Malware Analysis Report

2025-01-22 08:52

Sample ID 241027-qjyl8swkbs
Target MeetseeApp.exe
SHA256 6ac0275ed0a8c1f8ed8ae200282fc90b8d57f1b562ed719c4bf194b5f7ed5762
Tags
discovery execution defense_evasion persistence privilege_escalation spyware stealer
score
8/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1, behavioral10, behavioral26, behavioral5, behavioral16, behavioral23, behavioral30, behavioral4, behavioral17, behavioral25, behavioral28, behavioral2, behavioral32, behavioral7, behavioral8, behavioral12, behavioral19, behavioral31, behavioral9, behavioral13, behavioral20, behavioral14, behavioral15, behavioral22, behavioral24, behavioral27, behavioral3, behavioral6, behavioral11, behavioral18, behavioral21, behavioral29 (each: Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
8/10

SHA256

6ac0275ed0a8c1f8ed8ae200282fc90b8d57f1b562ed719c4bf194b5f7ed5762

Threat Level: Likely malicious

The file MeetseeApp.exe was found to be: Likely malicious.

Malicious Activity Summary

discovery execution defense_evasion persistence privilege_escalation spyware stealer

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Drops startup file

Reads user/profile data of web browsers

Looks up external IP address via web service

Adds Run key to start application

Enumerates connected drives

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Drops file in System32 directory

Hide Artifacts: Ignore Process Interrupts

Unsigned PE

Browser Information Discovery

Access Token Manipulation: Create Process with Token

System Location Discovery: System Language Discovery

Command and Scripting Interpreter: JavaScript

Program crash

Enumerates physical storage devices

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Modifies Internet Explorer settings

Enumerates system info in registry

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory
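
The file list under behavioral1 shows the installer unpacking an Electron application (LICENSE.electron.txt, resources\app.asar, resources\app.asar.unpacked), and the summary flags both the JavaScript and the PowerShell interpreters, so the archived JavaScript is the natural place to look next. The Python below is an added example, not part of the sandbox report or of the sample: it builds a small constructed asar archive in memory so it runs offline, then parses the archive layout (a chromium-pickle header, a JSON file table, raw file data), lists entries including ones marked unpacked, extracts a file by path, and greps the packed .js for a few assumed string markers. The file names, the JavaScript text and the marker list are constructed for the demo; on a real sample, read the on-disk app.asar bytes in place of build_asar.

```python
import json
import struct

# Constructed sample tree (not the analysed sample's code). Leaves are file
# bytes; nested dicts are directories. native.node is treated as "unpacked",
# which is how asar represents files that live in app.asar.unpacked on disk.
SAMPLE_TREE = {
    "package.json": b'{"name":"meet-app","main":"main.js"}',
    "main.js": (
        b"const { app } = require('electron');\n"
        b"const { execSync } = require('child_process');\n"
        b"app.whenReady().then(() => execSync('powershell.exe -w hidden -enc ...'));\n"
    ),
    "node_modules": {
        "collector": {
            "index.js": b"const db = process.env.LOCALAPPDATA + '/Google/Chrome/User Data/Default/Login Data';\n",
        },
    },
    "native.node": b"MZ\x90\x00",
}

# Assumed markers worth flagging in packed JavaScript; extend for a real case.
MARKERS = (b"child_process", b"powershell", b"Login Data", b"wallet")


def _pad4(b: bytes) -> bytes:
    """Pickle strings are padded to a 4-byte boundary."""
    return b + b"\0" * ((4 - len(b) % 4) % 4)


def build_asar(tree: dict, unpacked=()) -> bytes:
    """Pack a {name: bytes | dict} tree into asar bytes (writer used only to
    construct the demo input). Paths in `unpacked` get a size but no data."""
    data = bytearray()

    def encode(node, prefix=""):
        out = {}
        for name, value in node.items():
            path = prefix + name
            if isinstance(value, dict):
                out[name] = {"files": encode(value, path + "/")}
            elif path in unpacked:
                out[name] = {"size": len(value), "unpacked": True}
            else:
                out[name] = {"size": len(value), "offset": str(len(data))}
                data.extend(value)
        return out

    header_json = json.dumps({"files": encode(tree)}).encode()
    payload = struct.pack("<I", len(header_json)) + _pad4(header_json)   # pickle payload
    header_pickle = struct.pack("<I", len(payload)) + payload             # payload length + payload
    return struct.pack("<II", 4, len(header_pickle)) + header_pickle + bytes(data)


def parse_asar(blob: bytes):
    """Return (header_dict, data_start). Layout: uint32 4 | uint32 header_size |
    uint32 payload_len | uint32 json_len | json (padded) | concatenated file data."""
    size_field, header_size = struct.unpack_from("<II", blob, 0)
    if size_field != 4:
        raise ValueError("not an asar archive")
    payload_len, json_len = struct.unpack_from("<II", blob, 8)
    if payload_len + 4 != header_size or 16 + json_len > 8 + header_size:
        raise ValueError("corrupt asar header")
    header = json.loads(blob[16:16 + json_len])
    return header, 8 + header_size


def walk(node, prefix=""):
    """Yield (path, entry) for every file entry, depth first."""
    for name, entry in node["files"].items():
        path = prefix + name
        if "files" in entry:
            yield from walk(entry, path + "/")
        else:
            yield path, entry


def read_file(blob: bytes, path: str) -> bytes:
    """Extract one packed file; unpacked entries are not in the archive at all."""
    header, data_start = parse_asar(blob)
    for p, entry in walk(header):
        if p == path:
            if entry.get("unpacked"):
                raise FileNotFoundError(f"{path} is stored in the .unpacked directory, not in the archive")
            start = data_start + int(entry["offset"])
            return blob[start:start + entry["size"]]
    raise FileNotFoundError(path)


def triage(blob: bytes) -> dict:
    """Map each packed .js file to the MARKERS it contains (case-insensitive)."""
    header, _ = parse_asar(blob)
    hits = {}
    for path, entry in walk(header):
        if path.endswith(".js") and not entry.get("unpacked"):
            content = read_file(blob, path).lower()
            found = [m.decode() for m in MARKERS if m.lower() in content]
            if found:
                hits[path] = found
    return hits


if __name__ == "__main__":
    archive = build_asar(SAMPLE_TREE, unpacked={"native.node"})
    for path, entry in walk(parse_asar(archive)[0]):
        print(path, "unpacked" if entry.get("unpacked") else f"{entry['size']} bytes")
    print(triage(archive))
```

The asar container carries no signature or integrity check, so whatever JavaScript it holds is exactly what Electron will run; the official asar CLI (`asar extract app.asar out`) does the same unpacking, and entries flagged unpacked have to be collected from the app.asar.unpacked tree that the report lists alongside the archive.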

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-27 13:19

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A (18 identical rows in the report; no indicator, process or target recorded)

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-27 13:18

Reported

2024-10-27 13:22

Platform

win7-20241010-en

Max time kernel

118s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MeetseeApp.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\MeetseeApp.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MeetseeApp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MeetseeApp.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MeetseeApp.exe

"C:\Users\Admin\AppData\Local\Temp\MeetseeApp.exe"

C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe

"C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nsoF181.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

C:\Users\Admin\AppData\Local\Temp\nsoF181.tmp\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

\Users\Admin\AppData\Local\Temp\nsoF181.tmp\SpiderBanner.dll

MD5 17309e33b596ba3a5693b4d3e85cf8d7
SHA1 7d361836cf53df42021c7f2b148aec9458818c01
SHA256 996a259e53ca18b89ec36d038c40148957c978c0fd600a268497d4c92f882a93
SHA512 1abac3ce4f2d5e4a635162e16cf9125e059ba1539f70086c2d71cd00d41a6e2a54d468e6f37792e55a822d7082fb388b8dfecc79b59226bbb047b7d28d44d298

\Users\Admin\AppData\Local\Temp\nsoF181.tmp\nsExec.dll

MD5 ec0504e6b8a11d5aad43b296beeb84b2
SHA1 91b5ce085130c8c7194d66b2439ec9e1c206497c
SHA256 5d9ceb1ce5f35aea5f9e5a0c0edeeec04dfefe0c77890c80c70e98209b58b962
SHA512 3f918f1b47e8a919cbe51eb17dc30acc8cfc18e743a1bae5b787d0db7d26038dc1210be98bf5ba3be8d6ed896dbbd7ac3d13e66454a98b2a38c7e69dad30bb57

\Users\Admin\AppData\Local\Temp\nsoF181.tmp\nsis7z.dll

MD5 80e44ce4895304c6a3a831310fbf8cd0
SHA1 36bd49ae21c460be5753a904b4501f1abca53508
SHA256 b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592
SHA512 c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

C:\Users\Admin\AppData\Local\Temp\nsoF181.tmp\7z-out\chrome_200_percent.pak

MD5 47668ac5038e68a565e0a9243df3c9e5
SHA1 38408f73501162d96757a72c63e41e78541c8e8e
SHA256 fac820a98b746a04ce14ec40c7268d6a58819133972b538f9720a5363c862e32
SHA512 5412041c923057ff320aba09674b309b7fd71ede7e467f47df54f92b7c124e3040914d6b8083272ef9f985eef1626eaf4606b17a3cae97cfe507fb74bc6f0f89

C:\Users\Admin\AppData\Local\Temp\nsoF181.tmp\7z-out\chrome_100_percent.pak

MD5 4fc6564b727baa5fecf6bf3f6116cc64
SHA1 6ced7b16dc1abe862820dfe25f4fe7ead1d3f518
SHA256 b7805392bfce11118165e3a4e747ac0ca515e4e0ceadab356d685575f6aa45fb
SHA512 fa7eab7c9b67208bd076b2cbda575b5cc16a81f59cc9bba9512a0e85af97e2f3adebc543d0d847d348d513b9c7e8bef375ab2fef662387d87c82b296d76dffa2

C:\Users\Admin\AppData\Local\Temp\nsoF181.tmp\7z-out\d3dcompiler_47.dll

MD5 2191e768cc2e19009dad20dc999135a3
SHA1 f49a46ba0e954e657aaed1c9019a53d194272b6a
SHA256 7353f25dc5cf84d09894e3e0461cef0e56799adbc617fce37620ca67240b547d
SHA512 5adcb00162f284c16ec78016d301fc11559dd0a781ffbeff822db22efbed168b11d7e5586ea82388e9503b0c7d3740cf2a08e243877f5319202491c8a641c970

C:\Users\Admin\AppData\Local\Temp\nsoF181.tmp\7z-out\ffmpeg.dll

MD5 fa145097e0274da929aacd68c31338ab
SHA1 a999806ef0c15593100e21bc8632d7b1806bac47
SHA256 c8476ee68088d72b9fab25703093df19237d14387016b77f472e10c99c9415ed
SHA512 d4898eed2ea09cb9b1810d783558ee7bf284701734437fbd9e1035138216e1ddbddd77d588a0b722adc5c5fd4a245871537bfb9b168910fc2bffbd6cb78c3c9f

C:\Users\Admin\AppData\Local\Temp\nsoF181.tmp\7z-out\icudtl.dat

MD5 e0f1ad85c0933ecce2e003a2c59ae726
SHA1 a8539fc5a233558edfa264a34f7af6187c3f0d4f
SHA256 f5170aa2b388d23bebf98784dd488a9bcb741470384a6a9a8d7a2638d768defb
SHA512 714ed5ae44dfa4812081b8de42401197c235a4fa05206597f4c7b4170dd37e8360cc75d176399b735c9aec200f5b7d5c81c07b9ab58cbca8dc08861c6814fb28

C:\Users\Admin\AppData\Local\Temp\nsoF181.tmp\7z-out\LICENSE.electron.txt

MD5 4d42118d35941e0f664dddbd83f633c5
SHA1 2b21ec5f20fe961d15f2b58efb1368e66d202e5c
SHA256 5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d
SHA512 3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63

C:\Users\Admin\AppData\Local\Temp\nsoF181.tmp\7z-out\LICENSES.chromium.html

MD5 1ca87d8ee3ce9e9682547c4d9c9cb581
SHA1 d25b5b82c0b225719cc4ee318f776169b7f9af7a
SHA256 000ae5775ffa701d57afe7ac3831b76799e8250a2d0c328d1785cba935aab38d
SHA512 ec07b958b4122f0776a6bded741df43f87ba0503b6a3b9cc9cbe6188756dcde740122314e0578175123aaa61381809b382e7e676815c20c3e671a098f0f39810

C:\Users\Admin\AppData\Local\Temp\nsoF181.tmp\7z-out\libGLESv2.dll

MD5 57c23aa2c39f11528e56a48ea1824036
SHA1 d4fbf180266eb210f8d83360cbbd3804249c60b8
SHA256 ee039e42a4948e9f26ece8515f3c699014fa7803ae597cd3427fa1548962f9af
SHA512 77487060b824cc70b30b30b144b8f174fd08ca6a298fd8c8f45d8417b90b7914a0d135edab39d6a5b2b883d49e9386da382a9ce5c52dc07ecd147f49118efa63

C:\Users\Admin\AppData\Local\Temp\nsoF181.tmp\7z-out\libEGL.dll

MD5 5db499ae909083620e47eeea1623b2af
SHA1 bc23303d6885b8f5c3fb84b3fecdf1a678e94a25
SHA256 7bee4e33d89e5a4f2b3bc74d632f7c773ae9a399b6b2ba6d29b1192e25695a8b
SHA512 d656bfa6d59c495d85eee872b372f7fba24f89101c38de1de904ece0d9ffa6eb93de81fdf674efa5ef724ea73188b908b8ad32cfee03c656accb835683929311

C:\Users\Admin\AppData\Local\Temp\nsoF181.tmp\7z-out\resources.pak

MD5 0e69910860463d5045ec257234bd8dd4
SHA1 33c923c33129d1dccf0bb2dcbe8af983a7000444
SHA256 1d241f5d4403a6e802e898c61e4753f8508ae4dda8fcb7750558ec1ecade52c6
SHA512 f6bb7c7b51bb202877739801498522095637caf8a03e2e1f2c6319fede3d3ca656f552061e171ec5e35e176c267fe278c326805d760add1371590bed58e12375

C:\Users\Admin\AppData\Local\Temp\nsoF181.tmp\7z-out\v8_context_snapshot.bin

MD5 1e4da0bc6404552f9a80ccde89fdef2b
SHA1 838481b9e4f1d694c948c0082e9697a5ed443ee2
SHA256 2db4a98abe705ef9bc18e69d17f91bc3f4c0f5703f9f57b41acb877100718918
SHA512 054917652829af01977e278cd0201c715b3a1280d7e43035507e4fa61c1c00c4cd7ed521c762aebd2ea2388d33c3d4d4b16cee5072d41e960021b6f38745a417

C:\Users\Admin\AppData\Local\Temp\nsoF181.tmp\7z-out\snapshot_blob.bin

MD5 d20922aefcad14dc658a3c6fd5ff6529
SHA1 75ce20814bdbe71cfa6fab03556c1711e78ca706
SHA256 b6bea91727efb8c88e7c059856553d3a47abd883e60dd60efc01b04dc6eec621
SHA512 dbd63a9f01feb3c389c11b55d720b5d689558626041fb1dd27ded2be602e5e2a8d210f785fde025d7b9959f81de3df7fef06981269b58be564df05aec190dd1c

C:\Users\Admin\AppData\Local\Temp\nsoF181.tmp\7z-out\vulkan-1.dll

MD5 47af18d68dc7cf271f0a92707f783f64
SHA1 64594e92a1cd7042cf6367b1843abed210db3d78
SHA256 d5df2f59cc8b32abd6178250e7d1370a7f37270cc727449e21778080b5e29cd2
SHA512 2e8fefeccc25e5fcb448fd874f99b8d1466a8148ffe80e1f6ac2105d18bb93e529681ff0ba38e515f52ed4df9ac091fee0782afe5e093fd83c3045a60409fc10

C:\Users\Admin\AppData\Local\Temp\nsoF181.tmp\7z-out\vk_swiftshader_icd.json

MD5 8642dd3a87e2de6e991fae08458e302b
SHA1 9c06735c31cec00600fd763a92f8112d085bd12a
SHA256 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9
SHA512 f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

C:\Users\Admin\AppData\Local\Temp\nsoF181.tmp\7z-out\vk_swiftshader.dll

MD5 583b1d71cd7b847ba02d734c508cd92f
SHA1 d63966aeafa951d51967620c606e9b97399699c4
SHA256 680ea3717671c896d516517ff322976ab708f18862135be4216a27ad57353dcc
SHA512 cbb0659ccac9344ed9bb151443a30c106711fa1b15234e6f1225ef28a679c6b3f0a24a6ca1d9baff46155c39ff4e08e3ac96e1da32d665be9a5728956012f193

C:\Users\Admin\AppData\Local\Temp\nsoF181.tmp\7z-out\locales\af.pak

MD5 862a2262d0e36414abbae1d9df0c7335
SHA1 605438a96645b9771a6550a649cddbb216a3a5b1
SHA256 57670eae6d1871e648ad6148125ee82d08575bec5b323459fc14c3831570774a
SHA512 a789a4cad72106a5c64d27709b129c4ae6284076f147b7c3fcb808b557a3468b4efe3ede28033f981335d5eab986532c0497ddd6ed24b76189fe49366692ee73

C:\Users\Admin\AppData\Local\Temp\nsoF181.tmp\7z-out\locales\bn.pak

MD5 c8173f0cc63ca9e02c07abec94892b53
SHA1 2688b199cc40bb2082247fa451eac1304608e48b
SHA256 e6adcfb4f3b3bccd4a27edadc168b503c36551cd6b27fb24043efeb21f691ce5
SHA512 3d2317430722dc15c5d938fa55235af1caa03dcff7a574b44d37d89e7cf2c94dd2e84518b3eeca4a5a8dbec1b99d94aed97429aaf55c63998002d50ce9cb5019

C:\Users\Admin\AppData\Local\Temp\nsoF181.tmp\7z-out\locales\de.pak

MD5 141045fc1f94f93e82db06db4f7321c8
SHA1 d63d226c531a710359cb65f4e6aa190f593b4d54
SHA256 47253e2fcf0e4691f29b3ebbe8f888a97b28d6aeaf73ab000857a6b8d0907ff3
SHA512 85c27fdc9a2cb9310bfbb05d0bcd668eb2156a37765d8fb59496739f6f1eae12afcbaadf5eea8f2db2ad8c8a0602f83500bff9cb71a429174a80bee16ec10118

C:\Users\Admin\AppData\Local\Temp\nsoF181.tmp\7z-out\locales\es.pak

MD5 d584992a0670c5771147c01266d17362
SHA1 d6e70e43585564d520e4b1777fac0b1e7bc6ed37
SHA256 f6a01c26bc18dcf701e1d4b6ff76602f14c4bb9adf9dd176c9107d5aedb4503f
SHA512 39db436a05955a3ad3b54ace4f2f0e8a313797d3ae8eda9cf1cab6f2ea1edba0a82c30f3b589b8c5399ed06e9fcf4ce9059d3d5a07472f05ab1f0819e42d5b73

C:\Users\Admin\AppData\Local\Temp\nsoF181.tmp\7z-out\locales\fr.pak

MD5 59e1e573153a209c56ae3bcb390b898f
SHA1 45f8a5469651c032c453b14bd68c85cdd6c75fc2
SHA256 976622fb851378f57f81423e5625e40d0753d7a5e34caed2c39e4b130a3427b8
SHA512 91f1b88ffb9f3362fbab7d607a68c4ca65e6b89fef7de0c986067ef7fd013c0ce35bce328ff3546cb7aafc296993e46a908ac506bb6a141088cfbc5ead948ba4

C:\Users\Admin\AppData\Local\Temp\nsoF181.tmp\7z-out\locales\lt.pak

MD5 edb2c872a4fec5367cbe68035ef0ecc7
SHA1 b4d42bcc83c98dda1ea2ef962d097f6fb3d25c71
SHA256 1bd385b780f3d13d41f8cf782a322e37be889aee273ffde3d8959e0ebcaabd0b
SHA512 dd801a1aac2242e3f532e968b4c9639a2c8bf3eccc17470d9aa8bd6730ae4be3e7276fb782c7908bb6f87d3ade20a40c644b9db5d2201d96d91fd95ebdf429c9

C:\Users\Admin\AppData\Local\Temp\nsoF181.tmp\7z-out\locales\ru.pak

MD5 9ef6fd52dec5613f9e80204a84c7f2ba
SHA1 fbb8c9db815126fca3c62c810432a71b6965f2aa
SHA256 d0068b9ddf8a9e6a5b1186bd0e00ed9f09224ed56ba7e653e2d54158d938c6f2
SHA512 0fb442ef86f75ca2cf58a677bd25ffb7c420f98250fac7f5f25e2272d4e7dc505a5f3eb3665b62bec189496154b05a1462b6f17a0e9aeafc1517b71e2d813953

C:\Users\Admin\AppData\Local\Temp\nsoF181.tmp\7z-out\locales\ta.pak

MD5 d50aa6815b63aff8c443622cb8bfd849
SHA1 fd247855e6e428109e7bf2e0018580cc6e0663c8
SHA256 6348cc2d385b9808fdf1b815914dbfb26f552da4d10f85b2613a5e6e9f95b8fa
SHA512 620e2f9ab9998c68d667e32ad9bbfa2569f7a60fbc2a67d7492c6c215af2a1037708e38b4ed7932074d29a140581fe0ffedddb362133a941966044b98eaa50db

C:\Users\Admin\AppData\Local\Temp\nsoF181.tmp\7z-out\locales\zh-TW.pak

MD5 1eb532e97b84db33a50055bbd7d36200
SHA1 7aaf0560a16a9754059871a000d237964f3ab0c8
SHA256 6a43c8fac5a0ce7c7a21b30ac7bc2167488e17c81c76c00f0b92b49e9e46e469
SHA512 c946d82bd6ced6e61b35acaf7ace1a61f226c4891caaeeeec9ce4a3ab45e6f43c35dbb388d6d5fa925ed020d7d10f951fa2048269d0585ad3b723f5ad8f4eabc

C:\Users\Admin\AppData\Local\Temp\nsoF181.tmp\7z-out\resources\app.asar.unpacked\node_modules\node-api-dotnet\package.json

MD5 3f666835293815069426787fc62541aa
SHA1 ad98724168ee05164b7320656b0995dae0484495
SHA256 b5ac026cd1c999fbe4d28ee0e780bb5064844b8d68c1860dfc31d296d3584d2c
SHA512 435466773cdb9cd1d9d5cf3174386e2b1718e7daf48663b2f5b7f386657d65db532b863a95f31902f6f616dccbf344a2e614eb96f62be5a63aac5ddd620d4b70

C:\Users\Admin\AppData\Local\Temp\nsoF181.tmp\7z-out\resources\app.asar.unpacked\node_modules\node-api-dotnet\net8.0\Microsoft.JavaScript.NodeApi.dll

MD5 1c45f25f9aa22d8afd96764bc8986cf1
SHA1 9824b9b9d2307ee6842230f8a3e0247c13778260
SHA256 9812e5c3d7073dcce9518ba81956da372f21ff02876ac3499612a384c9ca355c
SHA512 ea5bedae2e4d4a9578a8eeb125f2b839ae3e4f82d7549b18d8fd30eabe0f6c7b165586c459abc2b18f14281f67df1beae9aa9cf2c8e1fff71d18e9ddc16e753f

C:\Users\Admin\AppData\Local\Temp\nsoF181.tmp\7z-out\resources\app.asar.unpacked\resources\icon.png

MD5 a2cf889708d9c4959c6808b4584848e4
SHA1 9b95116c7bb7f367985ff873ca690713b3f68746
SHA256 4363016ccf3541c84ae6a1eee83f507fb2b775aa89b9d6c8163875640267f9e9
SHA512 2f388a8ca8b74338fc7af7ce4e817f2f7517cf49ce55bfa26a44ea73ec0cfbce189c259d577b2e5e66e3af465936df021359fee1bb2b10c95c58f0712e76f542

C:\Users\Admin\AppData\Local\Temp\nsoF181.tmp\7z-out\resources\app.asar.unpacked\resources\favicon.ico

MD5 b8f09fde0dd3c4866895dd12b2608699
SHA1 7c9bfec394ca804ea54544bc45438da6e5489bea
SHA256 fb2ca5afe1da5dd14c3098764fd6c9d184626eb2e83f61c2b56666ed5d9fc809
SHA512 67bc89c78142e098ff146ecd22435332556812a752cd9634f34d2e269a58589824668315f700013b0424c7b14855043de8598002f36f679685f256cff924db1c

C:\Users\Admin\AppData\Local\Temp\nsoF181.tmp\7z-out\resources\app.asar.unpacked\node_modules\node-api-dotnet\win-x64\Microsoft.JavaScript.NodeApi.node

MD5 acf00306c02f0d7c71fb1eccfb8c3a4f
SHA1 f2bc4c5f55b9afa2782d2ef56b7ec101ced8adbc
SHA256 ed4d5390432b5d5015b98ed7798b947c5e2d4d27553ae71f13fc081916dec160
SHA512 90a1b5f325235b80e246fb60819f5f74aa69e846206161970f4e810cc08f6982156e1c4eb2f225c26f6359ad2c215e4b9105e64e8b351e2ea266806c0166abde

memory/1668-756-0x0000000002F00000-0x0000000002F02000-memory.dmp

\Users\Admin\AppData\Local\Temp\nsoF181.tmp\WinShell.dll

MD5 1cc7c37b7e0c8cd8bf04b6cc283e1e56
SHA1 0b9519763be6625bd5abce175dcc59c96d100d4c
SHA256 9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6
SHA512 7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

C:\Users\Admin\AppData\Local\Temp\nsoF181.tmp\7z-out\resources\app.asar.unpacked\node_modules\node-api-dotnet\win-arm64\Microsoft.JavaScript.NodeApi.node

MD5 c3afc3e7fbab281c93022d6ba690594b
SHA1 770c2d63f095eb4cafb3b3fe53873f34a2423028
SHA256 d7f245268ce2b31c966e882a5edd597caeb053a1be6ee9a9a9331e57601f74bf
SHA512 06f9370d876d8508e254aa7afcb37f3867215368fdc684484f9e703d9483933c8eade48c7774894fa5a8fa5fe33536c948bb4010ad6ef2596f87cbcc8a7471ab

C:\Users\Admin\AppData\Local\Temp\nsoF181.tmp\7z-out\resources\app.asar.unpacked\node_modules\node-api-dotnet\osx-x64\Microsoft.JavaScript.NodeApi.node

MD5 b9c29340e3f69906e903008ab98477cc
SHA1 4a78ee9b21d159baab65699e980f8dd78e7630ee
SHA256 d6b228ebafc53bbb49f867b93dd3ec2e97162e63e3a1c1c022837b36dce5a78c
SHA512 bf44cb4a008810c58da35cb2ed24392c65a0ad16826a15961598dca924516066610ea4ae95f1df70ee5f43f08919af5243705e4c539d6790c77484fe88db8f51

C:\Users\Admin\AppData\Local\Temp\nsoF181.tmp\7z-out\resources\app.asar.unpacked\node_modules\node-api-dotnet\osx-arm64\Microsoft.JavaScript.NodeApi.node

MD5 6ef89d81391a29ca0e2f43c41da76a6c
SHA1 83f75cd9d4d057a95be33052769aed0868ae385a
SHA256 299ca3829d7ede84f7f27438a465dc3c259104b19a6214f6fe4676cc028aa5be
SHA512 7e9d804fde16d8b1a634a30f05335ef2d84d6cd8656c111b36c067effba1feb3266d10f14816f789e40cae199c264ed32d71a866c9ac17bd9ebd1eaf532c0ccc

C:\Users\Admin\AppData\Local\Temp\nsoF181.tmp\7z-out\resources\app.asar.unpacked\node_modules\node-api-dotnet\net8.0\Microsoft.JavaScript.NodeApi.runtimeconfig.json

MD5 4a9c80319d4bc37747761a6941caab5a
SHA1 b03e6b98cd4fc2d59e263f1b58e2b6e0d24ff2d7
SHA256 166640598ac8dcc71749e636c34b6d81aa31dfc7651935192dc20f9130e8b4ef
SHA512 c37b5d989afa317c97a25f0c53117c8c0de707ec354fbeb0c95ddb12233bb127dbe89221d671bc53d5e124f4be3ba2190b8b2d179c7fc8546dd756facf5dd09f

C:\Users\Admin\AppData\Local\Temp\nsoF181.tmp\7z-out\resources\app.asar.unpacked\node_modules\node-api-dotnet\net8.0\Microsoft.JavaScript.NodeApi.DotNetHost.dll

MD5 5ec3e462c142fd322c0033dfc7f9333a
SHA1 fa22dd83de56742fff31bc1ba10d10e730193a13
SHA256 149feff08be265b482eaf130d3ecf95da03409be04bebfc16573685f83d593e3
SHA512 9bcd8d33be764b5df7b9c007199ea7c624c21d95deed017766fcc00146329c1dfe635af2d992cbc86724b0f6fb860add1f105f7cd34cb31f2462c98b12e28555

C:\Users\Admin\AppData\Local\Temp\nsoF181.tmp\7z-out\resources\app.asar.unpacked\node_modules\node-api-dotnet\net6.0\Microsoft.JavaScript.NodeApi.runtimeconfig.json

MD5 3ec363c040ffe24a45580933ed751180
SHA1 20ea940cbf6c72490e78f06d828d6ba72a9e3c6a
SHA256 2ab9aa68f61132fcf1ca51e62aa96b73df1e786a6c1aa3a42a8bb837d72e5757
SHA512 46b74010a0a8cf26d915a484d0969e7da9e4a5c88c0b1273aa0a318f8216fa07bb60bb14b9e674078257ba39339d9fb595d10dc7a1aa1d63d3cc95cb589eff3b

C:\Users\Admin\AppData\Local\Temp\nsoF181.tmp\7z-out\resources\app.asar.unpacked\node_modules\node-api-dotnet\net6.0\Microsoft.JavaScript.NodeApi.DotNetHost.dll

MD5 37952be66829f3fd9ec27d988cf34237
SHA1 a22698610ce9c7af712d1d981525606c02e49129
SHA256 b12124a7f06584adf8313542d7280f852008f1a339a29bbbb44df802159fb022
SHA512 bf54bebc5e89412295064589c45971560569e440a689301266f372d10602d07028a46b6ea85c80ec9ddff7b54cf9c62d0cca871da7f0c6e6549ddae6bd14a8e5

C:\Users\Admin\AppData\Local\Temp\nsoF181.tmp\7z-out\resources\app.asar.unpacked\node_modules\node-api-dotnet\net6.0\Microsoft.JavaScript.NodeApi.dll

MD5 5f30e2d43fef3f2a046ef0da262fa38d
SHA1 fd90efd86834fe2a15554e42a367467e6b5f69ce
SHA256 6c1d4f8da8624d573ed1b4336384d26e1e7b10d66df031f2b6d58f2a83dd7f9f
SHA512 d21af414f331aba8e978046f724c4128901c08cfb06416a62849c37fc39e4696f1a28f835a397db07b241eacfd5113155d4390bfc7daf3ff8ebf4898e848113c

C:\Users\Admin\AppData\Local\Temp\nsoF181.tmp\7z-out\resources\app.asar.unpacked\node_modules\node-api-dotnet\net472\System.Threading.Tasks.Extensions.dll

MD5 e1e9d7d46e5cd9525c5927dc98d9ecc7
SHA1 2242627282f9e07e37b274ea36fac2d3cd9c9110
SHA256 4f81ffd0dc7204db75afc35ea4291769b07c440592f28894260eea76626a23c6
SHA512 da7ab8c0100e7d074f0e680b28d241940733860dfbdc5b8c78428b76e807f27e44d1c5ec95ee80c0b5098e8c5d5da4d48bce86800164f9734a05035220c3ff11

C:\Users\Admin\AppData\Local\Temp\nsoF181.tmp\7z-out\resources\app.asar.unpacked\node_modules\node-api-dotnet\net472\System.Runtime.CompilerServices.Unsafe.dll

MD5 da04a75ddc22118ed24e0b53e474805a
SHA1 2d68c648a6a6371b6046e6c3af09128230e0ad32
SHA256 66409f670315afe8610f17a4d3a1ee52d72b6a46c544cec97544e8385f90ad74
SHA512 26af01ca25e921465f477a0e1499edc9e0ac26c23908e5e9b97d3afd60f3308bfbf2c8ca89ea21878454cd88a1cddd2f2f0172a6e1e87ef33c56cd7a8d16e9c8

C:\Users\Admin\AppData\Local\Temp\nsoF181.tmp\7z-out\resources\app.asar.unpacked\node_modules\node-api-dotnet\net472\System.Memory.dll

MD5 f09441a1ee47fb3e6571a3a448e05baf
SHA1 3c5c5df5f8f8db3f0a35c5ed8d357313a54e3cde
SHA256 bf3fb84664f4097f1a8a9bc71a51dcf8cf1a905d4080a4d290da1730866e856f
SHA512 0199ae0633bccfeaefbb5aed20832a4379c7ad73461d41a9da3d6dc044093cc319670e67c4efbf830308cbd9a48fb40d4a6c7e472dcc42eb745c6ba813e8e7c6

C:\Users\Admin\AppData\Local\Temp\nsoF181.tmp\7z-out\resources\app.asar.unpacked\node_modules\node-api-dotnet\net472\Microsoft.JavaScript.NodeApi.runtimeconfig.json

MD5 28fd63c95474cd2a3b0b33e35dcbcb0a
SHA1 9e12936c6fbb8c81759dac2ac1513be9d5354c96
SHA256 7d8e2fb2f6395df8ed535609192f9acca4586a45edb3dc20bb9078b7317ba96d
SHA512 91f5b4d91455ae08158fe6bd9d43cce3e03011f57cc9673f4a999942cf899dec4f3d5b629ac0baba7e911f347d71f671da78563d307749f94cb845034d2e1197

C:\Users\Admin\AppData\Local\Temp\nsoF181.tmp\7z-out\resources\app.asar.unpacked\node_modules\node-api-dotnet\net472\Microsoft.JavaScript.NodeApi.DotNetHost.dll

MD5 c51674c3fb7638792162f81cf3e3de65
SHA1 e2c48be8a9ddb3bd03307cf31b1e8315768ed003
SHA256 5a31c693e40cfb72488f97fab198ef150e16a78a52ce50204cc7888f0ac206b9
SHA512 95927f4bd44e6a08bc7f5bf3b1dac8890cca1b3ea5127db9af520a9e9b984c678621a6c89bd3702d910dc7878a0e59e24798357a1b5dff2e74afe56f3e0d74be

C:\Users\Admin\AppData\Local\Temp\nsoF181.tmp\7z-out\resources\app.asar.unpacked\node_modules\node-api-dotnet\net472\Microsoft.JavaScript.NodeApi.dll

MD5 c198d70bbf923f7b5a929ad7c78ebcbf
SHA1 c0d86d242233ddd8efa13386359c4cc50e25fe6d
SHA256 afc0c7bbb22589c397b161b19b97cd0abec6065151f28c661d451ba38605ae64
SHA512 6f5cd60789c902a217af21329bd8372ed9f0504c806b7a882b91ac3def67a24ae8cdcbf0ca8efa72a0e433e893729f7cafa54b16f13b93662ea745f1f666ff93

C:\Users\Admin\AppData\Local\Temp\nsoF181.tmp\7z-out\resources\app.asar.unpacked\node_modules\node-api-dotnet\net472\Microsoft.Bcl.AsyncInterfaces.dll

MD5 970b6e6478ae3ab699f277d77de0cd19
SHA1 5475cb28998d419b4714343ffa9511ff46322ac2
SHA256 5dc372a10f345b1f00ec6a8fa1a2ce569f7e5d63e4f1f8631be367e46bfa34f4
SHA512 f3ad2088c5d3fcb770c6d8212650eed95507e107a34f9468ca9db99defd8838443a95e0b59a5a6cb65a18ebbc529110c5348513a321b44223f537096c6d7d6e0

C:\Users\Admin\AppData\Local\Temp\nsoF181.tmp\7z-out\resources\app.asar.unpacked\node_modules\node-api-dotnet\linux-x64\Microsoft.JavaScript.NodeApi.node

MD5 6f16e6388b2f45613020b18b0b3c9895
SHA1 aa66419ac26540254a29db3281c84c734827f999
SHA256 d76975fde2a7daff7c30d23328ecca54e6aebf8f35a68a0a6be4a0e74c432a37
SHA512 daebe33c54650e98c05bb95ef48851fa3b49dde63def938671181017881a31f305a8971e12cb442b0b2ef8fdebb4b6a0c1b1275e16d04150e8f993ef73c8d3d7

C:\Users\Admin\AppData\Local\Temp\nsoF181.tmp\7z-out\resources\app.asar.unpacked\node_modules\node-api-dotnet\net8.0.js

MD5 db807a4f6ffd4bee1327dc55e7040d8e
SHA1 76f48029171e04246f7faaeca099574e894de189
SHA256 26d7611e2788fbe809a0fa558d9e35e9a1c352c3610187f4d4a28229f89d223a
SHA512 15be60c794ae4f2770407ad262c8dd262fee6fcf1d04bef5341935ab8642517fe029b9ba2078c43c029a15e740b62a935ae9646b18055c9f4712a9b88af6f3c5

C:\Users\Admin\AppData\Local\Temp\nsoF181.tmp\7z-out\resources\app.asar.unpacked\node_modules\node-api-dotnet\net6.0.js

MD5 fd765ceb847132807f77234d17eed978
SHA1 89afd27c4daacf742502f24a1a4118c7001c1cc9
SHA256 9f776b65df9efb026b62fd7a0376eed5cb040052c9ec59c37f00c11bce34b92b
SHA512 12a73ef95218a3957507c01dfe00bea7b025eea8a83865fab4f49e5bd5c9774292adf06eec94963b3f747d02679106f86f00e1aa3c564d8aca65ad4913be166e

C:\Users\Admin\AppData\Local\Temp\nsoF181.tmp\7z-out\resources\app.asar.unpacked\node_modules\node-api-dotnet\net472.js

MD5 de4225474d84af0d82b1f4f7393669d7
SHA1 0e66a9dd4192b6612ee8fffe38a01b06c07f5d7a
SHA256 ef2c3b85dedd9a829cb5b76add8ac018ce36d920353046c92da609a50769903d
SHA512 494f0d38dd6bf36f5a8a8df0331a0d22331339aa3b963483699b8e9fa0763ea8c9bbd801bd13e66e8acf7ff522dc4bb6971b6da0a6a6f02d220e01e40204fec2

C:\Users\Admin\AppData\Local\Temp\nsoF181.tmp\7z-out\resources\app.asar.unpacked\node_modules\node-api-dotnet\init.js

MD5 fc0f66ec13242bb0928b3a211b6eb250
SHA1 c64be5bf3d40bd651e03bacf499179c592a7fe02
SHA256 2f0fddde06ebe3f580f66409e9d4ebea2e2c346f787edf4ab3ca155de85dbee6
SHA512 63e7796cdf2399e084a1fad64db6172e3a688d39745ac1a68a424d3a9aa59ffddb71c6528233ecf164b1ced44f1cd517ff02202e5f594075bb51c64314a3258b

C:\Users\Admin\AppData\Local\Temp\nsoF181.tmp\7z-out\resources\app.asar.unpacked\node_modules\node-api-dotnet\index.js

MD5 0791fe349ff54274763506f178aa5348
SHA1 47ab28896bc945c39c069daabc520c137529e944
SHA256 29ee7b009c099ff841a39cd6e2d28f7ae98bb673a8eab04c6ca08b905d6f9a66
SHA512 415e264233062d1bbb1ca8621dee6b50edef4d132924094bea28b5d14a3d3290e6b679c47e730425f8de192ce2d60b52d8f191d17dc8a4ab41d7f336e5713a9f

C:\Users\Admin\AppData\Local\Temp\nsoF181.tmp\7z-out\resources\elevate.exe

MD5 792b92c8ad13c46f27c7ced0810694df
SHA1 d8d449b92de20a57df722df46435ba4553ecc802
SHA256 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37
SHA512 6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40

C:\Users\Admin\AppData\Local\Temp\nsoF181.tmp\7z-out\resources\app.asar

MD5 724b63c8db1251fda40113e186f29ed1
SHA1 747796abacf4086ba8019a014102cb32ab016932
SHA256 e6e9873810e22450ca1cc4f537c8196f142e58c5389b23d1fbaf0f3380d0d587
SHA512 6dff8c8d394849dd8fe6102a3f080819c77d100784600fa14d5dccfdfbb6165b362147419bfe2befdb190f4e100e4567138b9fea976899d99d6e7c837fff705f

C:\Users\Admin\AppData\Local\Temp\nsoF181.tmp\7z-out\resources\app-update.yml

MD5 5ab26d764b9e538c30e528ca22d50cf5
SHA1 b39c4fedef9093ff3d5b0c5cc9c54346ac443fc4
SHA256 5058dc7a797049675e6280cc40f52a6db6c2a75f2db17cf77d20266779a8baee
SHA512 91f5ec99608214e6080e0f22683f2055847ff4d34546af432ea67fcfe2286c67d9c0aef3e75d224bafbbfe0ed9598b7b836cb5802e571aa3481f1be1e1a90430


Analysis: behavioral10

Detonation Overview

Submitted

2024-10-27 13:18

Reported

2024-10-27 13:22

Platform

win10v2004-20241007-en

Max time kernel

137s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3604 wrote to memory of 4628 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3604 wrote to memory of 4628 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3604 wrote to memory of 4628 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4628 -ip 4628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 103.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-10-27 13:18

Reported

2024-10-27 13:22

Platform

ubuntu2404-amd64-20240523-en

Max time kernel

0s

Max time network

133s

Command Line

[/tmp/resources/app.asar.unpacked/node_modules/node-api-dotnet/linux-x64/Microsoft.JavaScript.NodeApi.node]

Signatures

N/A

Processes

/tmp/resources/app.asar.unpacked/node_modules/node-api-dotnet/linux-x64/Microsoft.JavaScript.NodeApi.node

[/tmp/resources/app.asar.unpacked/node_modules/node-api-dotnet/linux-x64/Microsoft.JavaScript.NodeApi.node]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-10-27 13:18

Reported

2024-10-27 13:22

Platform

win7-20241010-en

Max time kernel

122s

Max time network

131s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 224

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-10-27 13:18

Reported

2024-10-27 13:23

Platform

win7-20241010-en

Max time kernel

121s

Max time network

138s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-10-27 13:18

Reported

2024-10-27 13:22

Platform

win10v2004-20241007-en

Max time kernel

144s

Max time network

161s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\node-api-dotnet\index.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\node-api-dotnet\index.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 69.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-10-27 13:18

Reported

2024-10-27 13:22

Platform

win10v2004-20241007-en

Max time kernel

144s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\node-api-dotnet\net472\Microsoft.Bcl.AsyncInterfaces.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\node-api-dotnet\net472\Microsoft.Bcl.AsyncInterfaces.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-10-27 13:18

Reported

2024-10-27 13:22

Platform

win10v2004-20241007-en

Max time kernel

146s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SpiderBanner.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2800 wrote to memory of 3596 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2800 wrote to memory of 3596 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2800 wrote to memory of 3596 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SpiderBanner.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SpiderBanner.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 170.117.168.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-10-27 13:18

Reported

2024-10-27 13:22

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

165s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 69.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 69.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-10-27 13:18

Reported

2024-10-27 13:22

Platform

win10v2004-20241007-en

Max time kernel

132s

Max time network

155s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\node-api-dotnet\init.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\node-api-dotnet\init.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 69.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-10-27 13:18

Reported

2024-10-27 13:22

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

160s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\node-api-dotnet\net472.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\node-api-dotnet\net472.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-27 13:18

Reported

2024-10-27 13:22

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MeetseeApp.exe"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UpdateMC.exe C:\Users\Admin\AppData\Local\Temp\UpdateMC.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UpdateMC.exe C:\Users\Admin\AppData\Local\Temp\UpdateMC.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Path = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UpdateMC.exe" C:\Users\Admin\AppData\Local\Temp\UpdateMC.exe N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\temp032412423CaWqU\MicrosoftRuntimeComponentsX86.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A
N/A api.db-ip.com N/A N/A
N/A api.db-ip.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\DLL\kernel32.pdb C:\Users\Admin\AppData\Local\Temp\temp032412423CaWqU\MicrosoftRuntimeComponentsX86.exe N/A
File opened for modification C:\Windows\System32\ntdll.pdb C:\Users\Admin\AppData\Local\Temp\temp032412423CaWqU\MicrosoftRuntimeComponentsX86.exe N/A
File opened for modification C:\Windows\SYSTEM32\kernel32.pdb C:\Users\Admin\AppData\Local\Temp\temp032412423CaWqU\MicrosoftRuntimeComponentsX86.exe N/A
File opened for modification C:\Windows\System32\dll\ntdll.pdb C:\Users\Admin\AppData\Local\Temp\temp032412423CaWqU\MicrosoftRuntimeComponentsX86.exe N/A
File opened for modification C:\Windows\System32\symbols\exe\directinstall.pdb C:\Users\Admin\AppData\Local\Temp\temp032412423CaWqU\MicrosoftRuntimeComponentsX86.exe N/A
File opened for modification C:\Windows\SYSTEM32\DLL\kernel32.pdb C:\Users\Admin\AppData\Local\Temp\temp032412423CaWqU\MicrosoftRuntimeComponentsX86.exe N/A
File opened for modification C:\Windows\System32\kernel32.pdb C:\Users\Admin\AppData\Local\Temp\temp032412423CaWqU\MicrosoftRuntimeComponentsX86.exe N/A
File opened for modification C:\Windows\system32\symbols\DLL\kernel32.pdb C:\Users\Admin\AppData\Local\Temp\temp032412423CaWqU\MicrosoftRuntimeComponentsX86.exe N/A
File opened for modification C:\Windows\system32\dll\ntdll.pdb C:\Users\Admin\AppData\Local\Temp\temp032412423CaWqU\MicrosoftRuntimeComponentsX86.exe N/A
File opened for modification C:\Windows\SYSTEM32\exe\directinstall.pdb C:\Users\Admin\AppData\Local\Temp\temp032412423CaWqU\MicrosoftRuntimeComponentsX86.exe N/A
File opened for modification C:\Windows\SYSTEM32\ntdll.pdb C:\Users\Admin\AppData\Local\Temp\temp032412423CaWqU\MicrosoftRuntimeComponentsX86.exe N/A
File opened for modification C:\Windows\System32\exe\directinstall.pdb C:\Users\Admin\AppData\Local\Temp\temp032412423CaWqU\MicrosoftRuntimeComponentsX86.exe N/A
File opened for modification C:\Windows\system32\exe\directinstall.pdb C:\Users\Admin\AppData\Local\Temp\temp032412423CaWqU\MicrosoftRuntimeComponentsX86.exe N/A
File opened for modification C:\Windows\system32\DLL\kernel32.pdb C:\Users\Admin\AppData\Local\Temp\temp032412423CaWqU\MicrosoftRuntimeComponentsX86.exe N/A
File opened for modification C:\Windows\system32\symbols\dll\ntdll.pdb C:\Users\Admin\AppData\Local\Temp\temp032412423CaWqU\MicrosoftRuntimeComponentsX86.exe N/A
File opened for modification C:\Windows\system32\directinstall.pdb C:\Users\Admin\AppData\Local\Temp\temp032412423CaWqU\MicrosoftRuntimeComponentsX86.exe N/A
File opened for modification C:\Windows\system32\symbols\exe\directinstall.pdb C:\Users\Admin\AppData\Local\Temp\temp032412423CaWqU\MicrosoftRuntimeComponentsX86.exe N/A
File opened for modification C:\Windows\System32\symbols\DLL\kernel32.pdb C:\Users\Admin\AppData\Local\Temp\temp032412423CaWqU\MicrosoftRuntimeComponentsX86.exe N/A
File opened for modification C:\Windows\SYSTEM32\symbols\dll\ntdll.pdb C:\Users\Admin\AppData\Local\Temp\temp032412423CaWqU\MicrosoftRuntimeComponentsX86.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\ntdll.pdb C:\Users\Admin\AppData\Local\Temp\temp032412423CaWqU\MicrosoftRuntimeComponentsX86.exe N/A
File opened for modification C:\Windows\SYSTEM32\symbols\exe\directinstall.pdb C:\Users\Admin\AppData\Local\Temp\temp032412423CaWqU\MicrosoftRuntimeComponentsX86.exe N/A
File opened for modification C:\Windows\system32\kernel32.pdb C:\Users\Admin\AppData\Local\Temp\temp032412423CaWqU\MicrosoftRuntimeComponentsX86.exe N/A
File opened for modification C:\Windows\SYSTEM32\dll\ntdll.pdb C:\Users\Admin\AppData\Local\Temp\temp032412423CaWqU\MicrosoftRuntimeComponentsX86.exe N/A
File opened for modification C:\Windows\system32\ntdll.pdb C:\Users\Admin\AppData\Local\Temp\temp032412423CaWqU\MicrosoftRuntimeComponentsX86.exe N/A
File opened for modification C:\Windows\SYSTEM32\directinstall.pdb C:\Users\Admin\AppData\Local\Temp\temp032412423CaWqU\MicrosoftRuntimeComponentsX86.exe N/A
File opened for modification C:\Windows\System32\directinstall.pdb C:\Users\Admin\AppData\Local\Temp\temp032412423CaWqU\MicrosoftRuntimeComponentsX86.exe N/A
File opened for modification C:\Windows\SYSTEM32\symbols\DLL\kernel32.pdb C:\Users\Admin\AppData\Local\Temp\temp032412423CaWqU\MicrosoftRuntimeComponentsX86.exe N/A
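
The rows above show the dropped MicrosoftRuntimeComponentsX86.exe opening kernel32.pdb, ntdll.pdb and directinstall.pdb under every variant of the default dbghelp symbol search (the module's own directory, then its dll/exe and symbols\dll/symbols\exe subdirectories). That access pattern is what a program produces when it initialises symbol handling for its loaded modules; the third name, directinstall.pdb, is most plausibly the PDB name embedded in the dropped binary's own CodeView debug record. That is an inference from the paths, not something the report states, but the embedded PDB path and GUID are a useful pivot for hunting other builds from the same source tree. The following Python is an added example, not part of this report or of any sandbox tooling: it scans a file image for CodeView RSDS records and derives the Microsoft symbol-server key. The sample image, its GUID, age and path are constructed stand-ins, not values taken from the real sample.

```python
import struct
import uuid


def parse_rsds(blob, offset):
    """Parse a CodeView 'RSDS' record at blob[offset:].

    Layout: 'RSDS' | GUID (16 bytes, little-endian field order) | age (uint32 LE)
            | NUL-terminated PDB path. Returns (guid, age, path) or None.
    """
    if blob[offset:offset + 4] != b"RSDS" or len(blob) < offset + 24:
        return None
    guid = uuid.UUID(bytes_le=bytes(blob[offset + 4:offset + 20]))
    (age,) = struct.unpack_from("<I", blob, offset + 20)
    end = blob.find(b"\x00", offset + 24)
    if end == -1:
        return None
    path = blob[offset + 24:end].decode("utf-8", errors="replace")
    return guid, age, path


def find_rsds_records(blob):
    """Scan a whole file image for RSDS records whose path names a .pdb.

    This is a signature scan rather than a PE debug-directory walk, so it also
    works on packed or truncated files; the .pdb filter drops accidental 'RSDS'
    byte sequences that are not debug records.
    """
    found = []
    i = blob.find(b"RSDS")
    while i != -1:
        rec = parse_rsds(blob, i)
        if rec and rec[2].lower().endswith(".pdb"):
            found.append(rec)
        i = blob.find(b"RSDS", i + 4)
    return found


def symbol_server_key(guid, age, path):
    """Microsoft symbol-server lookup key: <name>/<GUID hex upper><age hex>/<name>."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return f"{name}/{guid.hex.upper()}{age:X}/{name}"


def make_sample_image():
    """Constructed stand-in for a dropped binary (NOT the real sample): an MZ
    stub, a decoy 'RSDS' string that is not a debug record, and one record whose
    GUID, age and path are made up for this example."""
    decoy = b"RSDS" + b"\x11" * 16 + struct.pack("<I", 1) + b"not a record\x00"
    record = (b"RSDS" + bytes(range(1, 17)) + struct.pack("<I", 3)
              + b"C:\\build\\directinstall.pdb\x00")
    return b"MZ" + b"\x00" * 62 + decoy + b"\x00" * 8 + record + b"\x00" * 16


if __name__ == "__main__":
    for guid, age, path in find_rsds_records(make_sample_image()):
        print(guid, age, path)
        print("symsrv key:", symbol_server_key(guid, age, path))
```

Run it against the dropped file instead of make_sample_image() by passing open(path, "rb").read() to find_rsds_records(); the resulting key is what a symbol server would be asked for, and the path itself (build directory, project name) is the hunting pivot.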

Hide Artifacts: Ignore Process Interrupts

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Access Token Manipulation: Create Process with Token

defense_evasion privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\MeetseeApp.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MeetseeApp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MeetseeApp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\temp032412423CaWqU\MicrosoftRuntimeComponentsX86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\temp032412423CaWqU\MicrosoftRuntimeComponentsX86.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\temp032412423CaWqU\MicrosoftRuntimeComponentsX86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\temp032412423CaWqU\MicrosoftRuntimeComponentsX86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\temp032412423CaWqU\MicrosoftRuntimeComponentsX86.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\temp032412423CaWqU\MicrosoftRuntimeComponentsX86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\temp032412423CaWqU\MicrosoftRuntimeComponentsX86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\temp032412423CaWqU\MicrosoftRuntimeComponentsX86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\temp032412423CaWqU\MicrosoftRuntimeComponentsX86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\temp032412423CaWqU\MicrosoftRuntimeComponentsX86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\temp032412423CaWqU\MicrosoftRuntimeComponentsX86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\temp032412423CaWqU\MicrosoftRuntimeComponentsX86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\temp032412423CaWqU\MicrosoftRuntimeComponentsX86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\temp032412423CaWqU\MicrosoftRuntimeComponentsX86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\temp032412423CaWqU\MicrosoftRuntimeComponentsX86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\temp032412423CaWqU\MicrosoftRuntimeComponentsX86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\temp032412423CaWqU\MicrosoftRuntimeComponentsX86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\temp032412423CaWqU\MicrosoftRuntimeComponentsX86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\temp032412423CaWqU\MicrosoftRuntimeComponentsX86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\temp032412423CaWqU\MicrosoftRuntimeComponentsX86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\temp032412423CaWqU\MicrosoftRuntimeComponentsX86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\temp032412423CaWqU\MicrosoftRuntimeComponentsX86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\temp032412423CaWqU\MicrosoftRuntimeComponentsX86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\temp032412423CaWqU\MicrosoftRuntimeComponentsX86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\temp032412423CaWqU\MicrosoftRuntimeComponentsX86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\temp032412423CaWqU\MicrosoftRuntimeComponentsX86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\temp032412423CaWqU\MicrosoftRuntimeComponentsX86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MeetseeApp.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege) N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 (SeTimeZonePrivilege) N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege) N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 (SeDelegateSessionUserImpersonatePrivilege) N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4544 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe
PID 4544 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe
PID 4544 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe
PID 4544 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe
PID 4544 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe
PID 4544 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe
PID 4544 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe
PID 4544 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe
PID 4544 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe
PID 4544 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe
PID 4544 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe
PID 4544 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe
PID 4544 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe
PID 4544 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe
PID 4544 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe
PID 4544 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe
PID 4544 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe
PID 4544 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe
PID 4544 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe
PID 4544 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe
PID 4544 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe
PID 4544 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe
PID 4544 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe
PID 4544 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe
PID 4544 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe
PID 4544 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe
PID 4544 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe
PID 4544 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe
PID 4544 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe
PID 4544 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe
PID 4544 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe
PID 4544 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe
PID 4544 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe
PID 4544 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe
PID 4544 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe
PID 4544 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe
PID 4544 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe C:\Windows\system32\cmd.exe
PID 4544 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe C:\Windows\system32\cmd.exe
PID 2184 wrote to memory of 4528 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\reg.exe
PID 2184 wrote to memory of 4528 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\reg.exe
PID 4544 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe C:\Windows\system32\cmd.exe
PID 4544 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe C:\Windows\system32\cmd.exe
PID 3372 wrote to memory of 4472 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\reg.exe
PID 3372 wrote to memory of 4472 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\reg.exe
PID 4544 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe C:\Windows\system32\cmd.exe
PID 4544 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe C:\Windows\system32\cmd.exe
PID 4544 wrote to memory of 4248 N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe C:\Windows\system32\cmd.exe
PID 4544 wrote to memory of 4248 N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe C:\Windows\system32\cmd.exe
PID 4248 wrote to memory of 5100 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\reg.exe
PID 4248 wrote to memory of 5100 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\reg.exe
PID 2504 wrote to memory of 1504 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2504 wrote to memory of 1504 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4544 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe C:\Windows\system32\cmd.exe
PID 4544 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe C:\Windows\system32\cmd.exe
PID 3436 wrote to memory of 1508 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\reg.exe
PID 3436 wrote to memory of 1508 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\reg.exe
PID 4544 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe C:\Windows\system32\cmd.exe
PID 4544 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe C:\Windows\system32\cmd.exe
PID 5012 wrote to memory of 4368 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\reg.exe
PID 5012 wrote to memory of 4368 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\reg.exe
PID 1504 wrote to memory of 3016 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\temp032412423CaWqU\MicrosoftRuntimeComponentsX86.exe
PID 1504 wrote to memory of 3016 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\temp032412423CaWqU\MicrosoftRuntimeComponentsX86.exe
PID 3016 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\temp032412423CaWqU\MicrosoftRuntimeComponentsX86.exe C:\Windows\System32\Wbem\wmic.exe
PID 3016 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\temp032412423CaWqU\MicrosoftRuntimeComponentsX86.exe C:\Windows\System32\Wbem\wmic.exe

Processes

C:\Users\Admin\AppData\Local\Temp\MeetseeApp.exe

"C:\Users\Admin\AppData\Local\Temp\MeetseeApp.exe"

C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe

"C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe"

C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe

C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\meet-app /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\meet-app\Crashpad --url=https://f.a.k/e --annotation=_productName=meet-app --annotation=_version=3.7.482 --annotation=plat=Win64 --annotation=prod=Electron --annotation=ver=28.3.3 --initial-client-data=0x514,0x510,0x53c,0x51c,0x544,0x7ff76a844688,0x7ff76a844694,0x7ff76a8446a0

C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe

"C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\meet-app" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1880 --field-trial-handle=1884,i,15053666787394241611,12788305586472454363,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:2

C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe

"C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\meet-app" --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --mojo-platform-channel-handle=2164 --field-trial-handle=1884,i,15053666787394241611,12788305586472454363,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8

C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe

"C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\meet-app" --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --app-user-model-id=com.meetsee --app-path="C:\Users\Admin\AppData\Local\Programs\meet-app\resources\app.asar" --no-sandbox --no-zygote --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2516 --field-trial-handle=1884,i,15053666787394241611,12788305586472454363,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "%windir%\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid"

C:\Windows\System32\reg.exe

C:\Windows\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "%windir%\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid"

C:\Windows\System32\reg.exe

C:\Windows\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Start-Process "C:\Users\Admin\AppData\Local\Temp\temp032412423CaWqU\MicrosoftRuntimeComponentsX86.exe" -Verb runAs -ErrorAction SilentlyContinue"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "%windir%\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid"

C:\Windows\System32\reg.exe

C:\Windows\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Start-Process "C:\Users\Admin\AppData\Local\Temp\temp032412423CaWqU\MicrosoftRuntimeComponentsX86.exe" -Verb runAs -ErrorAction SilentlyContinue

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "%windir%\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid"

C:\Windows\System32\reg.exe

C:\Windows\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "%windir%\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid"

C:\Windows\System32\reg.exe

C:\Windows\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid

C:\Users\Admin\AppData\Local\Temp\temp032412423CaWqU\MicrosoftRuntimeComponentsX86.exe

"C:\Users\Admin\AppData\Local\Temp\temp032412423CaWqU\MicrosoftRuntimeComponentsX86.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic" csproduct get UUID

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command "Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\UpdateMC.exe' -Verb RunAs -WindowStyle hidden -ErrorAction SilentlyContinue"

C:\Users\Admin\AppData\Local\Temp\UpdateMC.exe

"C:\Users\Admin\AppData\Local\Temp\UpdateMC.exe"

C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe

"C:\Users\Admin\AppData\Local\Programs\meet-app\meetsee.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\meet-app" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2536 --field-trial-handle=1884,i,15053666787394241611,12788305586472454363,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8
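
Read together with the WriteProcessMemory rows above (PID 4544 meetsee.exe → 2504 cmd.exe → 1504 powershell.exe → 3016 MicrosoftRuntimeComponentsX86.exe → 1372 wmic.exe), the command lines describe one chain: the Electron app fingerprints the host (REG QUERY of the MachineGuid, later wmic csproduct get UUID), then uses powershell Start-Process with -Verb runAs to push a binary dropped under %TEMP% through a UAC consent prompt, and the elevated binary repeats the trick with a hidden window for UpdateMC.exe. That is the part a detection engineer will want to match. The following Python is an added example, not part of this report or of the sandbox: it runs regex classifiers over the command lines listed above (copied from this report, plus one constructed benign line for contrast) and reports whether the fingerprint-then-self-elevate pattern is present. The tag names, the %TEMP% heuristic and the chain rule are my own choices.

```python
import re

# Command lines copied from the process list in this report, plus one
# constructed benign line (the last entry) that must not match anything.
REPORT_CMDLINES = [
    r'C:\Windows\system32\cmd.exe /d /s /c "%windir%\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid"',
    r'C:\Windows\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid',
    r'C:\Windows\system32\cmd.exe /d /s /c "powershell Start-Process "C:\Users\Admin\AppData\Local\Temp\temp032412423CaWqU\MicrosoftRuntimeComponentsX86.exe" -Verb runAs -ErrorAction SilentlyContinue"',
    r'powershell Start-Process "C:\Users\Admin\AppData\Local\Temp\temp032412423CaWqU\MicrosoftRuntimeComponentsX86.exe" -Verb runAs -ErrorAction SilentlyContinue',
    r'"wmic" csproduct get UUID',
    r'''"powershell" -Command "Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\UpdateMC.exe' -Verb RunAs -WindowStyle hidden -ErrorAction SilentlyContinue"''',
    r'"C:\Program Files\Git\cmd\git.exe" status',  # constructed benign line
]

# Technique tags (names are this example's own, not sandbox signature names).
PATTERNS = {
    # Start-Process -Verb runAs goes through ShellExecute's "runas" verb, i.e. a UAC prompt.
    "uac_prompt_elevation": re.compile(r"Start-Process\b.*-Verb\s+runAs", re.I),
    "hidden_window": re.compile(r"-WindowStyle\s+hidden", re.I),
    "machineguid_query": re.compile(
        r"\breg(?:\.exe)?\s+query\b.*\\Cryptography\b.*\bMachineGuid\b", re.I),
    "smbios_uuid_query": re.compile(r"\bwmic\b.*\bcsproduct\s+get\s+uuid\b", re.I),
}
# Target of Start-Process, whether given positionally or via -FilePath.
START_PROCESS_TARGET = re.compile(
    r"Start-Process\s+(?:-FilePath\s+)?['\"]([^'\"]+)['\"]", re.I)
USER_WRITABLE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def elevation_target(cmd):
    """Path handed to Start-Process, or None if the line does not call it."""
    m = START_PROCESS_TARGET.search(cmd)
    return m.group(1) if m else None


def classify_cmdline(cmd):
    """Return the set of technique tags that fire on one command line."""
    tags = {name for name, pat in PATTERNS.items() if pat.search(cmd)}
    target = elevation_target(cmd)
    if target and USER_WRITABLE.search(target):
        # Asking for elevation of a binary in a user-writable temp directory is
        # the heuristic that separates this chain from an ordinary installer.
        tags.add("elevate_from_user_temp")
    return tags


def triage(cmdlines):
    """Summarise a process list: which tags fired on which lines, the binaries
    pushed through a UAC prompt, and whether the full chain is present."""
    hits = {}
    targets = []
    for cmd in cmdlines:
        for tag in classify_cmdline(cmd):
            hits.setdefault(tag, []).append(cmd)
        target = elevation_target(cmd)
        if target and target not in targets:
            targets.append(target)
    chain = {"machineguid_query", "uac_prompt_elevation", "elevate_from_user_temp"} <= set(hits)
    return {"hits": hits, "elevation_targets": targets, "fingerprint_then_elevate": chain}


if __name__ == "__main__":
    result = triage(REPORT_CMDLINES)
    for tag, lines in sorted(result["hits"].items()):
        print(f"{tag}: {len(lines)} line(s)")
    print("elevated:", result["elevation_targets"])
    print("fingerprint-then-elevate chain:", result["fingerprint_then_elevate"])
```

The same regexes translate directly into a process-creation rule (Sysmon event 1 or 4688 command lines); the parent relationship recorded above (cmd.exe spawned by an Electron app, then powershell with -Verb runAs) is the extra condition that keeps the rule from firing on a legitimate installer that prompts for elevation once.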

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 api.ipify.org udp
US 104.26.12.205:443 api.ipify.org tcp
US 8.8.8.8:53 deliverynetwork.observer udp
US 104.26.12.205:443 api.ipify.org tcp
DE 199.247.4.86:443 deliverynetwork.observer tcp
US 8.8.8.8:53 meetsee.gg udp
US 8.8.8.8:53 205.12.26.104.in-addr.arpa udp
US 8.8.8.8:53 86.4.247.199.in-addr.arpa udp
US 81.28.12.12:443 meetsee.gg tcp
US 81.28.12.12:443 meetsee.gg tcp
US 8.8.8.8:53 12.12.28.81.in-addr.arpa udp
US 8.8.8.8:53 o4507334448250880.ingest.de.sentry.io udp
US 8.8.8.8:53 o4507334448250880.ingest.de.sentry.io udp
US 8.8.8.8:53 o4507334448250880.ingest.de.sentry.io udp
US 8.8.8.8:53 o4507334448250880.ingest.de.sentry.io udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:443 dns.google tcp
US 8.8.4.4:443 dns.google tcp
US 8.8.8.8:443 dns.google tcp
US 8.8.4.4:443 dns.google tcp
US 104.26.12.205:443 api.ipify.org tcp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 81.28.12.12:443 meetsee.gg tcp
US 8.8.8.8:53 o4507334448250880.ingest.de.sentry.io udp
US 8.8.8.8:443 dns.google udp
US 34.120.62.213:443 o4507334448250880.ingest.de.sentry.io tcp
US 34.120.62.213:443 o4507334448250880.ingest.de.sentry.io tcp
US 34.120.62.213:443 o4507334448250880.ingest.de.sentry.io tcp
US 34.120.62.213:443 o4507334448250880.ingest.de.sentry.io tcp
US 34.120.62.213:443 o4507334448250880.ingest.de.sentry.io udp
US 8.8.8.8:53 213.62.120.34.in-addr.arpa udp
DE 172.104.133.212:8080 tcp
DE 172.104.133.212:8880 172.104.133.212 tcp
US 8.8.8.8:53 o4506972866674688.ingest.us.sentry.io udp
US 34.120.195.249:443 o4506972866674688.ingest.us.sentry.io tcp
DE 199.247.4.86:443 deliverynetwork.observer tcp
US 8.8.8.8:53 212.133.104.172.in-addr.arpa udp
US 8.8.8.8:53 249.195.120.34.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 69.190.18.2.in-addr.arpa udp
DE 172.104.133.212:8880 172.104.133.212 tcp
US 8.8.8.8:53 api.db-ip.com udp
US 104.26.5.15:443 api.db-ip.com tcp
DE 172.104.133.212:8880 172.104.133.212 tcp
DE 172.104.133.212:8880 172.104.133.212 tcp
US 8.8.8.8:53 15.5.26.104.in-addr.arpa udp
DE 172.104.133.212:8885 tcp
N/A 127.0.0.1:2342 tcp
DE 172.104.133.212:8880 172.104.133.212 tcp
DE 172.104.133.212:8880 172.104.133.212 tcp
DE 172.104.133.212:8880 172.104.133.212 tcp
DE 172.104.133.212:8880 172.104.133.212 tcp
DE 172.104.133.212:8880 172.104.133.212 tcp
DE 172.104.133.212:8880 172.104.133.212 tcp
DE 172.104.133.212:8880 172.104.133.212 tcp
DE 172.104.133.212:8880 172.104.133.212 tcp
DE 172.104.133.212:8880 172.104.133.212 tcp
DE 172.104.133.212:8880 172.104.133.212 tcp
DE 172.104.133.212:8880 172.104.133.212 tcp
DE 172.104.133.212:8880 172.104.133.212 tcp
DE 172.104.133.212:8880 172.104.133.212 tcp
DE 172.104.133.212:8885 tcp
N/A 127.0.0.1:2342 tcp
DE 172.104.133.212:8885 tcp
N/A 127.0.0.1:2342 tcp
DE 172.104.133.212:8885 tcp
N/A 127.0.0.1:2342 tcp
DE 172.104.133.212:8885 tcp
N/A 127.0.0.1:2342 tcp
DE 172.104.133.212:8885 tcp
N/A 127.0.0.1:2342 tcp
DE 172.104.133.212:8885 tcp
N/A 127.0.0.1:2342 tcp
DE 172.104.133.212:8885 tcp
N/A 127.0.0.1:2342 tcp
DE 172.104.133.212:8885 tcp
N/A 127.0.0.1:2342 tcp
DE 172.104.133.212:8885 tcp
N/A 127.0.0.1:2342 tcp
DE 172.104.133.212:8885 tcp
N/A 127.0.0.1:2342 tcp
DE 172.104.133.212:8885 tcp
N/A 127.0.0.1:2342 tcp
DE 172.104.133.212:8885 tcp
N/A 127.0.0.1:2342 tcp
DE 172.104.133.212:8885 tcp
N/A 127.0.0.1:2342 tcp
DE 172.104.133.212:8885 tcp
N/A 127.0.0.1:2342 tcp
DE 172.104.133.212:8885 tcp
N/A 127.0.0.1:2342 tcp
DE 172.104.133.212:8885 tcp
N/A 127.0.0.1:2342 tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
DE 172.104.133.212:8885 tcp
N/A 127.0.0.1:2342 tcp
DE 172.104.133.212:8885 tcp
N/A 127.0.0.1:2342 tcp
DE 172.104.133.212:8885 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
N/A 127.0.0.1:2342 tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
DE 172.104.133.212:8885 tcp
N/A 127.0.0.1:2342 tcp
DE 172.104.133.212:8885 tcp
N/A 127.0.0.1:2342 tcp
DE 172.104.133.212:8885 tcp
N/A 127.0.0.1:2342 tcp
DE 172.104.133.212:8885 tcp
N/A 127.0.0.1:2342 tcp
DE 172.104.133.212:8885 tcp
N/A 127.0.0.1:2342 tcp
DE 172.104.133.212:8885 tcp
N/A 127.0.0.1:2342 tcp
DE 172.104.133.212:8885 tcp
N/A 127.0.0.1:2342 tcp
DE 172.104.133.212:8885 tcp
N/A 127.0.0.1:2342 tcp
DE 172.104.133.212:8885 tcp
N/A 127.0.0.1:2342 tcp
DE 172.104.133.212:8885 tcp
N/A 127.0.0.1:2342 tcp
DE 172.104.133.212:8885 tcp
N/A 127.0.0.1:2342 tcp
DE 172.104.133.212:8885 tcp
N/A 127.0.0.1:2342 tcp
DE 172.104.133.212:8885 tcp
N/A 127.0.0.1:2342 tcp
DE 172.104.133.212:8885 tcp
N/A 127.0.0.1:2342 tcp

Files

C:\Users\Admin\AppData\Local\Temp\nsw8A9D.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

C:\Users\Admin\AppData\Local\Temp\nsw8A9D.tmp\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

C:\Users\Admin\AppData\Local\Temp\nsw8A9D.tmp\SpiderBanner.dll

MD5 17309e33b596ba3a5693b4d3e85cf8d7
SHA1 7d361836cf53df42021c7f2b148aec9458818c01
SHA256 996a259e53ca18b89ec36d038c40148957c978c0fd600a268497d4c92f882a93
SHA512 1abac3ce4f2d5e4a635162e16cf9125e059ba1539f70086c2d71cd00d41a6e2a54d468e6f37792e55a822d7082fb388b8dfecc79b59226bbb047b7d28d44d298

C:\Users\Admin\AppData\Local\Temp\nsw8A9D.tmp\nsExec.dll

MD5 ec0504e6b8a11d5aad43b296beeb84b2
SHA1 91b5ce085130c8c7194d66b2439ec9e1c206497c
SHA256 5d9ceb1ce5f35aea5f9e5a0c0edeeec04dfefe0c77890c80c70e98209b58b962
SHA512 3f918f1b47e8a919cbe51eb17dc30acc8cfc18e743a1bae5b787d0db7d26038dc1210be98bf5ba3be8d6ed896dbbd7ac3d13e66454a98b2a38c7e69dad30bb57

C:\Users\Admin\AppData\Local\Temp\nsw8A9D.tmp\nsis7z.dll

MD5 80e44ce4895304c6a3a831310fbf8cd0
SHA1 36bd49ae21c460be5753a904b4501f1abca53508
SHA256 b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592
SHA512 c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

C:\Users\Admin\AppData\Local\Programs\meet-app\chrome_100_percent.pak

MD5 4fc6564b727baa5fecf6bf3f6116cc64
SHA1 6ced7b16dc1abe862820dfe25f4fe7ead1d3f518
SHA256 b7805392bfce11118165e3a4e747ac0ca515e4e0ceadab356d685575f6aa45fb
SHA512 fa7eab7c9b67208bd076b2cbda575b5cc16a81f59cc9bba9512a0e85af97e2f3adebc543d0d847d348d513b9c7e8bef375ab2fef662387d87c82b296d76dffa2

C:\Users\Admin\AppData\Local\Temp\nsw8A9D.tmp\7z-out\chrome_200_percent.pak

MD5 47668ac5038e68a565e0a9243df3c9e5
SHA1 38408f73501162d96757a72c63e41e78541c8e8e
SHA256 fac820a98b746a04ce14ec40c7268d6a58819133972b538f9720a5363c862e32
SHA512 5412041c923057ff320aba09674b309b7fd71ede7e467f47df54f92b7c124e3040914d6b8083272ef9f985eef1626eaf4606b17a3cae97cfe507fb74bc6f0f89

C:\Users\Admin\AppData\Local\Programs\meet-app\d3dcompiler_47.dll

MD5 2191e768cc2e19009dad20dc999135a3
SHA1 f49a46ba0e954e657aaed1c9019a53d194272b6a
SHA256 7353f25dc5cf84d09894e3e0461cef0e56799adbc617fce37620ca67240b547d
SHA512 5adcb00162f284c16ec78016d301fc11559dd0a781ffbeff822db22efbed168b11d7e5586ea82388e9503b0c7d3740cf2a08e243877f5319202491c8a641c970

C:\Users\Admin\AppData\Local\Temp\nsw8A9D.tmp\7z-out\ffmpeg.dll

MD5 fa145097e0274da929aacd68c31338ab
SHA1 a999806ef0c15593100e21bc8632d7b1806bac47
SHA256 c8476ee68088d72b9fab25703093df19237d14387016b77f472e10c99c9415ed
SHA512 d4898eed2ea09cb9b1810d783558ee7bf284701734437fbd9e1035138216e1ddbddd77d588a0b722adc5c5fd4a245871537bfb9b168910fc2bffbd6cb78c3c9f

C:\Users\Admin\AppData\Local\Temp\nsw8A9D.tmp\7z-out\icudtl.dat

MD5 e0f1ad85c0933ecce2e003a2c59ae726
SHA1 a8539fc5a233558edfa264a34f7af6187c3f0d4f
SHA256 f5170aa2b388d23bebf98784dd488a9bcb741470384a6a9a8d7a2638d768defb
SHA512 714ed5ae44dfa4812081b8de42401197c235a4fa05206597f4c7b4170dd37e8360cc75d176399b735c9aec200f5b7d5c81c07b9ab58cbca8dc08861c6814fb28

C:\Users\Admin\AppData\Local\Temp\nsw8A9D.tmp\7z-out\libEGL.dll

MD5 5db499ae909083620e47eeea1623b2af
SHA1 bc23303d6885b8f5c3fb84b3fecdf1a678e94a25
SHA256 7bee4e33d89e5a4f2b3bc74d632f7c773ae9a399b6b2ba6d29b1192e25695a8b
SHA512 d656bfa6d59c495d85eee872b372f7fba24f89101c38de1de904ece0d9ffa6eb93de81fdf674efa5ef724ea73188b908b8ad32cfee03c656accb835683929311

C:\Users\Admin\AppData\Local\Temp\nsw8A9D.tmp\7z-out\LICENSE.electron.txt

MD5 4d42118d35941e0f664dddbd83f633c5
SHA1 2b21ec5f20fe961d15f2b58efb1368e66d202e5c
SHA256 5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d
SHA512 3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63

C:\Users\Admin\AppData\Local\Temp\nsw8A9D.tmp\7z-out\libGLESv2.dll

MD5 57c23aa2c39f11528e56a48ea1824036
SHA1 d4fbf180266eb210f8d83360cbbd3804249c60b8
SHA256 ee039e42a4948e9f26ece8515f3c699014fa7803ae597cd3427fa1548962f9af
SHA512 77487060b824cc70b30b30b144b8f174fd08ca6a298fd8c8f45d8417b90b7914a0d135edab39d6a5b2b883d49e9386da382a9ce5c52dc07ecd147f49118efa63

C:\Users\Admin\AppData\Local\Temp\nsw8A9D.tmp\7z-out\LICENSES.chromium.html

MD5 1ca87d8ee3ce9e9682547c4d9c9cb581
SHA1 d25b5b82c0b225719cc4ee318f776169b7f9af7a
SHA256 000ae5775ffa701d57afe7ac3831b76799e8250a2d0c328d1785cba935aab38d
SHA512 ec07b958b4122f0776a6bded741df43f87ba0503b6a3b9cc9cbe6188756dcde740122314e0578175123aaa61381809b382e7e676815c20c3e671a098f0f39810

C:\Users\Admin\AppData\Local\Temp\nsw8A9D.tmp\7z-out\vulkan-1.dll

MD5 47af18d68dc7cf271f0a92707f783f64
SHA1 64594e92a1cd7042cf6367b1843abed210db3d78
SHA256 d5df2f59cc8b32abd6178250e7d1370a7f37270cc727449e21778080b5e29cd2
SHA512 2e8fefeccc25e5fcb448fd874f99b8d1466a8148ffe80e1f6ac2105d18bb93e529681ff0ba38e515f52ed4df9ac091fee0782afe5e093fd83c3045a60409fc10

C:\Users\Admin\AppData\Local\Temp\nsw8A9D.tmp\7z-out\vk_swiftshader_icd.json

MD5 8642dd3a87e2de6e991fae08458e302b
SHA1 9c06735c31cec00600fd763a92f8112d085bd12a
SHA256 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9
SHA512 f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

C:\Users\Admin\AppData\Local\Temp\nsw8A9D.tmp\7z-out\vk_swiftshader.dll

MD5 583b1d71cd7b847ba02d734c508cd92f
SHA1 d63966aeafa951d51967620c606e9b97399699c4
SHA256 680ea3717671c896d516517ff322976ab708f18862135be4216a27ad57353dcc
SHA512 cbb0659ccac9344ed9bb151443a30c106711fa1b15234e6f1225ef28a679c6b3f0a24a6ca1d9baff46155c39ff4e08e3ac96e1da32d665be9a5728956012f193

C:\Users\Admin\AppData\Local\Temp\nsw8A9D.tmp\7z-out\v8_context_snapshot.bin

MD5 1e4da0bc6404552f9a80ccde89fdef2b
SHA1 838481b9e4f1d694c948c0082e9697a5ed443ee2
SHA256 2db4a98abe705ef9bc18e69d17f91bc3f4c0f5703f9f57b41acb877100718918
SHA512 054917652829af01977e278cd0201c715b3a1280d7e43035507e4fa61c1c00c4cd7ed521c762aebd2ea2388d33c3d4d4b16cee5072d41e960021b6f38745a417

C:\Users\Admin\AppData\Local\Temp\nsw8A9D.tmp\7z-out\locales\ar.pak

MD5 2b2dfafb0d258c1d2b58e51ae1ee9ab5
SHA1 2a538491ff4023d29bdf2a053447c6016138d9f2
SHA256 ea49bc2ceb6b185030eaa0ee0155feca90e632390417299113b02fbe365ff731
SHA512 6b629ed83edfea1b1ff3c379009332e413c420de651a24160fae859e1e0948fbebab99c9da714df6dfad3b9e472dece7bee95815ceca428183f4ac0bd6d42ff3

C:\Users\Admin\AppData\Local\Temp\nsw8A9D.tmp\7z-out\locales\el.pak

MD5 16bcd10bc81dd8a5b3ad76c90cfb9614
SHA1 240395860971fb9205d28602d4d4995007ee5c75
SHA256 6a06d1d6b566214f7c3b693052beec488f7aae5ceeca26781a5d66fade39388b
SHA512 353a26b21848f4dd30b3aa1f4196b23571e177893ec6912db4570493664ed987e688fd66c04e509ecc58233476ebe59453260bc3569136f275fcd681ae54a174

C:\Users\Admin\AppData\Local\Temp\nsw8A9D.tmp\7z-out\locales\de.pak

MD5 141045fc1f94f93e82db06db4f7321c8
SHA1 d63d226c531a710359cb65f4e6aa190f593b4d54
SHA256 47253e2fcf0e4691f29b3ebbe8f888a97b28d6aeaf73ab000857a6b8d0907ff3
SHA512 85c27fdc9a2cb9310bfbb05d0bcd668eb2156a37765d8fb59496739f6f1eae12afcbaadf5eea8f2db2ad8c8a0602f83500bff9cb71a429174a80bee16ec10118

C:\Users\Admin\AppData\Local\Temp\nsw8A9D.tmp\7z-out\locales\da.pak

MD5 0e4207e2cf5741a8968617df9174a681
SHA1 bf9b7558141ad30bbc921992e48d48cd6d6ab475
SHA256 438d2b1fd396c2108ca3902f69eeb372219edd5d95fe70970d8ee9e64556c9a4
SHA512 4ed8368013912c408f7e5f7b4f6f1748834e5506307b92f4b669c557efd27363a55b4e2918eb7707e798878c9492b765f24ab9c90e843f54e8641c4646bc72da

C:\Users\Admin\AppData\Local\Temp\nsw8A9D.tmp\7z-out\locales\cs.pak

MD5 70f320d38d249b48091786bd81343afc
SHA1 367decdcdad33369250af741b45bdc2ca3b41ab3
SHA256 1c9448ea3aefce1a7e1491e73af91af772d8b22d538676a2beab690558e668fa
SHA512 02b08ed9261fd021e367995551defaf4b4f54c357409a362f4d2470423644913375cac444f62153ec2963a84880a30a36f827dbfacdd76a6222838c276cf5082

C:\Users\Admin\AppData\Local\Temp\nsw8A9D.tmp\7z-out\locales\ca.pak

MD5 d193a3ac614f64f4754c9df5cf00e880
SHA1 0da0f7c1a4048074f6fe9d70704aa93ff75e42f9
SHA256 4ecfa3785ab52564e0bd7dda04d59a30163561588a04f3bd1b1b71de051d2c53
SHA512 e85d18951f9a1a86514d577f9b19a4b3727523c15b4ccdd17217f6fdf69a0e774a36874108a05de1be3dcee1720b0cb19eced2d3283f57f41f5f9c5e233e1c68

C:\Users\Admin\AppData\Local\Temp\nsw8A9D.tmp\7z-out\locales\bn.pak

MD5 c8173f0cc63ca9e02c07abec94892b53
SHA1 2688b199cc40bb2082247fa451eac1304608e48b
SHA256 e6adcfb4f3b3bccd4a27edadc168b503c36551cd6b27fb24043efeb21f691ce5
SHA512 3d2317430722dc15c5d938fa55235af1caa03dcff7a574b44d37d89e7cf2c94dd2e84518b3eeca4a5a8dbec1b99d94aed97429aaf55c63998002d50ce9cb5019

C:\Users\Admin\AppData\Local\Temp\nsw8A9D.tmp\7z-out\locales\bg.pak

MD5 0e8005b17ac49f50fb60f116f822840d
SHA1 f2486da277de22e5741356f8e73e60b7a7492510
SHA256 50e4f6b9c387adf4baba3377c61d99326cc3987928d8d60b88d1ac29352820ea
SHA512 5df18bbeabd56e70d4c5a80dee5b7ce48259000665941634937e556e3b3a1c6403aa45c410f6f755607549c9dd35d722987b447c50efca51228ffeca4628756d

C:\Users\Admin\AppData\Local\Temp\nsw8A9D.tmp\7z-out\locales\am.pak

MD5 4eaa15771058480f5c574730c6bf4090
SHA1 2b0322aae5a0927935062ea89bd8bd129fa77961
SHA256 b05dcb8136751aee5eced680a5bad935e386bfce657dd283d3ec00ee722fd740
SHA512 b67e7dd24eadc91d4cd920f8864cfb23a9c67b2cecd54ec97e01705636604ce504dc417d6af1c53f374b58eddf71a12bb82248bd8fd68307161d4833342681a9

C:\Users\Admin\AppData\Local\Temp\nsw8A9D.tmp\7z-out\locales\af.pak

MD5 862a2262d0e36414abbae1d9df0c7335
SHA1 605438a96645b9771a6550a649cddbb216a3a5b1
SHA256 57670eae6d1871e648ad6148125ee82d08575bec5b323459fc14c3831570774a
SHA512 a789a4cad72106a5c64d27709b129c4ae6284076f147b7c3fcb808b557a3468b4efe3ede28033f981335d5eab986532c0497ddd6ed24b76189fe49366692ee73

C:\Users\Admin\AppData\Local\Temp\nsw8A9D.tmp\7z-out\snapshot_blob.bin

MD5 d20922aefcad14dc658a3c6fd5ff6529
SHA1 75ce20814bdbe71cfa6fab03556c1711e78ca706
SHA256 b6bea91727efb8c88e7c059856553d3a47abd883e60dd60efc01b04dc6eec621
SHA512 dbd63a9f01feb3c389c11b55d720b5d689558626041fb1dd27ded2be602e5e2a8d210f785fde025d7b9959f81de3df7fef06981269b58be564df05aec190dd1c

C:\Users\Admin\AppData\Local\Temp\nsw8A9D.tmp\7z-out\resources.pak

MD5 0e69910860463d5045ec257234bd8dd4
SHA1 33c923c33129d1dccf0bb2dcbe8af983a7000444
SHA256 1d241f5d4403a6e802e898c61e4753f8508ae4dda8fcb7750558ec1ecade52c6
SHA512 f6bb7c7b51bb202877739801498522095637caf8a03e2e1f2c6319fede3d3ca656f552061e171ec5e35e176c267fe278c326805d760add1371590bed58e12375

C:\Users\Admin\AppData\Local\Temp\nsw8A9D.tmp\7z-out\locales\en-US.pak

MD5 809b600d2ee9e32b0b9b586a74683e39
SHA1 99d670c66d1f4d17a636f6d4edc54ad82f551e53
SHA256 0db4f65e527553b9e7bee395f774cc9447971bf0b86d1728856b6c15b88207bb
SHA512 9dfbe9fe0cfa3fcb5ce215ad8ab98e042760f4c1ff6247a6a32b18dd12617fc033a3bbf0a4667321a46a372fc26090e4d67581eaab615bf73cc96cb90e194431

C:\Users\Admin\AppData\Local\Temp\nsw8A9D.tmp\7z-out\locales\fi.pak

MD5 a9fc339d49ea069bd81380ae1fa0ef11
SHA1 5f376072f38e94e252d72c5660d8120a41d73469
SHA256 e6454458dfbe150112c37f8b02f8c72c593af22e8be16980ebc854ad113fb763
SHA512 3bee6723485a9eae4aa9bfd4e7fb490ce7a0aa12cbe41443b8bd28a26fe552cd31f4a1487bd98c6bc7774df1ea16b1de94ed0f52af59baf9e17b3db815404c4d

C:\Users\Admin\AppData\Local\Temp\nsw8A9D.tmp\7z-out\locales\he.pak

MD5 ec16b50e6575cd6863df282847cac3b0
SHA1 a59e089951c3a5dcfac165774c68651055b829e0
SHA256 c3955c97b6998f1806f8871fd3137f6f504bdd091f8bd1ff5ab8cd089474ae8e
SHA512 3c640430e3391be156aab26f6057e966348dff50ea946a02db947e2316d3a915c29f329faa26725a90af4d06ead7c7fc28cfa7573033b2b9546fd8e4d2bb7ab1

C:\Users\Admin\AppData\Local\Temp\nsw8A9D.tmp\7z-out\locales\gu.pak

MD5 a9e6d8e291ffec28551fccf4d1b06896
SHA1 adc9784433fbf2ee89bcfe05baea21beb1820570
SHA256 716ea0433e19edb5113dc8a25ae67c2587bc17c7fb63a93ac473bdcef8f72d34
SHA512 3a60002dc6a9008cac78bbc050fc36d1053bfbd21ecf4d0579b2780985d4e7a7aec94483d8b0b8dd7a899b8435d54a27bba68917a23945431183eda021722697

C:\Users\Admin\AppData\Local\Temp\nsw8A9D.tmp\7z-out\locales\fr.pak

MD5 59e1e573153a209c56ae3bcb390b898f
SHA1 45f8a5469651c032c453b14bd68c85cdd6c75fc2
SHA256 976622fb851378f57f81423e5625e40d0753d7a5e34caed2c39e4b130a3427b8
SHA512 91f1b88ffb9f3362fbab7d607a68c4ca65e6b89fef7de0c986067ef7fd013c0ce35bce328ff3546cb7aafc296993e46a908ac506bb6a141088cfbc5ead948ba4

C:\Users\Admin\AppData\Local\Temp\nsw8A9D.tmp\7z-out\locales\fa.pak

MD5 e2bee9eeeac231de237100fae0aa77c7
SHA1 5e5eeb59656e2f8f4f62bc618966d38cc06a385b
SHA256 7a856070430e3cfad15b96b153b1cb483cca9a1b9a43453df3707b09c748a3f2
SHA512 5593c4a48e679f0f6283c3bca69838f581b6f928cc7170737778458393b6b85fab0e6ca390bc5da840f4b79de9e638015bf341c1a95e8f99770886f5354ecff6

C:\Users\Admin\AppData\Local\Temp\nsw8A9D.tmp\7z-out\locales\et.pak

MD5 e7ea23d6304d5d600d884f4e3b3cb2d7
SHA1 99fbef7eb1bde7df398cce9faf6c7c357769334a
SHA256 292eb18ec61502b0e952b447f73a66143c56dd95f170981945e5aab53a6b32b3
SHA512 23dfa1161d11faf440241b1f48f2ddbc8ec086a8e18da351734656551f0f54fe4c94b490c0d3ecc378a3de7f7713a1626a7a6c21da2500b9597b44fd08197d50

C:\Users\Admin\AppData\Local\Temp\nsw8A9D.tmp\7z-out\locales\es.pak

MD5 d584992a0670c5771147c01266d17362
SHA1 d6e70e43585564d520e4b1777fac0b1e7bc6ed37
SHA256 f6a01c26bc18dcf701e1d4b6ff76602f14c4bb9adf9dd176c9107d5aedb4503f
SHA512 39db436a05955a3ad3b54ace4f2f0e8a313797d3ae8eda9cf1cab6f2ea1edba0a82c30f3b589b8c5399ed06e9fcf4ce9059d3d5a07472f05ab1f0819e42d5b73

C:\Users\Admin\AppData\Local\Temp\nsw8A9D.tmp\7z-out\locales\es-419.pak

MD5 088de6d12071ea5cf8d4a618ed45e7d5
SHA1 f12a76d18b84b17906f5f8cfc78cbb370b026b09
SHA256 d1019c780e836e0c30fe01928d23ecdd0ca04ed8ee886adb3428e3683e4ed6ea
SHA512 8da7326cf99cce53d7ccbec0c177ff9cf6dc0009431d6c89b3e8f0475bbcd0dac4c888460b535c1070ced62f1bf1c614bb0fbe9c5583e66c42f30d6e025ed7d6

C:\Users\Admin\AppData\Local\Temp\nsw8A9D.tmp\7z-out\locales\en-GB.pak

MD5 a1aa885be976f3c27a413389ea88f05f
SHA1 4c7940540d81bee00e68883f0e141c1473020297
SHA256 4e4d71f24f5eea6892b961fcda014fc74914c1340366f9c62f0535e9b94ae846
SHA512 8b6d67e09fbe7a2152a71532a82c1e301d56cdde34b83a9f17d9f471e258b255d5b2d4a0c39f38581da3a31cec24fb403156a8e493560d7206e1ec3db7e68b72

C:\Users\Admin\AppData\Local\Temp\nsw8A9D.tmp\7z-out\locales\fil.pak

MD5 cbb431da002cc8b3be6e9fe546cd9543
SHA1 19fbf2715098fc9f8faba1ac3b805e6680bbcca4
SHA256 ab107369d45e105a4cb4f2f6bc8da2a8c1b6c65d5e94a7ab3e703e619c083dae
SHA512 3cabbfd021e5814587dad266c4f5c9f624e9d9278f22658dafd65ff2ad2bdc5f6df8a8672614b296cea826819211e12f8e77f183007c0a79075e2f0980b99911

C:\Users\Admin\AppData\Local\Temp\nsw8A9D.tmp\7z-out\locales\hi.pak

MD5 18bdd1d8d1d5c6a5fb2678abaa1ef6a9
SHA1 e40602e86e758a518ec70bb6a9cfa23107955301
SHA256 1f49622ec6682c90e03fc42c319074565cf9d3532a2a4e3798e2f6cc159b2e8a
SHA512 c859118e7c1be0642ba9bb1112a98a8fa7114a00711f578971a55aab7254b1ee9bb3899c852b79a002596f29e02f487267aca7033e38cbfd14c90b2989b9595e

C:\Users\Admin\AppData\Local\Temp\nsw8A9D.tmp\7z-out\locales\hu.pak

MD5 0b62fc2b60b8a92dc506550339766139
SHA1 abf0b1ae99ae40d87f86ee04bdba467674fc1039
SHA256 6ca150d0fc35492bafb411bbc520f3b34da6399969fa9685ae74201623882560
SHA512 aab6058e2f41282ac5a9394cdcd503efdeb6b9eb8b9a64cc1215e31a806e60a34966b6823f91a97bfb81656d91ccfef3a226165811e6f4208fa436e1d04c1242

C:\Users\Admin\AppData\Local\Temp\nsw8A9D.tmp\7z-out\locales\hr.pak

MD5 d80178f9df2b72a24a7dc58b5aa13229
SHA1 cda864bbfc6935cb4e3e30a6eaeabbab5264d01d
SHA256 e442d083c32d752d1ef2225d84a4f1a91efab768e86fc63a7ed22c10fbf7e520
SHA512 c08380fc0c415a529a035e6e9c0eebc719766c656a3d9e3a782f21b4fef320688e1d11de8c3a5d0e59a102c9fbadcc960478a17c534500e137f4cb0e697ec9b9

C:\Users\Admin\AppData\Local\Temp\nsw8A9D.tmp\7z-out\locales\nb.pak

MD5 bf9bfdfab1479bb52254329d7aa229ff
SHA1 cd9ff35321731b839ea6e5f31f5de0bfb475666b
SHA256 96747543d9b2dbfb4482d4c24d7818d366545b2476633ad4fec8cc958ab760d3
SHA512 ba8e62d0a87c532ff46f2129724dd2f1bfdebd99c2606e0b9608cd07841776faeca15d04ec6241020c232d4c07809d718f40cf4ad9231d6a8996d55973486629

C:\Users\Admin\AppData\Local\Temp\nsw8A9D.tmp\7z-out\locales\ms.pak

MD5 d22cfc1b78320157685839f14253fa1d
SHA1 0cfcb5c176d708e26bbca2427be611ce6609eb93
SHA256 c7b56e9ca2f75b4414c13144ff4deee1459c2a7cde79730d863ab234cd4c2f8b
SHA512 2eed40c50a63e362dfe2f172d16e4545f5b19c673e71db674bb004e4e6a4cf793ed4a44ee80d86b05aaa6cc4356c207476afdedc2b35017421ea9b9fa6ebc81d

C:\Users\Admin\AppData\Local\Temp\nsw8A9D.tmp\7z-out\locales\mr.pak

MD5 f26bc5673e02a93212220d71cf1bbac2
SHA1 8d0ab40fc2b35b75f99538951acfbf6a348c73a3
SHA256 0877f2e75e0b9f5e709f0a0bf7cc793a02ff5bbb28bd6a8b6b6012760c1bbff3
SHA512 9f3a629dfa116cd92892d120f0fdecc5f57043dad232311bdc8c218ae9317f49e655b8b8dc8399639231f2321013190a667d22b6b2735bbcbc375c438dce9aaf

C:\Users\Admin\AppData\Local\Temp\nsw8A9D.tmp\7z-out\locales\ml.pak

MD5 b690b0f01954735e1bcea9c2fb2ac4e4
SHA1 8d98860e202b15a712822322058e80a06c471bb8
SHA256 83d187cd70048f4129fa65ba148c74a04a47ee1f14218e7c85b36fe83e87b5e3
SHA512 786f08019a0917d0b3f29aa2d1885db6a6f995990fd8faaf41a9630f8347b4d210a844cc6690a41b4af37d60e11f41fd2675df1a01bab5915e20cd9bc69b4541

C:\Users\Admin\AppData\Local\Temp\nsw8A9D.tmp\7z-out\locales\lv.pak

MD5 393c296fabe0c4c64a7d6b576d7d2cf7
SHA1 16c0605e5829cde9738e1cd3344a59b74fa1f819
SHA256 91642c04de64f88a5c49b4eeaf5d627554e60d56fc40e7cd58cd2601b0d3dbf2
SHA512 067cccb059d4526c104880a26ebf04c7e2498c49c5641abdc91785e859bc0be1475ec58cae9ad1eb076f26fb9215ac246155e123baa13c06a05e4f22a002c2ad

C:\Users\Admin\AppData\Local\Temp\nsw8A9D.tmp\7z-out\locales\lt.pak

MD5 edb2c872a4fec5367cbe68035ef0ecc7
SHA1 b4d42bcc83c98dda1ea2ef962d097f6fb3d25c71
SHA256 1bd385b780f3d13d41f8cf782a322e37be889aee273ffde3d8959e0ebcaabd0b
SHA512 dd801a1aac2242e3f532e968b4c9639a2c8bf3eccc17470d9aa8bd6730ae4be3e7276fb782c7908bb6f87d3ade20a40c644b9db5d2201d96d91fd95ebdf429c9

C:\Users\Admin\AppData\Local\Temp\nsw8A9D.tmp\7z-out\locales\ko.pak

MD5 cd2310448ba6689cc73d0b2e6dd2791f
SHA1 7827179d3fb98a5abc2ad38e20d942b83b397235
SHA256 cba6b7633cce796407821264e176a6266f80c1799ade16bf16893d68144236c6
SHA512 c3069bab640ae43856330bb8b3a0e0a4ca058a68a0fc03b8efc0ce1dc2b517f11380fbc641221e29b4a527d685ece72107fb83cdb9b539390eaf6a30c21bf36d

C:\Users\Admin\AppData\Local\Temp\nsw8A9D.tmp\7z-out\locales\kn.pak

MD5 59e6642f09ce97cfa4a4173413a1b036
SHA1 777a96a4aefbe138f26c8697e66633452285eb2c
SHA256 58d16195170f76e40e18ee0ac2e10e1b73bcfd083821158927a7d67a51bcbc42
SHA512 66deb67a4ce1914f5f27bb6423e5be62e05d0a36320accbe653572a437ce033ed5d26858a62d8c57476b34e1718d580f34ab44a3886d8d22d17f642d70f0138e

C:\Users\Admin\AppData\Local\Temp\nsw8A9D.tmp\7z-out\locales\ja.pak

MD5 dfd5ab27c326a1e1f87943a3079a2af2
SHA1 3aaa73a6668e1249e4d51c8fa8e0c6868fde9da6
SHA256 8260f4c9500b64d541386a8515fd0c9ddef82e3f044951b7b51a33ad81c1128f
SHA512 d701674fb6e19bcdf297b19a9fe3b81c7f446019a8c2fd3e90e19294765b1e8ad4f0e40e4bac65b2db313a4f83eb050b5871ee4d74f9ea372208b7abd76c524f

C:\Users\Admin\AppData\Local\Temp\nsw8A9D.tmp\7z-out\locales\it.pak

MD5 e0e5580e8882f0eae4b5b21e6c7828d4
SHA1 51e32e51458b5839112ed9dcaf500403c45ac1cd
SHA256 a7f555e7e797e1de1a66cfca8c7b709b0e542ca62e7de96e034701fcef316d0c
SHA512 1a2a4948a5538158e6dab7ca7b3b780ec7a66a0aadb889fd451e07b32336ea08b88b5d57759e335fa967f3b4bb1282e952b97e496d798758159c70eed2e5acb2

C:\Users\Admin\AppData\Local\Temp\nsw8A9D.tmp\7z-out\locales\id.pak

MD5 6a406a9adb5c25e35c6838828ef30c17
SHA1 2a1ea1dcb75217ace04254644845cd038df6a980
SHA256 af63384cf7d1d39e57decd823dff7538ab2b1e7e36e9ac61238477f7889d1d46
SHA512 ac7afa288b768a730027db0780b0f7c9f42ef990e4e22751ef1dc85e4841579a6e252293fb04d61b0cb591ccaa5c74d37bbd380afa15308c80ea32070019a361

C:\Users\Admin\AppData\Local\Temp\nsw8A9D.tmp\7z-out\locales\nl.pak

MD5 b525894276852be4ab42ab7044fa164f
SHA1 d3d035522265718def8125f5c4a1d3e74832dc2a
SHA256 c7a18764ca908ec7f66c48cae2be06fef95213d7a5580b45f9bacee474456167
SHA512 36b11f1df92df27b007fd640b589c6b7b30cd889bc297635bdaa40bfcb4332ff20911edfd23ce74c1c8963dd658f77bf4b9af50d3c281717f58eb23a598783bc

C:\Users\Admin\AppData\Local\Temp\nsw8A9D.tmp\7z-out\locales\pl.pak

MD5 7b5d41611b92b24ec8b36b66feb11f9a
SHA1 3d6c36f404c29d59a24970585931860453f5c88a
SHA256 69e16e41f5fe7fa18557b938874f20cda6879f3cc616ead9a815c1381fe94158
SHA512 16ba52cc799132e4525d220ed595d3969d4cecf163ccea6b62fe2211003b0cc44090c4d384e9cc4e32800181b7f7e0810da5a0d2c908f4625ff8382cfa3c177e

C:\Users\Admin\AppData\Local\Temp\nsw8A9D.tmp\7z-out\locales\pt-BR.pak

MD5 8dabbceb430a6bc190ee344541fa8e2b
SHA1 44c7da04bac8c9ee67c8d6a0eeb491cf7ffd2479
SHA256 6d54f87f6c8b5e01bd0da9a961236344e95e85c3dc55fc92a34542777d6f6275
SHA512 4d36d527f1769501d1fce208738028d5ba142716a6243798212d5a2403dc5c950dcb3399e571cf3a11b1f35d845a6ba6798c38074d0ed66c894b1c18ab800159

C:\Users\Admin\AppData\Local\Temp\nsw8A9D.tmp\7z-out\locales\pt-PT.pak

MD5 4816d83e54beaa2f94c671d56361c04e
SHA1 5cae66c0b7079d778ac87ad48777afd85b172d2f
SHA256 a903ca2a8e52f987e23d040de7403b58d925a6c39668d3bc0822fb2aadd34cb1
SHA512 0d3a39e1205ce9366818cb51d38db035b80448dc1e2d2d6bbd7d5df693641582043b45b4a78bbf2334159616187dc85a51e623bb6878b1498d9bc7acd2a6ffab

C:\Users\Admin\AppData\Local\Temp\nsw8A9D.tmp\7z-out\locales\ro.pak

MD5 938e62fca60d7b54e9c54cdd1f745f06
SHA1 5a61a1ef3ae855ff436c5d7f45b6ec271a5228aa
SHA256 82e69f505222125ea62f8e90d8030d82a1bd49871192cb4274a8fd9d0e03d577
SHA512 d3f43881fc951c961cfb34babaa6eba2aa9175865dc07542dc529ab1c11d15703c03a7e8193c004b004d13f0a0672bccb2fcdd1cd88f32add159c337281d6d5f

C:\Users\Admin\AppData\Local\Temp\nsw8A9D.tmp\7z-out\locales\ru.pak

MD5 9ef6fd52dec5613f9e80204a84c7f2ba
SHA1 fbb8c9db815126fca3c62c810432a71b6965f2aa
SHA256 d0068b9ddf8a9e6a5b1186bd0e00ed9f09224ed56ba7e653e2d54158d938c6f2
SHA512 0fb442ef86f75ca2cf58a677bd25ffb7c420f98250fac7f5f25e2272d4e7dc505a5f3eb3665b62bec189496154b05a1462b6f17a0e9aeafc1517b71e2d813953

C:\Users\Admin\AppData\Local\Temp\nsw8A9D.tmp\7z-out\locales\sk.pak

MD5 fd001b1b02597bbf16baf3f0baf3c6e4
SHA1 e4c703fc115e02833fe08caab1e62775b5812473
SHA256 f9cd222838721a618c23c8f6493bc9699c795c0063998f1a8d506b4b7a297cdc
SHA512 0ee991da6b8ba1bcc3cc27abc645af43bb93edddbf182496aafeeb401d71ae10716335ee0197f1987c21b3abb441aaac968b9a76e75ae77fcba4cc48847f5b1d

C:\Users\Admin\AppData\Local\Temp\nsw8A9D.tmp\7z-out\locales\sl.pak

MD5 ff14d5f9484350396780bea7f3bc64ec
SHA1 de097f12b70b552824de69141d6ee1969275eca4
SHA256 b174c4c49654f7d65d223568c700bfaace74238447ae63171787236ce2aab00e
SHA512 011bcc3980d21e0900d1da334a28b72623b22b527a4fc3d96a8f78fb055dc87cd1433a63d8b4414a0a86cf2ded5833a395214910b17433a0545e04d1ce4875b8

C:\Users\Admin\AppData\Local\Temp\nsw8A9D.tmp\7z-out\locales\sr.pak

MD5 5d70a218b7dcccab0406fa9239ef800b
SHA1 cd231758f84a0d56545d0a234a58757a18a58d0c
SHA256 a2bc6b064ff1f7b15707f61bd76ddd9d889bd982c4182e9e74272d39c6235c85
SHA512 ef6f71e0d9782b5ed6706d9226c1a7fb5a4323b8dc8de25737c7dcca87d04c16b545372127670de312079be993823f565de1aaaf5ad833bec5baa0856c19b0f3

C:\Users\Admin\AppData\Local\Temp\nsw8A9D.tmp\7z-out\locales\sv.pak

MD5 a813b566c9e630910e6ca946defb7202
SHA1 2e25d2479715a572c096ce19b8dfd7a6da5339eb
SHA256 48a71912e4843b03358fede7176b2e57ced83d3a1344a92b989886374dbded62
SHA512 b348404135e147cef93c246c826107f9df170b294e9d0cbf576d2812d0ff3d2b7794ab5aba55cf729fcf7135a495d2ff591db62fa61e2998290ff02538a0e48c

C:\Users\Admin\AppData\Local\Temp\nsw8A9D.tmp\7z-out\locales\te.pak

MD5 d262c33a8c2b4949dff36cc1980e5f05
SHA1 e1ad725c388c4a1a386b4ab6170601863c943c29
SHA256 09ab1ac2b69f868539d4f2e59dfea8c3c2f418a5455777e4c91d13c5ee55ab4c
SHA512 0202f6ac32878926422d542ea96b0bcf8b168f8ec6b928121c368711856fd5f4781a24b15851cdb5892246b355d0dd37504d4599b24e9fe8a723b8dfbfeed29b

C:\Users\Admin\AppData\Local\Temp\nsw8A9D.tmp\7z-out\locales\ta.pak

MD5 d50aa6815b63aff8c443622cb8bfd849
SHA1 fd247855e6e428109e7bf2e0018580cc6e0663c8
SHA256 6348cc2d385b9808fdf1b815914dbfb26f552da4d10f85b2613a5e6e9f95b8fa
SHA512 620e2f9ab9998c68d667e32ad9bbfa2569f7a60fbc2a67d7492c6c215af2a1037708e38b4ed7932074d29a140581fe0ffedddb362133a941966044b98eaa50db

C:\Users\Admin\AppData\Local\Temp\nsw8A9D.tmp\7z-out\locales\sw.pak

MD5 9808a9df2da0844b1ce1a2a4213c48d0
SHA1 541f24f006ddb3361ff1e5015f097ab799120fc4
SHA256 1949953d638f266ce74d84c020174c074780166b880e7c2ec38bc6047bbb8ecc
SHA512 66b256e02ce11ea0273cc5bfa78e56faf8b250208d1e868bf4af77cbefd1c891708573d63873a5d02436f884544a6550176afcd3a8220cd35d64b88987e94404

C:\Users\Admin\AppData\Local\Temp\nsw8A9D.tmp\7z-out\locales\tr.pak

MD5 193f0c0a8218f05657e2590ea4ee6004
SHA1 dd3ffd7f67f72de879903a231271c20aee56f695
SHA256 676d46d19d1673eeff4f5e908aec3b53a6273c440e69e7d655ced6c70531cb9a
SHA512 28606d710d44c9a82c2849fa5ef989bac1afab53cdea99a825f80aa41dbd38a9ad6f0f44935f45439922ca2bdddc89c61f8ffcb999aa13fa45558551d5216e1d

C:\Users\Admin\AppData\Local\Temp\nsw8A9D.tmp\7z-out\locales\th.pak

MD5 a4d1594635d26330ace7054bc025b76d
SHA1 bc4874a6a3b1d1886f05858ef2f653ab3520451c
SHA256 f06a45f0395c3e42e42c46de2c19a2a104661b47be6f9ee97f8c68b05706ef1e
SHA512 731485b139ba0ed80dac5e582ec36f53a805a867ad33551741b805e851a9d2356fb1894232395d4fdb200defc988bcf6d51e58834b542c398c1012e389953a3d

C:\Users\Admin\AppData\Local\Temp\nsw8A9D.tmp\7z-out\locales\uk.pak

MD5 83e5f0092b6d72403b60fe0e1e228331
SHA1 989ed480b7ef55dfc9ccfbef1a5b9b0e104693d8
SHA256 29d68d90512ee9952635c7e074d5ab210531d93ae24c11a8f91bca20b685e9a2
SHA512 9895928ee516db7d4395b2788135a814031b9ba45e3a837e633bc253b08d6f380e4078d4d3fd51ae37502a39ff45a0166969fb62365e890f4960a51040b20941

C:\Users\Admin\AppData\Local\Temp\nsw8A9D.tmp\7z-out\locales\vi.pak

MD5 e088be14dded779f50feabc4906d5ae7
SHA1 0eeca2c7ea82a03b6373c84adf1a890f29e18b05
SHA256 25aeee59775ae38b21a091107022312fc228f96dbea906042bf3626b7cf86b98
SHA512 af9d1e415a6d06c28df9abaae1f337bf4dd3e323dfd5560df5fb35d01c6801b9145072ee85ab4c524c489fb6cdea956ce327b8c4f6820197d76fc2f33171ca3d

C:\Users\Admin\AppData\Local\Temp\nsw8A9D.tmp\7z-out\locales\ur.pak

MD5 29403f3d5c8f6ae2a768de2fbe8b368e
SHA1 da83015565980ea1a24f5493be6311f06427269e
SHA256 2520ba8471c840aa075075524c4ad2bde10f43fa7a1b623aa14555180ecd30ef
SHA512 a0709280adec39633ca19daf9f8bac6c17a999101246778a63cd9e172dbea2f281b20ce197290c4af6c7601ee7956da42f17e31461a1bd8b8a4bce3c36dc87b7

C:\Users\Admin\AppData\Local\Temp\nsw8A9D.tmp\7z-out\locales\zh-CN.pak

MD5 d1145f2dcb13c5ba797df5a0792553c8
SHA1 e8d9604300d6413fc896d252a0261be2dfdebfbd
SHA256 6a9a1f5b7674da36f20cb76af7e3e75e9e56873539e8a3b32895ebba439af83a
SHA512 f54adffc7d40866fd53dbb238687116d46354f79580877b5d4d93840494e604deaeaeb7e825f6a00d020f3c58d1fb9df8af667feb64c86f243ecab57765623e9

C:\Users\Admin\AppData\Local\Temp\nsw8A9D.tmp\7z-out\locales\zh-TW.pak

MD5 1eb532e97b84db33a50055bbd7d36200
SHA1 7aaf0560a16a9754059871a000d237964f3ab0c8
SHA256 6a43c8fac5a0ce7c7a21b30ac7bc2167488e17c81c76c00f0b92b49e9e46e469
SHA512 c946d82bd6ced6e61b35acaf7ace1a61f226c4891caaeeeec9ce4a3ab45e6f43c35dbb388d6d5fa925ed020d7d10f951fa2048269d0585ad3b723f5ad8f4eabc

C:\Users\Admin\AppData\Local\Temp\nsw8A9D.tmp\7z-out\resources\app-update.yml

MD5 5ab26d764b9e538c30e528ca22d50cf5
SHA1 b39c4fedef9093ff3d5b0c5cc9c54346ac443fc4
SHA256 5058dc7a797049675e6280cc40f52a6db6c2a75f2db17cf77d20266779a8baee
SHA512 91f5ec99608214e6080e0f22683f2055847ff4d34546af432ea67fcfe2286c67d9c0aef3e75d224bafbbfe0ed9598b7b836cb5802e571aa3481f1be1e1a90430

C:\Users\Admin\AppData\Local\Programs\meet-app\resources\app.asar

MD5 724b63c8db1251fda40113e186f29ed1
SHA1 747796abacf4086ba8019a014102cb32ab016932
SHA256 e6e9873810e22450ca1cc4f537c8196f142e58c5389b23d1fbaf0f3380d0d587
SHA512 6dff8c8d394849dd8fe6102a3f080819c77d100784600fa14d5dccfdfbb6165b362147419bfe2befdb190f4e100e4567138b9fea976899d99d6e7c837fff705f

C:\Users\Admin\AppData\Local\Temp\nsw8A9D.tmp\7z-out\resources\elevate.exe

MD5 792b92c8ad13c46f27c7ced0810694df
SHA1 d8d449b92de20a57df722df46435ba4553ecc802
SHA256 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37
SHA512 6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40

C:\Users\Admin\AppData\Local\Temp\nsw8A9D.tmp\7z-out\resources\app.asar.unpacked\node_modules\node-api-dotnet\net8.0.js

MD5 db807a4f6ffd4bee1327dc55e7040d8e
SHA1 76f48029171e04246f7faaeca099574e894de189
SHA256 26d7611e2788fbe809a0fa558d9e35e9a1c352c3610187f4d4a28229f89d223a
SHA512 15be60c794ae4f2770407ad262c8dd262fee6fcf1d04bef5341935ab8642517fe029b9ba2078c43c029a15e740b62a935ae9646b18055c9f4712a9b88af6f3c5

Analysis: behavioral32

Detonation Overview

Submitted

2024-10-27 13:18

Reported

2024-10-27 13:22

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\node-api-dotnet\net472\Microsoft.JavaScript.NodeApi.DotNetHost.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\node-api-dotnet\net472\Microsoft.JavaScript.NodeApi.DotNetHost.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-10-27 13:18

Reported

2024-10-27 13:22

Platform

win7-20240903-en

Max time kernel

119s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2684 -s 220

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-10-27 13:18

Reported

2024-10-27 13:22

Platform

win10v2004-20241007-en

Max time kernel

134s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4948 wrote to memory of 1368 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1368 -ip 1368

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 568

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 69.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-10-27 13:18

Reported

2024-10-27 13:22

Platform

win10v2004-20241007-en

Max time kernel

146s

Max time network

159s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html

Signatures

Browser Information Discovery

discovery

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2472 wrote to memory of 4528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2472 wrote to memory of 1260 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2472 wrote to memory of 4996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2472 wrote to memory of 1988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffccf8846f8,0x7ffccf884708,0x7ffccf884718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,10109970634101760753,5522132580119192129,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,10109970634101760753,5522132580119192129,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,10109970634101760753,5522132580119192129,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,10109970634101760753,5522132580119192129,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,10109970634101760753,5522132580119192129,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,10109970634101760753,5522132580119192129,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5100 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,10109970634101760753,5522132580119192129,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5100 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,10109970634101760753,5522132580119192129,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,10109970634101760753,5522132580119192129,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,10109970634101760753,5522132580119192129,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,10109970634101760753,5522132580119192129,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,10109970634101760753,5522132580119192129,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4836 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 4.242.123.52.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 69.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 69.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 13.179.89.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 d22073dea53e79d9b824f27ac5e9813e
SHA1 6d8a7281241248431a1571e6ddc55798b01fa961
SHA256 86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6
SHA512 97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413

\??\pipe\LOCAL\crashpad_2472_TNDTIZUWUDRIAIDK

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 bffcefacce25cd03f3d5c9446ddb903d
SHA1 8923f84aa86db316d2f5c122fe3874bbe26f3bab
SHA256 23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405
SHA512 761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 3f701543b645dcad24dd0b15289a2f51
SHA1 e645874de0133e9379c796c2ca5ee5b31b8f350f
SHA256 7dd9eb8140f3f223f5eebe008f3992d0a523961e6f2fe2b361604f2e8f26dbfd
SHA512 39238e999845775840727da578b7cea0e9207bf84dc781492c9582dc364e5deeacd3e5bf88e1537ccd0951ef505cf15e853a7fe5abb91c535ff5fed4429e2309

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 da66b26d3aec2f085da77814caec98ea
SHA1 bc9d733089c2479dd7ef2fe3d2420cf28e46e0a5
SHA256 c63c4b5c1bc29c13d1bb5b7126692545d3616a2f02f35fab6d8709bfc146aeef
SHA512 7373949743a5b1388ac18f79f9002451cc48e9ca13b46f6cf4e240a8cfc9dd51922c5277f9d0e7008eded88211213ea9c427de1e192eda58360692d1d109c6aa

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 af2ff276703e419cc9fdf8dfb4caa5ea
SHA1 c52ddca027f63e9bc3ec328a8d1085f174511a57
SHA256 b64d8b04bed555056adcf446a963fd64a383e97125eddc00b21516973cdd0dd6
SHA512 2752344cb822cec59e4ca775f1a4360a56f338475a76399c8a1d16b51401721d0f590dea49c95a6303dc5ebe977d53ad3ab48df441200c581b7316efcde11f29

Analysis: behavioral19

Detonation Overview

Submitted

2024-10-27 13:18

Reported

2024-10-27 13:22

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

160s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 69.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-10-27 13:18

Reported

2024-10-27 13:22

Platform

win7-20240903-en

Max time kernel

121s

Max time network

131s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\node-api-dotnet\net472\Microsoft.JavaScript.NodeApi.DotNetHost.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\node-api-dotnet\net472\Microsoft.JavaScript.NodeApi.DotNetHost.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-10-27 13:18

Reported

2024-10-27 13:22

Platform

win7-20240708-en

Max time kernel

119s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1300 -s 220

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-10-27 13:18

Reported

2024-10-27 13:22

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

161s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3dcompiler_47.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3dcompiler_47.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 69.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-10-27 13:18

Reported

2024-10-27 13:22

Platform

win7-20240903-en

Max time kernel

119s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\meetsee.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\meetsee.exe

"C:\Users\Admin\AppData\Local\Temp\meetsee.exe"

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-10-27 13:18

Reported

2024-10-27 13:22

Platform

win7-20240903-en

Max time kernel

120s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-10-27 13:18

Reported

2024-10-27 13:22

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

158s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 105.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 69.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 13.179.89.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-10-27 13:18

Reported

2024-10-27 13:22

Platform

win7-20240903-en

Max time kernel

122s

Max time network

134s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\node-api-dotnet\index.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\node-api-dotnet\index.js

Network

N/A

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-10-27 13:18

Reported

2024-10-27 13:22

Platform

win7-20240708-en

Max time kernel

118s

Max time network

128s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\node-api-dotnet\init.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\node-api-dotnet\init.js

Network

N/A

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-10-27 13:18

Reported

2024-10-27 13:22

Platform

win7-20240708-en

Max time kernel

120s

Max time network

131s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\node-api-dotnet\net472.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\node-api-dotnet\net472.js

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-27 13:18

Reported

2024-10-27 13:22

Platform

win7-20240903-en

Max time kernel

121s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SpiderBanner.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2504 wrote to memory of 2524 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2504 wrote to memory of 2524 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2504 wrote to memory of 2524 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2504 wrote to memory of 2524 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2504 wrote to memory of 2524 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2504 wrote to memory of 2524 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2504 wrote to memory of 2524 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SpiderBanner.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SpiderBanner.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-10-27 13:18

Reported

2024-10-27 13:22

Platform

win10v2004-20241007-en

Max time kernel

139s

Max time network

146s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3148 wrote to memory of 392 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3148 wrote to memory of 392 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3148 wrote to memory of 392 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 392 -ip 392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 392 -s 628

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 69.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-10-27 13:18

Reported

2024-10-27 13:22

Platform

win7-20241010-en

Max time kernel

117s

Max time network

141s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c01da0097328db01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{34B77CB1-9466-11EF-ACA4-66AD3A2062CD} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e78a69453f00554b9c7935775bae7b9600000000020000000000106600000001000020000000f6010e25c613750fff1d3caa9f1586e4bac77ba07378dfeec07396e62a0167b5000000000e80000000020000200000001e49ff2b59106577d59cdc32f18396937e8044a464353cd4c8cddaf3ffb1508490000000239f73d591d1f6d35cea3956e60abe714c7fc8d07211e0cb69fe95f48cf1bfda665a4d36be13cfee375b6a099ca4621f4b4253ee12ace22a5502649769e92b1c480d55017f80b2bb4b146f35f53eff2890a426548d5a49f286fc939dabaed9756f752e29956ed397dbcbe78714c92ae8a808baf95737f47cae079a1a1f5681a3089666645bad99eac0e1b5158d9ddd8040000000dbf4868abd7c511c86fec867e8bc2e3f28da58bba7b700fbf32ae8e9a7057bc9f428f792a83298731d01f5c24df67c2ea64e9a06ce33c26caca56514a1fe93b8 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "436197084" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e78a69453f00554b9c7935775bae7b9600000000020000000000106600000001000020000000ae8f951c3a336cf67decf85c3ebebdc4c129d1deb034bdcd52536a09ff3b6ad6000000000e800000000200002000000091a05adc7987edfa35814f3b79b45cc6014d19f173683aa95f9faa4eac2837fa2000000033703fcfed1f7620f364441825ee7935c394128d173ee06c97a5420b052e63e840000000bc187d1f9aedf899f9dcb47bb4d5ebb397a6fcffeedbf0e26f76f676f054248bc9cf3a01c4292a7c63ebe78857f38f719ca6fdc2aae82b1a4283654419628a40 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2864 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab37F5.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar3817.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8f9e8b2671dd23599cfcdb7a05d3e10d
SHA1 a672803abeda004d2e6501b76c906dcf9177cbd6
SHA256 24f137a6d4b3c7399b17e0d35a76b91f8d89656e49d2a054383c49d1fa90292b
SHA512 edb06015509177dbf1fc2152adcda741dce702cdc79b5e56d41ce71c07b159ef7193b8ee41dc1a15d1f9c411ef89229b6a672db9e0b3ae90bd17b795bea12e24

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5f10a5b26c3122d68bc43720d84f5b38
SHA1 1cab59effdda6d0428d3571f43068e9930798068
SHA256 6893dfe4ea64531828e6b2186102d167e7546f8acf63c5e834d1a13bb7c62564
SHA512 9e71b3013a908755ad1a4d090180bf1c901754b886a0443d322b104e6238bd4ffbcffede54cd0ea23b209d4563a27bb41699786083ef2a759a8b4ca756a642ed

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d9cd9ed16e22b0b52a84160ba34e3f24
SHA1 3c6242bee1fd832df20a8dc2bc5acd6c5c1875f4
SHA256 d7de4810e3cc4e0dde35461c8c14d99b9a0856eac3c1d6ec5473fd57ec17ad2c
SHA512 2c2f33a95fd610b82aae405abb2d41e194fc155ebf21100586eab525e5c556e4d232d98ae821f2ccced8d3144fb1583691e2a814cf6fab3ec79ebf2405f9c1ce

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 df8c61cbeb814d05c00ce81daf8fe77e
SHA1 d28b435429be2162b993bb385b964b8894b3dc08
SHA256 dcc1a1d46311d80a87231dcaa6c68e75edcf707b946f094beb83f83aa74efc2a
SHA512 53bf6c05b27d13fc6965c02a2e2b0e9ce8646c08b6a8d763d13ae9c6fdbfc21204255d2a4aa1060fea6f64b5e4bccd64cfe77ebc66e96094bb0d31fe8ecae8b2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0fa2c40e223d73a5b021de88c901b549
SHA1 ac6964fd6f19dab26c8ab5936f5c1da07ed3c1ea
SHA256 0f4471af6554c71cd87c46ed3090feae90d88688b1a8fcdf05b5769eb003a3ca
SHA512 9dbc2bd5f7ecb8a72952a1f64fb8858d7bda71c30cfcaab316c74bcad023cbd5b00364b5cb9bc318d90341be3e310fc129387cb37cecd6610fed8ba36dcc9de6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9531b7e1584583fac34a9929e6c5ca8f
SHA1 b568b54b226cdc692ebadd95aa835b5627917575
SHA256 a492b710d2e9785a6c4ce7cbb0be3bfcb406fc65e44f238f23edab16ceea7455
SHA512 d82f58d3050b85470b976e5b34913d10e9d435074a15fd15efdf373bedadb950ec665123f758588d6c4758bcc7a5ad4fa1601a34705446e9377a906cfee0b60c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8b83adf63f91628228555ab691e08ab2
SHA1 b3f40eb59e564108e238c7879e782d008b905dac
SHA256 7972b85a2f855506ca4a417255cd0da067c2e12fff726844045b1df196b8246c
SHA512 17ab9d89af2265222c1ed5b59d9863c8687d3566e266ba01ac7e87bab46c6426c1e2c052d13fb0bbfa085c6aa5349f064c5ce5e51b5904be023330fc396def38

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d5835aabbac5fb5c31d51b659af3a460
SHA1 e756ad62f1a5cc11fb4f342b473062854bb80d7d
SHA256 2585b6d3b1f697919113c0d93ef4405ce6d5c471666cd3f444d62d1d57490959
SHA512 3f29c00c60edf1d13eeca08ee6288c752aefcdcc7c568c363189735730e642cf87a2ceb166cc49de36177b6046342f82d597c84f11eb09e6597a39b79a88ffb5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8f870a67b4b667f838e0da474526cbae
SHA1 d17b81c9670e103484e5e9b7db18ae318080ed4d
SHA256 976b7a7a7fb2a4f3ec374645ec94b37994af484ce1b0c6fb28138ed777fdd49d
SHA512 7aec211894c9014739e74fd2274b64005da302133d82b9de4f28471a4271cfebb56a4e26106944d6c47932cc54df4b428717ba3bbd9e0df2b230971ce94e8793

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3e769423610c925085a9d89cbac0400f
SHA1 7989cbdd73bcf8114f16600bde1cd00ed6dc180d
SHA256 a757954ce3271fbead2978ba0076163c47fd96433ed8400bc4422ee1aef5b1b9
SHA512 7951b5d1965e241cd662caa938844701d0ea0ef1a22593a3c5eba6298b1ce1a4d98e74e3ce09e6805cd7e97779b52cf915fa7e0325cfe554e2960e6e4a5d276c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 851ee8aaf0f334dc408e214c8035dc0b
SHA1 8031a8ac1e052d7b0ed80be74d15a5df10913a38
SHA256 47ce0cc5c5d5fa7361c8ed7c26c9e53aaa68f45bb1385b86a009a94636886ad4
SHA512 afe28d183649672f10f56c16b3dbfe1cefcfffa55d750c372f58f488f6bd782cfa548589c3727dcb68dc59728bd8632ba858f0058dce3f52083ca9df6f5a9013

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3eb7cb95a513eb6fd6783ce86597b011
SHA1 b695595b22c9eabdee5e78cb77ae5edc6ebb6e38
SHA256 3e7c32f71be8dba753cbefb02eecd4e5195021ead9365235c1657f16c17d33bc
SHA512 8a1f24f87ae5f788d6a31fa476a3a1d09304889823af6a10881125b32fda2f7b79e6e545742116d952243a3fd42d616d1a6b4743a629f8b96cb7ce89c20a0d4c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4ca15ae218a1847e081b4595cc1fd71d
SHA1 b2a4019f2ed195b53140d8d0177df272aea06b74
SHA256 6da468aa24803e739161bfe91714ca4c48b075397248dab5e48c2d2dee36532d
SHA512 2b05614a4725154621413933a2c2befd56e5e443841eeff6ded06a0206e76aa9b62ed35b7ab9cd457d1c81ff8b4bc2756518df3d0c8ab025a268f5433daa45eb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d2beb1327da9fb2a48086b230ff2b62f
SHA1 60177ae276f7613cbedf8fc87af3ba42faeb77be
SHA256 47645a57bddbbb28d1731938a770d0ec49cf5e272ec07611ec347cceee872217
SHA512 8c20cdf5db968adc746e80a13a428657fdddfc4d5a7f2110a80966360b5fa2f46aefb62288ff01aea651ed7df4f0519500ae21da20a40372eda64aaecf29d6f3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 baae904fcb51f324b2e15c591fad2c18
SHA1 72da65d7222672846aa600b3b96db6d9fd6392f2
SHA256 c314f72afa98f7b36b750b14637ab1bb08f235eee98a135881a4fd4e2fa37031
SHA512 db98e8592fd9834dbb7a8616c7ec95aaac36933c864b5030fd1a244a4ac1ec0bb1214857248860153ebb041755a0c4199394ff131c9666401630678818ac4886

Analysis: behavioral18

Detonation Overview

Submitted

2024-10-27 13:18

Reported

2024-10-27 13:22

Platform

win7-20240903-en

Max time kernel

118s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2436 wrote to memory of 1940 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2436 wrote to memory of 1940 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2436 wrote to memory of 1940 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2436 -s 88

Network

N/A

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-10-27 13:18

Reported

2024-10-27 13:22

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\meetsee.exe"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\meetsee.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\meetsee.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UpdateMC.exe C:\Users\Admin\AppData\Local\Temp\UpdateMC.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UpdateMC.exe C:\Users\Admin\AppData\Local\Temp\UpdateMC.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Path = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UpdateMC.exe" C:\Users\Admin\AppData\Local\Temp\UpdateMC.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\temp03241242Lvkpkq\MicrosoftRuntimeComponentsX86.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.db-ip.com N/A N/A
N/A api.db-ip.com N/A N/A
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\exe\directinstall.pdb C:\Users\Admin\AppData\Local\Temp\temp03241242Lvkpkq\MicrosoftRuntimeComponentsX86.exe N/A
File opened for modification C:\Windows\system32\symbols\exe\directinstall.pdb C:\Users\Admin\AppData\Local\Temp\temp03241242Lvkpkq\MicrosoftRuntimeComponentsX86.exe N/A
File opened for modification C:\Windows\SYSTEM32\kernel32.pdb C:\Users\Admin\AppData\Local\Temp\temp03241242Lvkpkq\MicrosoftRuntimeComponentsX86.exe N/A
File opened for modification C:\Windows\SYSTEM32\ntdll.pdb C:\Users\Admin\AppData\Local\Temp\temp03241242Lvkpkq\MicrosoftRuntimeComponentsX86.exe N/A
File opened for modification C:\Windows\system32\ntdll.pdb C:\Users\Admin\AppData\Local\Temp\temp03241242Lvkpkq\MicrosoftRuntimeComponentsX86.exe N/A
File opened for modification C:\Windows\SYSTEM32\exe\directinstall.pdb C:\Users\Admin\AppData\Local\Temp\temp03241242Lvkpkq\MicrosoftRuntimeComponentsX86.exe N/A
File opened for modification C:\Windows\system32\DLL\kernel32.pdb C:\Users\Admin\AppData\Local\Temp\temp03241242Lvkpkq\MicrosoftRuntimeComponentsX86.exe N/A
File opened for modification C:\Windows\system32\symbols\DLL\kernel32.pdb C:\Users\Admin\AppData\Local\Temp\temp03241242Lvkpkq\MicrosoftRuntimeComponentsX86.exe N/A
File opened for modification C:\Windows\SYSTEM32\dll\ntdll.pdb C:\Users\Admin\AppData\Local\Temp\temp03241242Lvkpkq\MicrosoftRuntimeComponentsX86.exe N/A
File opened for modification C:\Windows\SYSTEM32\symbols\dll\ntdll.pdb C:\Users\Admin\AppData\Local\Temp\temp03241242Lvkpkq\MicrosoftRuntimeComponentsX86.exe N/A
File opened for modification C:\Windows\system32\symbols\dll\ntdll.pdb C:\Users\Admin\AppData\Local\Temp\temp03241242Lvkpkq\MicrosoftRuntimeComponentsX86.exe N/A
File opened for modification C:\Windows\SYSTEM32\symbols\exe\directinstall.pdb C:\Users\Admin\AppData\Local\Temp\temp03241242Lvkpkq\MicrosoftRuntimeComponentsX86.exe N/A
File opened for modification C:\Windows\SYSTEM32\symbols\DLL\kernel32.pdb C:\Users\Admin\AppData\Local\Temp\temp03241242Lvkpkq\MicrosoftRuntimeComponentsX86.exe N/A
File opened for modification C:\Windows\system32\dll\ntdll.pdb C:\Users\Admin\AppData\Local\Temp\temp03241242Lvkpkq\MicrosoftRuntimeComponentsX86.exe N/A
File opened for modification C:\Windows\System32\directinstall.pdb C:\Users\Admin\AppData\Local\Temp\temp03241242Lvkpkq\MicrosoftRuntimeComponentsX86.exe N/A
File opened for modification C:\Windows\system32\directinstall.pdb C:\Users\Admin\AppData\Local\Temp\temp03241242Lvkpkq\MicrosoftRuntimeComponentsX86.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\ntdll.pdb C:\Users\Admin\AppData\Local\Temp\temp03241242Lvkpkq\MicrosoftRuntimeComponentsX86.exe N/A
File opened for modification C:\Windows\System32\DLL\kernel32.pdb C:\Users\Admin\AppData\Local\Temp\temp03241242Lvkpkq\MicrosoftRuntimeComponentsX86.exe N/A
File opened for modification C:\Windows\System32\symbols\DLL\kernel32.pdb C:\Users\Admin\AppData\Local\Temp\temp03241242Lvkpkq\MicrosoftRuntimeComponentsX86.exe N/A
File opened for modification C:\Windows\SYSTEM32\DLL\kernel32.pdb C:\Users\Admin\AppData\Local\Temp\temp03241242Lvkpkq\MicrosoftRuntimeComponentsX86.exe N/A
File opened for modification C:\Windows\System32\exe\directinstall.pdb C:\Users\Admin\AppData\Local\Temp\temp03241242Lvkpkq\MicrosoftRuntimeComponentsX86.exe N/A
File opened for modification C:\Windows\system32\kernel32.pdb C:\Users\Admin\AppData\Local\Temp\temp03241242Lvkpkq\MicrosoftRuntimeComponentsX86.exe N/A
File opened for modification C:\Windows\System32\ntdll.pdb C:\Users\Admin\AppData\Local\Temp\temp03241242Lvkpkq\MicrosoftRuntimeComponentsX86.exe N/A
File opened for modification C:\Windows\System32\dll\ntdll.pdb C:\Users\Admin\AppData\Local\Temp\temp03241242Lvkpkq\MicrosoftRuntimeComponentsX86.exe N/A
File opened for modification C:\Windows\System32\symbols\exe\directinstall.pdb C:\Users\Admin\AppData\Local\Temp\temp03241242Lvkpkq\MicrosoftRuntimeComponentsX86.exe N/A
File opened for modification C:\Windows\System32\kernel32.pdb C:\Users\Admin\AppData\Local\Temp\temp03241242Lvkpkq\MicrosoftRuntimeComponentsX86.exe N/A
File opened for modification C:\Windows\SYSTEM32\directinstall.pdb C:\Users\Admin\AppData\Local\Temp\temp03241242Lvkpkq\MicrosoftRuntimeComponentsX86.exe N/A

Hide Artifacts: Ignore Process Interrupts

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Access Token Manipulation: Create Process with Token

defense_evasion privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Browser Information Discovery

discovery

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\meetsee.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\Temp\meetsee.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\meetsee.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Users\Admin\AppData\Local\Temp\meetsee.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz C:\Users\Admin\AppData\Local\Temp\meetsee.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\meetsee.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 C:\Users\Admin\AppData\Local\Temp\meetsee.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\meetsee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\meetsee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\meetsee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\meetsee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\meetsee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\meetsee.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\temp03241242Lvkpkq\MicrosoftRuntimeComponentsX86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\temp03241242Lvkpkq\MicrosoftRuntimeComponentsX86.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\temp03241242Lvkpkq\MicrosoftRuntimeComponentsX86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\temp03241242Lvkpkq\MicrosoftRuntimeComponentsX86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\temp03241242Lvkpkq\MicrosoftRuntimeComponentsX86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\temp03241242Lvkpkq\MicrosoftRuntimeComponentsX86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\temp03241242Lvkpkq\MicrosoftRuntimeComponentsX86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\temp03241242Lvkpkq\MicrosoftRuntimeComponentsX86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\temp03241242Lvkpkq\MicrosoftRuntimeComponentsX86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\temp03241242Lvkpkq\MicrosoftRuntimeComponentsX86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\temp03241242Lvkpkq\MicrosoftRuntimeComponentsX86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\temp03241242Lvkpkq\MicrosoftRuntimeComponentsX86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\temp03241242Lvkpkq\MicrosoftRuntimeComponentsX86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\temp03241242Lvkpkq\MicrosoftRuntimeComponentsX86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\temp03241242Lvkpkq\MicrosoftRuntimeComponentsX86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\temp03241242Lvkpkq\MicrosoftRuntimeComponentsX86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\temp03241242Lvkpkq\MicrosoftRuntimeComponentsX86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\temp03241242Lvkpkq\MicrosoftRuntimeComponentsX86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\temp03241242Lvkpkq\MicrosoftRuntimeComponentsX86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\temp03241242Lvkpkq\MicrosoftRuntimeComponentsX86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\temp03241242Lvkpkq\MicrosoftRuntimeComponentsX86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\temp03241242Lvkpkq\MicrosoftRuntimeComponentsX86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\temp03241242Lvkpkq\MicrosoftRuntimeComponentsX86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\temp03241242Lvkpkq\MicrosoftRuntimeComponentsX86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\temp03241242Lvkpkq\MicrosoftRuntimeComponentsX86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\temp03241242Lvkpkq\MicrosoftRuntimeComponentsX86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\temp03241242Lvkpkq\MicrosoftRuntimeComponentsX86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\meetsee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\meetsee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\meetsee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\meetsee.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\meetsee.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\meetsee.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\meetsee.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\meetsee.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\meetsee.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\meetsee.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\meetsee.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\meetsee.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\meetsee.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\meetsee.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\meetsee.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\meetsee.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\meetsee.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\meetsee.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\meetsee.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\meetsee.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\meetsee.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\meetsee.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\meetsee.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\meetsee.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\meetsee.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5020 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\meetsee.exe C:\Users\Admin\AppData\Local\Temp\meetsee.exe
PID 5020 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\meetsee.exe C:\Users\Admin\AppData\Local\Temp\meetsee.exe
PID 5020 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\meetsee.exe C:\Users\Admin\AppData\Local\Temp\meetsee.exe
PID 5020 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\meetsee.exe C:\Users\Admin\AppData\Local\Temp\meetsee.exe
PID 5020 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\meetsee.exe C:\Users\Admin\AppData\Local\Temp\meetsee.exe
PID 5020 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\meetsee.exe C:\Users\Admin\AppData\Local\Temp\meetsee.exe
PID 5020 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\meetsee.exe C:\Users\Admin\AppData\Local\Temp\meetsee.exe
PID 5020 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\meetsee.exe C:\Users\Admin\AppData\Local\Temp\meetsee.exe
PID 5020 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\meetsee.exe C:\Users\Admin\AppData\Local\Temp\meetsee.exe
PID 5020 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\meetsee.exe C:\Users\Admin\AppData\Local\Temp\meetsee.exe
PID 5020 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\meetsee.exe C:\Users\Admin\AppData\Local\Temp\meetsee.exe
PID 5020 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\meetsee.exe C:\Users\Admin\AppData\Local\Temp\meetsee.exe
PID 5020 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\meetsee.exe C:\Users\Admin\AppData\Local\Temp\meetsee.exe
PID 5020 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\meetsee.exe C:\Users\Admin\AppData\Local\Temp\meetsee.exe
PID 5020 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\meetsee.exe C:\Users\Admin\AppData\Local\Temp\meetsee.exe
PID 5020 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\meetsee.exe C:\Users\Admin\AppData\Local\Temp\meetsee.exe
PID 5020 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\meetsee.exe C:\Users\Admin\AppData\Local\Temp\meetsee.exe
PID 5020 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\meetsee.exe C:\Users\Admin\AppData\Local\Temp\meetsee.exe
PID 5020 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\meetsee.exe C:\Users\Admin\AppData\Local\Temp\meetsee.exe
PID 5020 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\meetsee.exe C:\Users\Admin\AppData\Local\Temp\meetsee.exe
PID 5020 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\meetsee.exe C:\Users\Admin\AppData\Local\Temp\meetsee.exe
PID 5020 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\meetsee.exe C:\Users\Admin\AppData\Local\Temp\meetsee.exe
PID 5020 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\meetsee.exe C:\Users\Admin\AppData\Local\Temp\meetsee.exe
PID 5020 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\meetsee.exe C:\Users\Admin\AppData\Local\Temp\meetsee.exe
PID 5020 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\meetsee.exe C:\Users\Admin\AppData\Local\Temp\meetsee.exe
PID 5020 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\meetsee.exe C:\Users\Admin\AppData\Local\Temp\meetsee.exe
PID 5020 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\meetsee.exe C:\Users\Admin\AppData\Local\Temp\meetsee.exe
PID 5020 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\meetsee.exe C:\Users\Admin\AppData\Local\Temp\meetsee.exe
PID 5020 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\meetsee.exe C:\Users\Admin\AppData\Local\Temp\meetsee.exe
PID 5020 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\meetsee.exe C:\Users\Admin\AppData\Local\Temp\meetsee.exe
PID 5020 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\meetsee.exe C:\Users\Admin\AppData\Local\Temp\meetsee.exe
PID 5020 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\meetsee.exe C:\Users\Admin\AppData\Local\Temp\meetsee.exe
PID 5020 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\meetsee.exe C:\Users\Admin\AppData\Local\Temp\meetsee.exe
PID 5020 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\meetsee.exe C:\Users\Admin\AppData\Local\Temp\meetsee.exe
PID 5020 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\meetsee.exe C:\Users\Admin\AppData\Local\Temp\meetsee.exe
PID 5020 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\meetsee.exe C:\Users\Admin\AppData\Local\Temp\meetsee.exe
PID 5020 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\meetsee.exe C:\Windows\system32\cmd.exe
PID 5020 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\meetsee.exe C:\Windows\system32\cmd.exe
PID 2136 wrote to memory of 4632 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\reg.exe
PID 2136 wrote to memory of 4632 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\reg.exe
PID 5020 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\meetsee.exe C:\Windows\system32\cmd.exe
PID 5020 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\meetsee.exe C:\Windows\system32\cmd.exe
PID 3736 wrote to memory of 1056 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\reg.exe
PID 3736 wrote to memory of 1056 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\reg.exe
PID 5020 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\meetsee.exe C:\Windows\system32\cmd.exe
PID 5020 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\meetsee.exe C:\Windows\system32\cmd.exe
PID 5020 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\meetsee.exe C:\Windows\system32\cmd.exe
PID 3608 wrote to memory of 2700 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\reg.exe
PID 3036 wrote to memory of 2808 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5020 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\meetsee.exe C:\Windows\system32\cmd.exe
PID 3792 wrote to memory of 4316 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\reg.exe
PID 5020 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\meetsee.exe C:\Windows\system32\cmd.exe
PID 1444 wrote to memory of 2560 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\reg.exe
PID 2808 wrote to memory of 3600 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\temp03241242Lvkpkq\MicrosoftRuntimeComponentsX86.exe
PID 3600 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\temp03241242Lvkpkq\MicrosoftRuntimeComponentsX86.exe C:\Windows\System32\Wbem\wmic.exe

Processes

C:\Users\Admin\AppData\Local\Temp\meetsee.exe

"C:\Users\Admin\AppData\Local\Temp\meetsee.exe"

C:\Users\Admin\AppData\Local\Temp\meetsee.exe

C:\Users\Admin\AppData\Local\Temp\meetsee.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\meet-app /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\meet-app\Crashpad --url=https://f.a.k/e --annotation=_productName=meet-app --annotation=_version=3.7.482 --annotation=plat=Win64 --annotation=prod=Electron --annotation=ver=28.3.3 --initial-client-data=0x50c,0x514,0x518,0x4f0,0x51c,0x7ff788a84688,0x7ff788a84694,0x7ff788a846a0

C:\Users\Admin\AppData\Local\Temp\meetsee.exe

"C:\Users\Admin\AppData\Local\Temp\meetsee.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\meet-app" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1812 --field-trial-handle=1820,i,17867042100973498449,480296898689884537,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:2

C:\Users\Admin\AppData\Local\Temp\meetsee.exe

"C:\Users\Admin\AppData\Local\Temp\meetsee.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\meet-app" --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --mojo-platform-channel-handle=2028 --field-trial-handle=1820,i,17867042100973498449,480296898689884537,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8

C:\Users\Admin\AppData\Local\Temp\meetsee.exe

"C:\Users\Admin\AppData\Local\Temp\meetsee.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\meet-app" --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --app-user-model-id=com.meetsee --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2524 --field-trial-handle=1820,i,17867042100973498449,480296898689884537,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "%windir%\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid"

C:\Windows\System32\reg.exe

C:\Windows\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "%windir%\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid"

C:\Windows\System32\reg.exe

C:\Windows\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Start-Process "C:\Users\Admin\AppData\Local\Temp\temp03241242Lvkpkq\MicrosoftRuntimeComponentsX86.exe" -Verb runAs -ErrorAction SilentlyContinue"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "%windir%\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid"

C:\Windows\System32\reg.exe

C:\Windows\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Start-Process "C:\Users\Admin\AppData\Local\Temp\temp03241242Lvkpkq\MicrosoftRuntimeComponentsX86.exe" -Verb runAs -ErrorAction SilentlyContinue

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "%windir%\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid"

C:\Windows\System32\reg.exe

C:\Windows\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid

C:\Users\Admin\AppData\Local\Temp\temp03241242Lvkpkq\MicrosoftRuntimeComponentsX86.exe

"C:\Users\Admin\AppData\Local\Temp\temp03241242Lvkpkq\MicrosoftRuntimeComponentsX86.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "%windir%\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid"

C:\Windows\System32\reg.exe

C:\Windows\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid

C:\Windows\System32\Wbem\wmic.exe

"wmic" csproduct get UUID

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command "Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\UpdateMC.exe' -Verb RunAs -WindowStyle hidden -ErrorAction SilentlyContinue"

C:\Users\Admin\AppData\Local\Temp\UpdateMC.exe

"C:\Users\Admin\AppData\Local\Temp\UpdateMC.exe"

C:\Users\Admin\AppData\Local\Temp\meetsee.exe

"C:\Users\Admin\AppData\Local\Temp\meetsee.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\meet-app" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1296 --field-trial-handle=1820,i,17867042100973498449,480296898689884537,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8

Network

Files

\??\pipe\crashpad_5020_IARIBJHCLYSOQSNM

C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oqc1wknb.yxo.ps1

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk

C:\Users\Admin\AppData\Roaming\meet-app\Network\Network Persistent State

C:\Users\Admin\AppData\Roaming\meet-app\Network\Network Persistent State~RFe58cb3a.TMP

Analysis: behavioral29

Detonation Overview

Submitted

2024-10-27 13:18

Reported

2024-10-27 13:22

Platform

win7-20240903-en

Max time kernel

117s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\node-api-dotnet\net472\Microsoft.Bcl.AsyncInterfaces.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\node-api-dotnet\net472\Microsoft.Bcl.AsyncInterfaces.dll,#1

Network

N/A

Files

N/A