375540ede2ff1d861cad859780ade796b71d4d1d692e1ed449021

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\src\database.h

MD5 de31ab62b7068aea6cffb22b54a435bb
SHA1 7fd98864c970caa9c60cfc4ce1e77d736b5b5231
SHA256 8521f458b206ed8f9bf79e2bd869da0a35054b4be44d6ea8c371db207eccb283
SHA512 598491103564b024012da39ac31f54cf39f10da789cd5b17af44e93042d9526b9ffd4867112c5f9755cb4ada398bf5429f01dda6c1bbc5137bea545c3c88453b

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\src\macros.h

MD5 b60768ed9dd86a1116e3bcc95ff9387d
SHA1 c057a7eebba8ce61e27267930a8526ab54920aa3
SHA256 c25be1861bd8e8457300b218f5fa0bba734f9d1f92b47d3b6ab8ee7c1862ccbe
SHA512 84e0670128f1d8712e703b6e4b684b904a8081886c9739c63b71962e5d465ac569b16cb0db74cb41dc015a64dcc1e3a9a20b0cf7f54d4320713cc0f49e0f7363

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\src\gcc-preinclude.h

MD5 55a9165c6720727b6ec6cb815b026deb
SHA1 e737e117bdefa5838834f342d2c51e8009011008
SHA256 9d4264bb1dcbef8d927bb3a1809a01b0b89d726c217cee99ea9ccfdc7d456b6f
SHA512 79ed80377bfb576f695f271ed5200bb975f2546110267d264f0ab917f56c26abf6d3385878285fe3e378b254af99b59bdb8bbcab7427788c90a0460eb2ee5b77

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\src\statement.h

MD5 0b81c9be1dc0ff314182399cdc301aea
SHA1 7433b86711d132a4df826bae80e58801a3eb74c9
SHA256 605633ba0fb1922c16aa5fbfffed52a097f29bf31cee7190d810c24c02de515b
SHA512 9cf986538d048a48b9f020fc51f994f25168540db35bdb0314744fdec80a45ba99064bc35fe76b35918753c2886d4466fdd7e36b25838c6039f712e5ac7d81b3

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\src\async.h

MD5 e8c5e5c02d87e6af4455ff2c59c3588b
SHA1 a0de928c621bb9a71ba9cf002e0f0726e4db7c0e
SHA256 cce55c56b41cb493ebd43b232ff8ffc9f5a180f5bab2d10372eca6780eb105f6
SHA512 ed96889e0d1d5263fb8fed7a4966905b9812c007fbb04b733cadbe84edc7179015b9967ff5f48816ff2c97acf4a5b4792a35cee1f8fce23e5fdc797f8ee0c762

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\src\threading.h

MD5 f2a075d3101c2bf109d94f8c65b4ecb5
SHA1 d48294aec0b7aeb03cf5d56a9912e704b9e90bf6
SHA256 e0ab4f798bccb877548b0ab0f3d98c051b36cde240fdf424c70ace7daf0ffd36
SHA512 d95b5fda6cb93874fe577439f7bd16b10eae37b70c45ae2bd914790c1e3ba70dfb6bda7be79d196f2c40837d98f1005c3ed209cab9ba346ada9ce2ed62a87f13

C:\Users\Admin\AppData\Local\Temp\nsi7F6D.tmp\WinShell.dll

MD5 1cc7c37b7e0c8cd8bf04b6cc283e1e56
SHA1 0b9519763be6625bd5abce175dcc59c96d100d4c
SHA256 9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6
SHA512 7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

memory/1696-907-0x0000015C5AE90000-0x0000015C5AE91000-memory.dmp

memory/1696-909-0x0000015C5AE90000-0x0000015C5AE91000-memory.dmp

memory/1696-908-0x0000015C5AE90000-0x0000015C5AE91000-memory.dmp

memory/1696-913-0x0000015C5AE90000-0x0000015C5AE91000-memory.dmp

memory/1696-915-0x0000015C5AE90000-0x0000015C5AE91000-memory.dmp

memory/1696-919-0x0000015C5AE90000-0x0000015C5AE91000-memory.dmp

memory/1696-918-0x0000015C5AE90000-0x0000015C5AE91000-memory.dmp

memory/1696-917-0x0000015C5AE90000-0x0000015C5AE91000-memory.dmp

memory/1696-916-0x0000015C5AE90000-0x0000015C5AE91000-memory.dmp

memory/1696-914-0x0000015C5AE90000-0x0000015C5AE91000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-09-22 01:08

Reported

2024-09-22 01:12

Platform

win10v2004-20240802-en

Max time kernel

145s

Max time network

150s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html

Signatures

Browser Information Discovery

discovery

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4336 wrote to memory of 1328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4336 wrote to memory of 1328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4336 wrote to memory of 4416 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4336 wrote to memory of 4416 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4336 wrote to memory of 4416 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4336 wrote to memory of 4416 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4336 wrote to memory of 4416 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4336 wrote to memory of 4416 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4336 wrote to memory of 4416 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4336 wrote to memory of 4416 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4336 wrote to memory of 4416 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4336 wrote to memory of 4416 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4336 wrote to memory of 4416 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4336 wrote to memory of 4416 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4336 wrote to memory of 4416 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4336 wrote to memory of 4416 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4336 wrote to memory of 4416 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4336 wrote to memory of 4416 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4336 wrote to memory of 4416 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4336 wrote to memory of 4416 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4336 wrote to memory of 4416 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4336 wrote to memory of 4416 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4336 wrote to memory of 4416 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4336 wrote to memory of 4416 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4336 wrote to memory of 4416 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4336 wrote to memory of 4416 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4336 wrote to memory of 4416 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4336 wrote to memory of 4416 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4336 wrote to memory of 4416 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4336 wrote to memory of 4416 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4336 wrote to memory of 4416 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4336 wrote to memory of 4416 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4336 wrote to memory of 4416 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4336 wrote to memory of 4416 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4336 wrote to memory of 4416 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4336 wrote to memory of 4416 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4336 wrote to memory of 4416 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4336 wrote to memory of 4416 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4336 wrote to memory of 4416 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4336 wrote to memory of 4416 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4336 wrote to memory of 4416 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4336 wrote to memory of 4416 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4336 wrote to memory of 5080 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4336 wrote to memory of 5080 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4336 wrote to memory of 1020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4336 wrote to memory of 1020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4336 wrote to memory of 1020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4336 wrote to memory of 1020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4336 wrote to memory of 1020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4336 wrote to memory of 1020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4336 wrote to memory of 1020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4336 wrote to memory of 1020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4336 wrote to memory of 1020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4336 wrote to memory of 1020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4336 wrote to memory of 1020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4336 wrote to memory of 1020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4336 wrote to memory of 1020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4336 wrote to memory of 1020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4336 wrote to memory of 1020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4336 wrote to memory of 1020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4336 wrote to memory of 1020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4336 wrote to memory of 1020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4336 wrote to memory of 1020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4336 wrote to memory of 1020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaba0546f8,0x7ffaba054708,0x7ffaba054718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,8346908789747594686,613806088716805746,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,8346908789747594686,613806088716805746,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,8346908789747594686,613806088716805746,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2896 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8346908789747594686,613806088716805746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8346908789747594686,613806088716805746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,8346908789747594686,613806088716805746,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5352 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,8346908789747594686,613806088716805746,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5352 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8346908789747594686,613806088716805746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8346908789747594686,613806088716805746,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8346908789747594686,613806088716805746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8346908789747594686,613806088716805746,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3516 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,8346908789747594686,613806088716805746,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5388 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 4dd2754d1bea40445984d65abee82b21
SHA1 4b6a5658bae9a784a370a115fbb4a12e92bd3390
SHA256 183b8e82a0deaa83d04736553671cedb738adc909f483b3c5f822a0e6be7477d
SHA512 92d44ee372ad33f892b921efa6cabc78e91025e89f05a22830763217826fa98d51d55711f85c8970ac58abf9adc6c85cc40878032cd6d2589ab226cd099f99e1

\??\pipe\LOCAL\crashpad_4336_TBZCKTFECDMWSXSH

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 ecf7ca53c80b5245e35839009d12f866
SHA1 a7af77cf31d410708ebd35a232a80bddfb0615bb
SHA256 882a513b71b26210ff251769b82b2c5d59a932f96d9ce606ca2fab6530a13687
SHA512 706722bd22ce27d854036b1b16e6a3cdb36284b66edc76238a79c2e11cee7d1307b121c898ad832eb1af73e4f08d991d64dc0bff529896ffb4ebe9b3dc381696

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 b3a494ca6e52fdd68bf0edfd91f7a7ee
SHA1 e5c0c9ab3becf51e1a7d2162832264831a96313f
SHA256 ccc637086b1c6574bbdf3f6b107ed14d5014d5facb255e7a5d34581680271edf
SHA512 e20aac6a5747c28568acef833db2d00d5a61e175ff7a2bf3e7741b4b6223ed193640e78032fa09e2d38a7954e62e5b6333e20b8bce0d276bd01316cd8a984809

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\6016565a-21a8-49bb-8cd4-eb83d0002b5a.tmp

MD5 d6e029cc1995d059e5daf8caebc252da
SHA1 20b21b7aa3d33c7fca7dce5b121529de6c3243fb
SHA256 cc46f721ca4a540e3d078d215e1cb3f5f0153301e847e3785d9088e8a29f430c
SHA512 04628599f1d185cbe7fac9e2e86a5e15481c4bb72d83da5b1818010b190fda5411e91c8e4b8216118d817cd8da81abe244ed30a2ce50e754c9edf0234a282ba8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 7d46022852c5ed0a058e3cc1384e776c
SHA1 85533d607a970a4ecd7ca3d90f88068c9805f4c5
SHA256 0f9c0adbe1f9abd9a8cbe6ecc4aedf3be1517496329b7331797317c9a98aa642
SHA512 6e37e30e81899ad724e92c1dddfcc5dbeedf9f90c5d1e07da39fdf83fc3160ca812e389ad98b6219a0c79a80564df1ff2b85440a03bd1710cb88e51ed8750f8f

Analysis: behavioral30

Detonation Overview

Submitted

2024-09-22 01:08

Reported

2024-09-22 01:12

Platform

win7-20240903-en

Max time kernel

122s

Max time network

124s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\sqlite-autoconf-3440200\configure.vbs"

Signatures

N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\sqlite-autoconf-3440200\configure.vbs"

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-22 01:08

Reported

2024-09-22 01:12

Platform

win7-20240708-en

Max time kernel

119s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3260c1e806429a61577901fcdf070a19d150730fbfc12c626279fd032d1b0d30.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe N/A

Checks installed software on the system

discovery

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3260c1e806429a61577901fcdf070a19d150730fbfc12c626279fd032d1b0d30.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\find.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3260c1e806429a61577901fcdf070a19d150730fbfc12c626279fd032d1b0d30.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2964 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\3260c1e806429a61577901fcdf070a19d150730fbfc12c626279fd032d1b0d30.exe C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\3260c1e806429a61577901fcdf070a19d150730fbfc12c626279fd032d1b0d30.exe C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\3260c1e806429a61577901fcdf070a19d150730fbfc12c626279fd032d1b0d30.exe C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\3260c1e806429a61577901fcdf070a19d150730fbfc12c626279fd032d1b0d30.exe C:\Windows\SysWOW64\cmd.exe
PID 2408 wrote to memory of 2436 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2408 wrote to memory of 2436 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2408 wrote to memory of 2436 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2408 wrote to memory of 2436 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2408 wrote to memory of 2328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe
PID 2408 wrote to memory of 2328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe
PID 2408 wrote to memory of 2328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe
PID 2408 wrote to memory of 2328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3260c1e806429a61577901fcdf070a19d150730fbfc12c626279fd032d1b0d30.exe

"C:\Users\Admin\AppData\Local\Temp\3260c1e806429a61577901fcdf070a19d150730fbfc12c626279fd032d1b0d30.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq OGFnPatcher.exe" /FO csv | "C:\Windows\system32\find.exe" "OGFnPatcher.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist /FI "USERNAME eq Admin" /FI "IMAGENAME eq OGFnPatcher.exe" /FO csv

C:\Windows\SysWOW64\find.exe

"C:\Windows\system32\find.exe" "OGFnPatcher.exe"

C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe

"C:\Users\Admin\AppData\Local\Programs\patcher\OGFnPatcher.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nstAD12.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

\Users\Admin\AppData\Local\Temp\nstAD12.tmp\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

\Users\Admin\AppData\Local\Temp\nstAD12.tmp\SpiderBanner.dll

MD5 17309e33b596ba3a5693b4d3e85cf8d7
SHA1 7d361836cf53df42021c7f2b148aec9458818c01
SHA256 996a259e53ca18b89ec36d038c40148957c978c0fd600a268497d4c92f882a93
SHA512 1abac3ce4f2d5e4a635162e16cf9125e059ba1539f70086c2d71cd00d41a6e2a54d468e6f37792e55a822d7082fb388b8dfecc79b59226bbb047b7d28d44d298

\Users\Admin\AppData\Local\Temp\nstAD12.tmp\nsExec.dll

MD5 ec0504e6b8a11d5aad43b296beeb84b2
SHA1 91b5ce085130c8c7194d66b2439ec9e1c206497c
SHA256 5d9ceb1ce5f35aea5f9e5a0c0edeeec04dfefe0c77890c80c70e98209b58b962
SHA512 3f918f1b47e8a919cbe51eb17dc30acc8cfc18e743a1bae5b787d0db7d26038dc1210be98bf5ba3be8d6ed896dbbd7ac3d13e66454a98b2a38c7e69dad30bb57

\Users\Admin\AppData\Local\Temp\nstAD12.tmp\nsis7z.dll

MD5 80e44ce4895304c6a3a831310fbf8cd0
SHA1 36bd49ae21c460be5753a904b4501f1abca53508
SHA256 b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592
SHA512 c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\ffmpeg.dll

MD5 ed10fd2777a030b2895d2f555207f1b3
SHA1 81448e7a72e49eff746abbedea503139b7eadbdd
SHA256 996aed5bb751d70e215bcc3e5be2ed28fb54412af05031c592df101b51232e0c
SHA512 435f33fd11fc25a495726401211ed87771c831eab8916b8bb9520bf0f799646f911b22716f090849bfc85e2372cd28aa1c9de46f9d613929993ef009955173e9

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\d3dcompiler_47.dll

MD5 a7b7470c347f84365ffe1b2072b4f95c
SHA1 57a96f6fb326ba65b7f7016242132b3f9464c7a3
SHA256 af7b99be1b8770c0e4d18e43b04e81d11bdeb667fa6b07ade7a88f4c5676bf9a
SHA512 83391a219631f750499fd9642d59ec80fb377c378997b302d10762e83325551bb97c1086b181fff0521b1ca933e518eab71a44a3578a23691f215ebb1dce463d

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\chrome_100_percent.pak

MD5 3c72d78266a90ed10dc0b0da7fdc6790
SHA1 6690eb15b179c8790e13956527ebbf3d274eef9b
SHA256 14a6a393c60f62df9bc1036e98346cd557e0ae73e8c7552d163fa64da77804d7
SHA512 b1babf1c37b566a5f0e5f84156f7ab59872690ba0bdd51850525f86769bfebc245f83988a3508945cf7617d73cd25e8469228974dd2c38415388b6a378552420

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\chrome_200_percent.pak

MD5 3969308aae1dc1c2105bbd25901bcd01
SHA1 a32f3c8341944da75e3eed5ef30602a98ec75b48
SHA256 20c93f2cfd69f3249cdfd46f317b37a9432ecc0de73323d24ecf65ce0f3c1bb6
SHA512 f81ed1890b46f7d9f6096b9ef5daab5b21788952efb5c4dcd6b8fd43e4673a91607c748f31434c84a180d943928d83928037058493e7e9b48c3de1fc8025df7f

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\libEGL.dll

MD5 e3f6c7b1316f7ca06ee178377ce16ff7
SHA1 f546da89ec0d3ef238892be8f2dd697d411518bb
SHA256 ff6d4f18492a704b4b9d853abdcc73a4fa561b0c685619508e25afaf4e4800b9
SHA512 cad4026efc48192c4904a4b0ec583d2e24b94f8a5f91824716eddb32477512799b10a4f9cc7a2976a25ca0d333bb1c68bb98b1d0f9bd7020e0e31be7d950720b

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\icudtl.dat

MD5 ffd67c1e24cb35dc109a24024b1ba7ec
SHA1 99f545bc396878c7a53e98a79017d9531af7c1f5
SHA256 9ae98c06cbb0ea43c5cd6b5725310c008c65e46072421a1118cb88e1de9a8b92
SHA512 e1a865e685d2d3bacd0916d4238a79462519d887feb273a251120bb6af2b4481d025f3b21ce9a1a95a49371a0aa3ecf072175ba756974e831dbfde1f0feaeb79

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\libGLESv2.dll

MD5 ac216b22cb7ca21d9803ae6b111792e5
SHA1 f6678626aa522628110315889ca744572549bb73
SHA256 3cd10952ba73ba4a36f5ec92dcbb0893092bfc8d77a381f6f9f3090b0ecfbb50
SHA512 df344f79ff5d4e38b451bea948c234b63af0402565097082a082b44a4efb9e0ed367884875cbc817237b7ae7ac126fc7de0e8615504923b8db553c1a3a985a90

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\LICENSE.electron.txt

MD5 4d42118d35941e0f664dddbd83f633c5
SHA1 2b21ec5f20fe961d15f2b58efb1368e66d202e5c
SHA256 5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d
SHA512 3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\LICENSES.chromium.html

MD5 f017c462d59fd22271a2c5e7f38327f9
SHA1 7e1bbeea6ac2599bd0f08877aa5811d32f1aceb9
SHA256 40f314c778851106918aae749d75b2d913984327602a1bfb7ef0cc6443ff2a37
SHA512 72177281486f6ec26ccc743b43481c31470c7dd53f17b0a67ac087dded190c2e3dde5570260150c2e9650186a515740af7f81e31965c95bb762340f9ac100c07

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\resources.pak

MD5 d3fef960b0aac7b5d40e37b09f91f9ba
SHA1 dc5093fecf59150877f439a04bdb3912f13ed905
SHA256 c2dad6a9f8bf1b552fa94a51cadb6ed6a4e5a6455bcebf3c2888f0a6a3d6c8c2
SHA512 5be574b28b67ebd13acb764e15aaae6c3fb861a1cf16e4132fec8fe90b4fb70d49314609bd173c8de6299531f5520fe95ae080112efd2f7e89a6e174532bc458

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\snapshot_blob.bin

MD5 7ad5356f81d38002220b82f64cebe230
SHA1 11f047ffb7b90a40ca17c796b0a306d4b250ed7f
SHA256 31969e154d3cd857d14e9d8edb98118ad2d5e9e9f1b77f9085626bd500e34ce1
SHA512 862d0027b13ef4527a45b010d35142583c1f02f7691b093774eb5bb066b623ba7b8c0bb65a2e75641381c8ffa6a24c7116d1a9a984143ad13d0a0d61adfa3c0c

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\v8_context_snapshot.bin

MD5 8b8485c02d1fb639085dcb2b1af02c6e
SHA1 fe4e7115aef2c161c5995a621bf614a502f04910
SHA256 98c18470926e12def4c39163c5389f29c5df7d2a41bf7353a75a7cdc41f1a90c
SHA512 c2f24848a75c5330d1be5bde3213064f2b0feb13b8708d795249961605a09913aab1fc78b850f4ea3f7c76c74a8238816f5654a4fad5c11a78ce86b8b9cdd521

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\vulkan-1.dll

MD5 8f939b8bbffc7e1083e938adc4b5aea7
SHA1 ce03fd0ec3c11fbbc51b6fef044bea7915991aa9
SHA256 7d411fa0a615d0f67099fc3978b3f07e28565b9877cce02ec239eb228fa4d485
SHA512 bed9ac52e82dcf3e8233d90f1f0986ce6371338299a7efc490d89955d869e2b16874cd2258b4217971269f19fb1589530fe2d870d65610a878f2633f0cf4e0af

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\vk_swiftshader_icd.json

MD5 8642dd3a87e2de6e991fae08458e302b
SHA1 9c06735c31cec00600fd763a92f8112d085bd12a
SHA256 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9
SHA512 f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\vk_swiftshader.dll

MD5 ed0ffde1854aa8b1dc64835b48833d32
SHA1 5aa09092b982e8ae1ca73f713d6f51a30248b64a
SHA256 1a24356be288e742549a20c62de9259b2e1cf8bd560151ff7a24d4ae1a4652a2
SHA512 59fd3b9153b2d777a707c7f2aedf2b7be701c18fb1b9e79d32381dacca22768c6461c575271aee960d7c41fadeba75f8cde41fc8a229c2e49823bbb5853b69a1

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\locales\af.pak

MD5 09455048c30cecbb17d6e0e95e4c01da
SHA1 6572850b07df45933ed57754f72c44895a7ef662
SHA256 e973763dcc0ffd7a5afe0a62ec9651c4c3db7fe29a23797fafc34b83512d03aa
SHA512 f59b68c213815ad81379c964abe6597b900b9fac5fe17e2cb378d015c4803f96b598ef70333d594599b3283a88a9ca9cb2475afc2590eda2ddf7b041ba2368e3

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\locales\bn.pak

MD5 ea7cf62cd5373f016ee15773394cc33d
SHA1 582299514e86802707fd6e45a170da7a5b5f3da0
SHA256 dedf3a8c24b13eafd99d9bc44dfc4d7a74f01eda532e05c8d61b4457f348fd09
SHA512 482ce2f374e5bba511e60843736811ab1f8d3aa52a020c78505e95b1ad0a924531a952ff792116ef7ef55cf027640ac88885f13513757c8883b37d7ae57c9a13

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\locales\cs.pak

MD5 bb1c4ba9859b0a43a42021f39b8b750d
SHA1 02b2505d3955f15b6655bee9c92d7bbfaad6ddc3
SHA256 814990ab6af4acb4acd44b0f07fafd4375724facf4e3080014ce7b8b9e935fb9
SHA512 941cf4d334dbea7cc790cb8ba11e959d5a45381e7efdbae1e659d27540fd80247bb71820a90af6164d76cabbb283dbf3b652c29e0ded3832dcc21e3a88f7d0b6

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\locales\el.pak

MD5 14f52763959d29febddbe25c86336e70
SHA1 dbde678a721d4fba97d5bf2703faac230794128c
SHA256 7134776724c07c2df17f6ba0c3c26a2a536d512e913d1d9c5585e600895e695a
SHA512 1f49a299a9fe76ab93a30ac17e1bbf3eddb20c6278740d7739e0044f867f35e65a0cd98654ab0ed60a43e268eb7258768cb8f35a254fbf31bf22ff4af7c3f96d

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\locales\et.pak

MD5 96febc2a296af99758050eef3ed97712
SHA1 26f8751ccfe0b1bed9db532dbac1034a02b7f48a
SHA256 678e50d9785c14f205baff60760decf64f765a98863e000abe44dcc6f22b5d0d
SHA512 bfc8a9051360338c61dc46040b006808b57ee20ce170c4645bf5fd83a643c3107bbc1752fd2486a9ab8250a84ff0cf832f381c523cc49cd08486eae489c4d45e

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\locales\he.pak

MD5 41227774510c0d2ea4637dbffe500000
SHA1 3d8a20158dee92d5b5ce1a2c852352a50ae62282
SHA256 90f11a1c09fcc4a5fd5d6f753bea04af93ff8ddf4372a5f84a15fc2ccb444c95
SHA512 40e8a5d8c3e1b481074da9bb48ad82a64849386d9512ecee8fd426d6def32a8930fab316e3c5d686d7706b6bc975913d7d75e69a0c150b74dc8bb45620e82140

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\locales\lt.pak

MD5 b02bf54687716b5d5f18aee02411a980
SHA1 4cf766077382c49fb89d59d861de0f482f989798
SHA256 0b0e3fcb82ddca52f9eb1ff9e1ee224639ff81f1c0af6ded4e21944811babc0b
SHA512 aea879ac96a5719e8988011a7b82726bf51a24e170e260182146191f43914cd50991928d2283277d173ad650f7cfb1246fad9445260e9ca0769052079d431f25

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\locales\ru.pak

MD5 8243216c5cf42451a8705fdc0a5b8b5c
SHA1 76decf1dfffdc775c5b285436573c8583f214119
SHA256 f6538645321dfa0f2ee3f17284ff72800f6a678df3f5b7d729d02a4496adcce1
SHA512 508c9b4d81b9d09a1306dfe707faaac9072d2c194ccddccbad2bed871c68a78a3e8f527fd8f9ee67d08f6147def43ac2dc43deed9797a98cb5d80c0486fbf8ad

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\locales\vi.pak

MD5 8f8a783772b0b3ed9e1858074a3106c4
SHA1 fdfa166ddfc0e9101bdcf5e76d422b29444d4772
SHA256 ad778e5e76648700192dfb6a27c6be743935de00e3a75f208f3c1d3f6d3fd1c9
SHA512 690a006b94cc8a34ac0fa904b2c175688cd1468385537bd3927a91550c137086a8ce75a2794be0126bc0eb44a498b01bf94c05237895a82125016c7463b4f161

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\build\Release\node_sqlite3.node

MD5 66a65322c9d362a23cf3d3f7735d5430
SHA1 ed59f3e4b0b16b759b866ef7293d26a1512b952e
SHA256 f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c
SHA512 0a44d12852fc4c74658a49f886c4bc7c715c48a7cb5a3dcf40c9f1d305ca991dd2c2cb3d0b5fd070b307a8f331938c5213188cbb2d27d47737cc1c4f34a1ea21

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\src\backup.h

MD5 29dd2fca11a4e0776c49140ecac95ce9
SHA1 837cfbc391c7faad304e745fc48ae9693afaf433
SHA256 556ba9af78010f41bc6b5b806743dc728bc181934bf8a7c6e5d606f9b8c7a2e9
SHA512 5785667b9c49d4f4320022c98e0567a412b48a790c99569261c12b8738bde0b4949d3998e2b375540ede2ff1d861cad859780ade796b71d4d1d692e1ed449021

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\src\threading.h

MD5 f2a075d3101c2bf109d94f8c65b4ecb5
SHA1 d48294aec0b7aeb03cf5d56a9912e704b9e90bf6
SHA256 e0ab4f798bccb877548b0ab0f3d98c051b36cde240fdf424c70ace7daf0ffd36
SHA512 d95b5fda6cb93874fe577439f7bd16b10eae37b70c45ae2bd914790c1e3ba70dfb6bda7be79d196f2c40837d98f1005c3ed209cab9ba346ada9ce2ed62a87f13

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\src\statement.h

MD5 0b81c9be1dc0ff314182399cdc301aea
SHA1 7433b86711d132a4df826bae80e58801a3eb74c9
SHA256 605633ba0fb1922c16aa5fbfffed52a097f29bf31cee7190d810c24c02de515b
SHA512 9cf986538d048a48b9f020fc51f994f25168540db35bdb0314744fdec80a45ba99064bc35fe76b35918753c2886d4466fdd7e36b25838c6039f712e5ac7d81b3

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\src\macros.h

MD5 b60768ed9dd86a1116e3bcc95ff9387d
SHA1 c057a7eebba8ce61e27267930a8526ab54920aa3
SHA256 c25be1861bd8e8457300b218f5fa0bba734f9d1f92b47d3b6ab8ee7c1862ccbe
SHA512 84e0670128f1d8712e703b6e4b684b904a8081886c9739c63b71962e5d465ac569b16cb0db74cb41dc015a64dcc1e3a9a20b0cf7f54d4320713cc0f49e0f7363

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\src\gcc-preinclude.h

MD5 55a9165c6720727b6ec6cb815b026deb
SHA1 e737e117bdefa5838834f342d2c51e8009011008
SHA256 9d4264bb1dcbef8d927bb3a1809a01b0b89d726c217cee99ea9ccfdc7d456b6f
SHA512 79ed80377bfb576f695f271ed5200bb975f2546110267d264f0ab917f56c26abf6d3385878285fe3e378b254af99b59bdb8bbcab7427788c90a0460eb2ee5b77

\Users\Admin\AppData\Local\Temp\nstAD12.tmp\WinShell.dll

MD5 1cc7c37b7e0c8cd8bf04b6cc283e1e56
SHA1 0b9519763be6625bd5abce175dcc59c96d100d4c
SHA256 9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6
SHA512 7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

memory/2964-686-0x0000000002FB0000-0x0000000002FB2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\src\database.h

MD5 de31ab62b7068aea6cffb22b54a435bb
SHA1 7fd98864c970caa9c60cfc4ce1e77d736b5b5231
SHA256 8521f458b206ed8f9bf79e2bd869da0a35054b4be44d6ea8c371db207eccb283
SHA512 598491103564b024012da39ac31f54cf39f10da789cd5b17af44e93042d9526b9ffd4867112c5f9755cb4ada398bf5429f01dda6c1bbc5137bea545c3c88453b

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\src\async.h

MD5 e8c5e5c02d87e6af4455ff2c59c3588b
SHA1 a0de928c621bb9a71ba9cf002e0f0726e4db7c0e
SHA256 cce55c56b41cb493ebd43b232ff8ffc9f5a180f5bab2d10372eca6780eb105f6
SHA512 ed96889e0d1d5263fb8fed7a4966905b9812c007fbb04b733cadbe84edc7179015b9967ff5f48816ff2c97acf4a5b4792a35cee1f8fce23e5fdc797f8ee0c762

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\lib\trace.js

MD5 e5c2de3c74bc66d4906bb34591859a5f
SHA1 37ec527d9798d43898108080506126b4146334e7
SHA256 d06caec6136120c6fb7ee3681b1ca949e8b634e747ea8d3080c90f35aeb7728f
SHA512 e250e53dae618929cbf3cb2f1084a105d3a78bdfb6bb29e290f63a1fd5fbb5b2fab934ad16bc285e245d749a90c84bdc72fdc1a77af912b7356c18b0b197fbe5

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\lib\sqlite3.js

MD5 275019a4199a84cfd18abd0f1ae497aa
SHA1 8601683f9b6206e525e4a087a7cca40d07828fd8
SHA256 8d6b400ae7f69a80d0cdd37a968d7b9a913661fa53475e5b8de49dda21684973
SHA512 6422249ccd710973f15d1242a8156d98fa8bdea820012df669e5363c50c5d8492d21ffefcdfa05b46c3c18033dde30f03349e880a4943feda8d1ee3c00f952b0

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\lib\sqlite3-binding.js

MD5 8582b2dcaed9c5a6f3b7cfe150545254
SHA1 14667874e0bfbe4ffc951f3e4bec7c5cf44e5a81
SHA256 762c7a74d7f92860a3873487b68e89f654a21d2aaeae9524eab5de9c65e66a9c
SHA512 22ec4df7697322b23ae2e73c692ed5c925d50fde2b7e72bfc2d5dd873e2da51834b920dea7c67cca5733e8a3f5e603805762e8be238c651aa40290452843411d

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\deps\sqlite3.gyp

MD5 0e4d1d898d697ec33a9ad8a27f0483bf
SHA1 1505f707a17f35723cd268744c189d8df47bb3a3
SHA256 8793f62b1133892ba376d18a15f552ef12b1e016f7e5df32ffb7279b760c11bd
SHA512 c530aba70e5555a27d547562d8b826b186540068af9b4ccd01483ec39f083a991ac11d0cc66f40acaa8b03d774080f227ee705a38995f356a14abe6e5f97b545

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\deps\sqlite-autoconf-3440200.tar.gz

MD5 c02f40fd4f809ced95096250adc5764a
SHA1 8398dd159f3a1fd8f1c5edf02c687512eaab69e4
SHA256 1c6719a148bc41cf0f2bbbe3926d7ce3f5ca09d878f1246fcc20767b175bb407
SHA512 59ad55df15eb84430f5286db2e5ceddd6ca1fc207a6343546a365c0c1baf20258e96c53d2ad48b50385608d03de09a692ae834cb78a39d1a48cb36a05722e402

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\deps\extract.js

MD5 f0a82a6a6043bf87899114337c67df6c
SHA1 a906c146eb0a359742ff85c1d96a095bd0dd95fd
SHA256 5be353d29c0fabea29cfd34448c196da9506009c0b20fde55e01d4191941dd74
SHA512 d26879f890226808d9bd2644c5ca85cc339760e86b330212505706e5749464fafad1cb5f018c59a8f034d68d327cd3fa5234ceac0677de1ac9ae09039f574240

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\deps\common-sqlite.gypi

MD5 0ad55ae01864df3767d7b61678bd326e
SHA1 ffedcc19095fd54f8619f00f55074f275ceddfd6
SHA256 4d65f2899fb54955218f28ec358a2cad2c2074a7b43f862933c6a35e69ae0632
SHA512 aaee895d110d67e87ed1e8ed6557b060a0575f466a947a4f59cc9d111381e1af6aa54d432233716c78f146168d548a726fed1eab2b3f09bb71e0ae7f4fdc69e3

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\package.json

MD5 174bf28fccd7fdb6f0766f31fac3060d
SHA1 655f465658957fbdf935fcb7df0b97c93807147b
SHA256 91008a93e604674024bd65569670af5b01f1e4caf86cde50835ee58f59a5dc61
SHA512 fa1be386a3d74767731aa5ad44ff4d89fb456e7feabde2a6e6f238ed4608a80962cadd6b7ff96f15e306a8e819221b66051fa5a7b0658ad52a2efb488492ff83

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\LICENSE

MD5 79558839a9db3e807e4ae6f8cd100c1c
SHA1 ae3dbcee04c86fbc589fcf2547d4aaaeb41db3c2
SHA256 7686f81e580cd6774f609a2d8a41b2cebdf79bc30e6b46c3efff5a656158981c
SHA512 b42c93f2b097afa6e09d79ed045b4dd293df2c29d91dda5dda04084d3329b721a6aa92a6ad6714564386a7928e9af9195ac310deecd37a93bb04b6a6f744be46

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\resources\elevate.exe

MD5 792b92c8ad13c46f27c7ced0810694df
SHA1 d8d449b92de20a57df722df46435ba4553ecc802
SHA256 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37
SHA512 6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\resources\app.asar

MD5 feba07fa3221979f9961c5d5c24e508d
SHA1 b316be8390e8558fd607ffa3d08acfa65c0be008
SHA256 7f7b8986bfcf882d8d13d299db2bdf4b971084202d499d77a070d13ad8b20f85
SHA512 2ff94d45be7239563ac9fca3a62a2ebea59e39c0451e114b9e291b228cf573116eb1e9049cf966382c172b79c215f00fcc0d97841641d54ef6ff8475e4ac61e3

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\locales\zh-TW.pak

MD5 fb25eb737df0e863cd83b0472249b64f
SHA1 3f9d0d847bb9eea9bc5c89371fd4665da1a485f0
SHA256 f1bd51245e56bcf324a8a94c4a572be031f2fd0db4d828471e563f64d8ecc79d
SHA512 075bb8edd2743e980cb842ad359a16023a3280c560ccdd17150e7cdc179fbcd0de3415ab591d7877ac3a8dad84fe8defb0059fa0d3468553230d27b7d1bd7c03

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\locales\zh-CN.pak

MD5 6e7c237143cc765ac3abbe0685fa2afe
SHA1 40166c23aa75b8079ca16db2f5bcc938dfac312a
SHA256 9cda0f5736ab40650d10dd93f35316c45d5db9c596b270a9476cdd19d624c7d1
SHA512 2c2b6c50e52e1613f1976c86670dab5c4a7b06ff1746da0737bcc72271fe7531d8d909de2064cc2086c4b04352325fafb9c8bb181bc074dd62ba0e7a607fe011

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\locales\ur.pak

MD5 bb7d36ea38a066f9939b858ca3bba8d8
SHA1 78a18e7d6e82ebe9f99161432ac0363928d2c2d1
SHA256 8ab35f7d357a38922acc42c663089ef4e0ef42ce56e212c26507bd110c8e8967
SHA512 1b4a82c5065170c551de28812f6c99cd47a22209d97cf0723197bad15872d98fffba0cdf4db87440a84fc9cd0d2a3cd771074b254f12fd7658e7f9aad732a854

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\locales\uk.pak

MD5 7d6b378c369e8a132a1134ffb3921d26
SHA1 1c3c9c67613a4798ab2d4bdaaa0fe5ad80eee876
SHA256 e8ffe116ebbdaace51d9e62fe3c119eb354b244a8395f82d61b67dc8e3b3abb7
SHA512 edc526149fef6530c25a13725f33f7a4e9bb56b1b28fb1936609edc4c195153d5276d4ff61d7be9c2cf99835273809502168d7c8b0049c6b670ee226eab8e6ff

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\locales\tr.pak

MD5 d03ea83a0ed60cdd6607d16cfbaadb7a
SHA1 8463e4a4985ce85efb7b7b1b54e384f7043dced9
SHA256 5fba0fce51cc3f9767d2cfdaef1192507f18b83235879aacc8f63b30880c8f00
SHA512 3c7c7e6b98372bff436acbb31f4e0205c8b797221162f969464dad88fcace1d5f445b57beef96526c1610cfb3a589aa5c120fa6cceb06dc6bdaeddefe8de72e2

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\locales\th.pak

MD5 b60a9df804f0f3b0f1c11f1d6bd9ba7e
SHA1 104970e408e1a138cac373d2938691f82ee8e52b
SHA256 6cf15aee57658d55ea0ff07dae2fbad7981093e7acf54014347307e3bd1aad08
SHA512 ebd852b91b37b53f40f0e7e987d3814a3f7f273a6291ba18b4c6df9def01c9ec879e067bf542f0ad2efb1755af1180ac5a51d772ec61529eddd1d1e80c3c2e82

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\locales\te.pak

MD5 352b392c6e074a1b77a833b3534cc710
SHA1 49465bb9bfd3b82ceacda34e81be8e04f20e275e
SHA256 4f565637cf197a38c3f2a650cdfac05995fee8da2b9216998ab3ef7937ce7e74
SHA512 b9115987bef17dc05ff4c434d5dcee3e36c706015cf02592c154b60910bf86de578becf8470967bfcc7a28063155be6934f0d26713bd6f14ae4e3d637b4df69c

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\locales\ta.pak

MD5 d23049c7d1e0f829ad88274784927547
SHA1 efaa69205c4811af251d7ccaaa9c7cf81c10d6c2
SHA256 9e3e0c909becc8bdf9c7cc1f9e401c464e7756e30369d40c709ea2dd942660c9
SHA512 839b2323bc02ca605354d7f23474b9de1a9525fdfc9814d5773984090d1dee8dbd925078687bfdfffb416666701e42513e3bdee8aedfc3281194aa18e9e33ad7

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\locales\sw.pak

MD5 b49abf12ae1a019f170dbe514a9341f0
SHA1 a17d7ce05d6e75563d364e8e97be70bbed5b2ab6
SHA256 d85642b0783e1999fadf82aedfcaaf03a35572ca15a9e4f9eb8e1fcaca2ce29c
SHA512 147e80cd5c521bdba44778a6f605e330a589482625d4229bc6b0754edb1b41e8e1ebfa7dffe4c0ffb9d9342a95fef8f9109935a9b9d111e21af1e70b0806fa70

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\locales\sv.pak

MD5 69fc76751f44f10e32009b09268f2e38
SHA1 66d31349c8f5acedfe384f9525b6db4bed9acd4e
SHA256 a851c7537b895145f45f395c92ca273610f19f109c959b368672a5a92175aa83
SHA512 c9912382da93d3669832a77c66a64232b438eb6fa4ca6bc2243b0c11dbedef940f45d290fc6934312e3a1ce396f7b14821ce433388132e0e8634c1fa7400dad0

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\locales\sr.pak

MD5 6f327ce1d0e7131c483be9ee0c6a1c21
SHA1 26da43c4b16b6b0e2de9a8ed85cd63c202acf00a
SHA256 068c3f92a20c5202b592e26078d6aca908d39e2fc325a605166e7235a73366b2
SHA512 f36b99a76130f08d8c3f2c98add812f6a1a0815d4f895c697486a195bf04b8f43e591c73da34cfb40c07d9153466ea727dc644b9f9424cd4fc4b021d1a98f215

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\locales\sl.pak

MD5 4072bad3315b78fd05787a9fb97e9af6
SHA1 267209a3bde1b362351ea473874d5d40d9ef30ed
SHA256 10676c91bac7b80d314a1d7a934bebc5104ed730bd4eb78d84c497f7e07b5510
SHA512 9a858d4d11f7476b030f3c9bb852a70ae501f34afa0eae2756f2ad59d8dab9983a4b5dffa11b9b7eb578fd52b3ed72094b807b82b93b4c4536ce59309fc0fab3

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\locales\sk.pak

MD5 f987110e03dff6a6104d3c9767139439
SHA1 0817884ab9064978de99909e7e376d067019e1b9
SHA256 4fabe714236712d691908751b42e947fb03a4b1a439e7a84335e7f18f87625e3
SHA512 91a609fa129394ae23590c72a6007bb6591e4e08342ff0d6ba184c8eb09413ed294ca15f13b92f7558823523a0272f5af6841d7e426177c803be1062f9842d9b

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\locales\ro.pak

MD5 5d5a27c52ae905fd85f5d50cb793e7ca
SHA1 b858bba1ef66c4d3943be19a4bf8a508c23e6671
SHA256 9ff47f6890b3f543bc51015f263e791d8a3bc332098f8cd8199852fa131fa579
SHA512 f4754951ff0dd3f1ec2c0859a93422330145f9e4e3407bb7f95863c85227b96d3f8af449c0a051b60f333df3695eea5df70fd5f7fe4916e60eb6f7c4c21aa5e2

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\locales\pt-PT.pak

MD5 62071f5b1b93161b03b66faa3e0ec71a
SHA1 969d82d8d0b2b82e7cb9af7f59825ba211b0ca8f
SHA256 953f8245585ebb637b2d2134b24118f2baa9c28211ea007a8605fa57c7df21f5
SHA512 b463844e7d620076a4cc11d5ad3e9aae52f0375f5eea16f5621a30043ba570baaf3c42050bff7d740eb9bd8274c190787a9d7d57bcffddba62eaaa8b7c4523bb

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\locales\pt-BR.pak

MD5 75d9da45b6a34aed360c0897dc956418
SHA1 90f15ceb5cf0cbaef021de42acaae323c9023cb8
SHA256 77d29b746b4028ae7072d5f74ffe1cbdc66b180a36eeed71e52ef1f7b824cddf
SHA512 df2d0ef49e4f836d5209f53254cb58b76d13a36eee14ae559f6fbe0be6b8421cde4152f48d44997c81ffb32e089ea46bd4a9de85e1bbd12dfcdcb356f1798629

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\locales\pl.pak

MD5 8cea9672f132573e143fc742ff1f7d00
SHA1 2eda91defa08ac7d27c082e4b85120d347dd39ca
SHA256 6257145654f4e47c21ef2b91fe69fc386c1e228a89a658418532a2934433cd7b
SHA512 25579e0535569f0a2855d02df0e2b36dc391a0d3cc54d2ee2b23184836caf8a3ec4c590704a9604666307e1e6e01d72311f76bff7210cecf18ab20d4f3c309f0

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\locales\nl.pak

MD5 f4c35847247ff2c58a68c35718e3f358
SHA1 17f8af1473eb3bf8bdb3d16711bb359b59cbaf4a
SHA256 a400121adbb26c97a95e3f573f370ec2c37fd435132828c04b467dac47352904
SHA512 6179e275c71a9df4a7da517944048a782a2cb3f16c164ead8c788efc5c56e155c9770530a4fea9360ab478b78c233e183ee8afdf17c8cb871848b09a609c1f12

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\locales\nb.pak

MD5 bc18e28f676138795d19d95e73e3f246
SHA1 f4ae51b49a69b4a32f2dd8c09784ebde1e6d018a
SHA256 1df78fd35431f167def5c496e441775a265d3eb1e64a4cc0fb7fe0201c1ce8b8
SHA512 3620554d7e614373038c278a7bc6a9388fb66abbeba28d0935f2a2f7203a8510b264a6df85e70e3b82e08588611e48a64e4e1c91470f72c95c05cfb8649e8c52

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\locales\ms.pak

MD5 04f12811567c0f00bb35b488f4579425
SHA1 64f43b7b172e392daf1fe48e22324fd8dc2a3924
SHA256 1af4b9a66ca413dc3a0785f2b1527c237bdd05ba5768fe077aaf8af0f1c50dff
SHA512 a03fd120e9f31aab03fece30032f84b63060d5dd264e0bf04c85eb92a392d36a0c4122817b0d414a266305ad70efb067319aba38e100aa8c37ab65c3604c4ea6

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\locales\mr.pak

MD5 af7c7d72a968e1936f26a3c755157f6b
SHA1 2ec71950847f5fb4b85697b6acd05224c28bb092
SHA256 e5702b9578435abbbcc922f1d4ff8c5a345856926c2174c329e228987c3ac7d5
SHA512 d265eeee96adafc3ced76901c9263bc1cb349caf925a02d5deb010c02843fb653a17e1e8a4e942c9912f654316c4a7a1776e6a7eda56ab82ae9d4d077a58a929

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\locales\ml.pak

MD5 265d7fbee9a021895d51209dc0181f90
SHA1 30e37013971bacd3ee93ad2fca01cb59a26d6a87
SHA256 682463d4a0221711e565ecf409893536d727650efd2ed0563c722cceab66b1ad
SHA512 028e1ad499b20ff7cda822b91f9b8d1cbb1efe108b7236d817b73a6f8e518b5f4a8ae77d653ae5c9d799842eaee3915250ef56f634f847fc5fc8a3b36eea176c

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\locales\lv.pak

MD5 df9985ecfc958f343ab7e56e71149d71
SHA1 fc0d2c4a194d500a1f4cfafcd9102186016ba5a3
SHA256 7e17246e23ca2d0241d56d91b5d5e6bfb3ff4e08f1a3734f9d032b4191282fa2
SHA512 0dd65eed7a5bccee0ac5e2826f0cceed848dff0d0d41904e00d35cec9d96fc0b91a4eb54fbcf0bbba61f89848562a606f9f7aa827cb180abe7e97a2e77a29309

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\locales\ko.pak

MD5 f0805980b4bba19fd7cecdae6d6ed77d
SHA1 fee432cc162890c5c8d22f6028f9086c8f47267d
SHA256 11f4f99e5f7d04b263f615d9d0716c0852b8c63a07212d14604373853aa78588
SHA512 03a97e36dbcae88b0fa9fec326bd99bf5c454889ca3bcf151b34003fac161001c1e08082b07974b6c8e01cc54f6b20f810c3bbe446494356403288e24e6b46df

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\locales\kn.pak

MD5 e4865513d7c57bd48171ade28bc4aaa4
SHA1 1791131c3fc654bc0aef00927f41672f700720d7
SHA256 a1b23f794547f06510adf767b23a47df68ae864b059f8657bb78dd8b352de232
SHA512 c7487fb37ebb2108218021b6a93e62d6836248d1602e7847864cc0ebe7fcd87554220bd3fff0c7bd6fa6f7bd200811b8d30e421b76717e37c7e110f88cc40d15

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\locales\ja.pak

MD5 946afe803f1bd37cac8cefb9892e8387
SHA1 6a5ab4129843129ff926735acc4be53028a8d5bd
SHA256 91084c3d2709fed5c912fd55b2499c394b3a8ebba5032d03056845f88a141ffa
SHA512 4bbc76a738b9639d4a2fda9e1dc87c84bff660c84a01e3a54f544ec2421d20d9eee4c951a59ff8ed5950a00359bfb63ef1afe953b5cf5910923428a4d864ad71

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\locales\it.pak

MD5 d26fd02972984599d1a60ebfce4ee7b0
SHA1 d1767c68628c8b1449b4670fc40c355d367b0a97
SHA256 75e90045cdafecc013f62097e1aabae18362954cf993eb4f78ed1639e3468186
SHA512 06722bae30ade4bae70130918e3d6f99e54d7fca37b3798f8ed3d269cf52c37e1280a08313c9f9dedac80da149446bd0414cd36e345bfea3a1b7409b7d2f3464

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\locales\id.pak

MD5 ee466128c7bd5f01d518d0c3c9202f39
SHA1 74b7cb96c1e495885651e50907efe56d2567955f
SHA256 6f86ea779e49c8eb24ed6ba416ad67d5e08f8a3673c68e4cfad19475e12a2911
SHA512 9d88780e52c1cca9f89ed0ead244a763209848d1315f7177c1db3251214d363e78b32d439328304976804beb781fd07a0cc9f9e300431aca16ae6afaa6f57be6

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\locales\hu.pak

MD5 1744609aa48694daf1058e6da1157696
SHA1 a97ba8118e91bb952c24adf19104ca54d4eb8694
SHA256 89c47beea85d50c88af6f94597f827bfa657ec73570cb4b3ffbc3ff91164ba89
SHA512 f64c8fd18f877283bef39c999f754ddc212fc8ba981d282f66443c6fea51e89a5c4a2aa37aae7b69c35a60bdf9b8f5698d2cc72e28e10d70747ce0f7d665ce8d

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\locales\hr.pak

MD5 62bda7cc99b6dc1503332e752f87423f
SHA1 0187ca29d12971ce201d5513e45648898806d701
SHA256 4171bbd2229ed5a7638b74e32d7aa0e643cbc99051d92a80e7da5a31400ae69c
SHA512 6acdc6618bfb1d2ba7ce912f959c25a48f987dc6c6507c8c5bac22988ddb8b2cbb8aca8fc3d40b2e8b7b6fbd417bde2de34b91b8fc778ba78c182aedb722be06

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\locales\hi.pak

MD5 cbf1e19ed157d39bfe70a17805ea3cc3
SHA1 e37f6f428e8478f50999899ce70f49e60d2fd758
SHA256 00670d07269facbd70e3949f3da5a73f584e08a6e901ac8a3b1767fc439c975a
SHA512 84f8af3ef49c8f970e7ac2ad61ec92fc21057767afb93116fbc11837b6d7130901245bcfcae53f158f6f09f3a8e59900a6444a5ba9364b2c38196631c5244258

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\locales\gu.pak

MD5 cd212ed25482d2b5a246440b62c4fbbf
SHA1 197f3616dec4fb308e0ec5a17458ef8a2d027cd1
SHA256 0e8762ac08963088c33b74ee790df95370bbfc298bae8abfb87eb1307ef46d37
SHA512 207d3e9a6bfbd3eb19cf53a0a300eb0172ecb872496d627ac5b55b9ea11d52f24f01393893450fefaa3c42bb481129d54e552679f2f67a2af0e117d12464601d

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\locales\fr.pak

MD5 1904b22bbb5d52255f80c541253971ba
SHA1 0ead9bd15bd115775728a6cada2136367fe34b87
SHA256 25eb9ea0d0007b5d4c5065fb77486c723d718a1496aa52013d1ea098987f44d0
SHA512 6d4f4a9dde7d22624ef3c28e4cf4a8de8255125aca0c5efca0bae69f040aed2651649f415acdf491593634adce0e4d88ee6439705115bfec25caae34a57f1003

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\locales\fil.pak

MD5 4462eeada117fea1198a3a9cc370e8df
SHA1 c8b6f588ab35f485b88480e58db59c7a34c4ef0b
SHA256 db27ebc5b34d14be370e7068b4bab4fe12fdf090bc1a4f0bad81740aee974695
SHA512 8a69a11f33ce1fdccb3aa7b1dac981f9d6c9d64669e3f97265bef5862e20bbc62d568b8e64fa33cae3143096b009ecb904f0f32f6dc593a8702f94d4e3f52d20

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\locales\fi.pak

MD5 15b4ed60de11e5fb956d624032e8b242
SHA1 94e7f2b7a62c4164511be53d59769299b8a02185
SHA256 f040febcc899b194a6908419b4bc225ed3d53ec478988ed7a50e8438c80d9606
SHA512 c67e22f75820b921f8519ddf064a0fd7d93abf0539b06a62592ad00ba9cc237b1297acf5eba15f7e1444916e90c9dc89e116704866d242d1bdcf0c90cb8c0058

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\locales\fa.pak

MD5 99ce096115521566ffc685703f9cdbfd
SHA1 27cccf6b8f6939d17da4b884998e577392b97221
SHA256 645a43a0101eea39dc6b29ffd71a4836a03ebd7070e61aa962025257aea59375
SHA512 42df640778ae722b82a62e527711a57c883e9d315d54ea7e484d7a8f631abf3f5ea1498d6c5cbd004fe971fd357a0b8d40ab4934fc84e03565da3fb0b23184c8

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\locales\es.pak

MD5 070cbd6f42db1cb9b6a2f74e03d6b124
SHA1 f8830e1c8a601123d85fd75188ed01833f910691
SHA256 91de93a4dc9c9276b9ee3ae498bdafaa55fd464c1f20fdaca84c4b79842327d4
SHA512 2ebee4e289eb2a19a97c86d1abdc1ad53c6a76b8c1dc28fc89cfde236c4abfbb823bf52573cc0848fd76ed9e0ab2d49def542837bc5c474ca1593fb5ed10a390

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\locales\es-419.pak

MD5 76c82bd947c7d32febb2aeed079de39f
SHA1 e4b8238dcb0d3ffdedbb8a4fdc62ada21b03c659
SHA256 89df263a85ccce719cf2b1a5bfb3b2bec5f6f48d0cf1b7ad190b34992aa8309f
SHA512 5179f1cc0be2a4ad441c08102cbabdd3026ae07f430dfeac2f451863235947d9ff1ef78a8c72ef503085c8daf831b401a58ca6e6b077c7584c50b50005c7c868

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\locales\en-US.pak

MD5 d47cded365a28d27906414035c1cb3ca
SHA1 429123c86f6ca48a89bedc9a26027e01508e6db9
SHA256 46958caf9847e33a11593ad024d5a95cc696edcd4620cf07e7b2b78c72b9c00c
SHA512 1a16d784913fead116460c9ff42e21ae482865cfe2d6ed1b1296496e46a05e513f8d048fa4d245e7a82ef61de4c4130696d5b1c647c918995f6877a888bd0853

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\locales\en-GB.pak

MD5 513c735f8821cd5b8beee4f1c9f976d9
SHA1 2552ec0b813aa12b464d813d450e8b6bbc640555
SHA256 d86bc52d844b9706cf9fc50e7c123ab9a6372dd3190a65a88bff7d57f64af362
SHA512 9482f73155c0a838615ddeb4ea5e2db86f12d973c2288922f361de27025f49f714cb6db6eca09a4ef6abaab6b849800850fc72e5bd1314ad3262da66d4dc6b5b

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\locales\de.pak

MD5 d847de7e4970ad17615f7a454be60d06
SHA1 e6cd24f4ca42499c12c92f90077977921a66e016
SHA256 41e503b5e5638cccac6b0165d6c2d2b583e3a6190f3b1dd2e8dd25494d3bdf96
SHA512 ab782cdf2fcf20d24cb3cb3c70989901146709610809a3ecb0ba86b312f11c5b1fca3d66b04d6a6ad3f111f2f2c8749da9d1f8d1ead08c8e7635bd6f1f6a00f0

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\locales\da.pak

MD5 96bbef1eee0b0a197ec834839c00e11c
SHA1 35adba0aafbb4d19015e11dde1f37de87292252d
SHA256 600e02877374dc083b21deb3cc3bf6a4e3e2b2c581a631955494b0591c56289c
SHA512 e1ae7ad30735b6c42f81d30d50162330603753b0ce7705506918d0bf3bf9a52ac60f8fca570cdfe87f0d6dd46cfa3064d5a1526d39d81a053571b434b1cbffe1

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\locales\ca.pak

MD5 d4f81d8d816d93e8e6ec3f82cd8f12c4
SHA1 2cc552022a6963f6bab97e41ecd78bb945a2ec34
SHA256 50657071f311dc06c746346a25d10642f182519c1eb3ab898421722271bf2c66
SHA512 b344d5b336699f5efa4e235c7f67ea43278b348df9942f7a86ac52e29172794672d71e80501987867900ca075be0e47228f6cb898a39b66c80acbd0d9b14b371

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\locales\bg.pak

MD5 78209e3acd074e521b73382ec462e497
SHA1 b112c4ced00c140410a1faf8204772d1fd14abed
SHA256 086e2955bc5dbba52b0ab055bf788bd7852a851a29bf1249dbd134713f04e6f4
SHA512 789f13ba6b98b0b181bbd75f3a099a39d33b43bd6a0172688da570c3087cdbc4975e36e5c40f0f3298648dfb777613b0b2001d6873a2c6bee41e82355d960fd9

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\locales\ar.pak

MD5 5fbed215d9555f2be88e8a41407a0a72
SHA1 744bd7b5276cd4e69a6610d35e3c9e5d62dbe49a
SHA256 5f1b06de1f8105ccebb79651781fc219013048951a6e1b15a2c4f567ee45e88f
SHA512 0c0d2d1d3d07528afecf1862011ce2ddd27c9c286b5edeb03cd80a9ffde584bf0a71ba6292c969e3261a958a9bfddd291746253268479c090f54559720dcac36

C:\Users\Admin\AppData\Local\Temp\nstAD12.tmp\7z-out\locales\am.pak

MD5 99f01e85f82f70b919f3de6a29bc2255
SHA1 bd229bbb9a15d128d3dafb107533ed2b74e0b778
SHA256 fdbbf59c2f6d4e9d6bf8bc7209511850bb337b0a49a25d39779bdd0e105f1682
SHA512 b3b7199f60af430bc98fc937e12b0a2c67b446f0217e01b543882313336f55def3cc6317cf1ef49766ceb1e171e70cbd78e8acecc3cc1c8409e76f4d98d347a6

Analysis: behavioral26

Detonation Overview

Submitted

2024-09-22 01:08

Reported

2024-09-22 01:12

Platform

win7-20240903-en

Max time kernel

118s

Max time network

119s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\sqlite-autoconf-3440200\Replace.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\sqlite-autoconf-3440200\Replace.js

Network

N/A

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-09-22 01:08

Reported

2024-09-22 01:12

Platform

win7-20240903-en

Max time kernel

120s

Max time network

121s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\sqlite-autoconf-3440200\aclocal.ps1

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\sqlite-autoconf-3440200\aclocal.ps1

Network

N/A

Files

memory/2508-4-0x000007FEF52CE000-0x000007FEF52CF000-memory.dmp

memory/2508-5-0x000000001B5B0000-0x000000001B892000-memory.dmp

memory/2508-6-0x0000000001E70000-0x0000000001E78000-memory.dmp

memory/2508-7-0x000007FEF5010000-0x000007FEF59AD000-memory.dmp

memory/2508-8-0x000007FEF5010000-0x000007FEF59AD000-memory.dmp

memory/2508-9-0x000007FEF5010000-0x000007FEF59AD000-memory.dmp

memory/2508-10-0x000007FEF5010000-0x000007FEF59AD000-memory.dmp

memory/2508-11-0x000007FEF5010000-0x000007FEF59AD000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-09-22 01:08

Reported

2024-09-22 01:13

Platform

win7-20240903-en

Max time kernel

118s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 220

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-09-22 01:08

Reported

2024-09-22 01:13

Platform

win10v2004-20240802-en

Max time kernel

97s

Max time network

106s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3dcompiler_47.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3dcompiler_47.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-09-22 01:08

Reported

2024-09-22 01:13

Platform

win10v2004-20240802-en

Max time kernel

146s

Max time network

161s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-09-22 01:08

Reported

2024-09-22 01:13

Platform

debian9-armhf-20240611-en

Max time kernel

0s

Command Line

[/tmp/sqlite-autoconf-3440200/Makefile.fallback]

Signatures

N/A

Processes

/tmp/sqlite-autoconf-3440200/Makefile.fallback

[/tmp/sqlite-autoconf-3440200/Makefile.fallback]

Network

N/A

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-09-22 01:08

Reported

2024-09-22 01:12

Platform

debian9-mipsel-20240729-en

Max time kernel

0s

Command Line

[/tmp/sqlite-autoconf-3440200/Makefile.fallback]

Signatures

N/A

Processes

/tmp/sqlite-autoconf-3440200/Makefile.fallback

[/tmp/sqlite-autoconf-3440200/Makefile.fallback]

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-09-22 01:08

Reported

2024-09-22 01:13

Platform

win10v2004-20240802-en

Max time kernel

94s

Max time network

148s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3092 wrote to memory of 1776 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3092 wrote to memory of 1776 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3092 wrote to memory of 1776 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1776 -ip 1776

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1776 -s 628

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-09-22 01:08

Reported

2024-09-22 01:12

Platform

win10v2004-20240802-en

Max time kernel

148s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3872 wrote to memory of 3068 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3872 wrote to memory of 3068 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3872 wrote to memory of 3068 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3068 -ip 3068

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 85.65.42.20.in-addr.arpa udp

Files

N/A