Malware Analysis Report

2024-12-07 16:14

Sample ID 241113-nlkr2szqaz
Target roarkaot Setup 1.0.0.exe.a
SHA256 cdffceb70876f6dea25c9c0c64798922d6afce1a9425e71bb0388e604a5f69aa
Tags
discovery execution collection
score
7/10

Analysis Overview

score
7/10

SHA256

cdffceb70876f6dea25c9c0c64798922d6afce1a9425e71bb0388e604a5f69aa

Threat Level: Shows suspicious behavior

The file roarkaot Setup 1.0.0.exe.a was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery execution collection

Loads dropped DLL

Clipboard Data

Executes dropped EXE

Checks installed software on the system

Enumerates processes with tasklist

Enumerates physical storage devices

Browser Information Discovery

Command and Scripting Interpreter: JavaScript

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates system info in registry

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 11:30

Signatures

Unsigned PE


Analysis: behavioral8

Detonation Overview

Submitted

2024-11-13 11:29

Reported

2024-11-13 11:32

Platform

win10v2004-20241007-en

Max time kernel

34s

Max time network

38s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4628 wrote to memory of 3104 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3104 -ip 3104

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-11-13 11:29

Reported

2024-11-13 11:32

Platform

win10v2004-20241007-en

Max time kernel

60s

Max time network

72s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html

Signatures

Browser Information Discovery

discovery

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5008 wrote to memory of 3992 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5008 wrote to memory of 3832 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5008 wrote to memory of 3428 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5008 wrote to memory of 4024 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9639546f8,0x7ff963954708,0x7ff963954718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,16211666171334539850,12552843468919528308,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,16211666171334539850,12552843468919528308,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,16211666171334539850,12552843468919528308,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2908 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16211666171334539850,12552843468919528308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16211666171334539850,12552843468919528308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,16211666171334539850,12552843468919528308,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5388 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,16211666171334539850,12552843468919528308,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5388 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16211666171334539850,12552843468919528308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16211666171334539850,12552843468919528308,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16211666171334539850,12552843468919528308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3516 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16211666171334539850,12552843468919528308,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

\??\pipe\LOCAL\crashpad_5008_DJZSBJYGAODHQVNP

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\093585f9-b960-4bbd-950c-3af4014db21b.tmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-11-13 11:29

Reported

2024-11-13 11:32

Platform

win7-20240903-en

Max time kernel

9s

Max time network

18s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\@img\sharp-win32-x64\lib\libvips-cpp.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\@img\sharp-win32-x64\lib\libvips-cpp.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-11-13 11:29

Reported

2024-11-13 11:32

Platform

debian9-mipsbe-20240611-en

Max time kernel

0s

Command Line

[/tmp/sqlite-autoconf-3410100/Makefile.fallback]

Signatures

N/A

Processes

/tmp/sqlite-autoconf-3410100/Makefile.fallback

[/tmp/sqlite-autoconf-3410100/Makefile.fallback]

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 11:29

Reported

2024-11-13 11:32

Platform

win7-20240729-en

Max time kernel

14s

Max time network

17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\roarkaot Setup 1.0.0.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Programs\roarkaot\roarkaot.exe | N/A

Checks installed software on the system

discovery

Enumerates processes with tasklist

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\find.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\roarkaot Setup 1.0.0.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\roarkaot Setup 1.0.0.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\roarkaot Setup 1.0.0.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\roarkaot Setup 1.0.0.exe

"C:\Users\Admin\AppData\Local\Temp\roarkaot Setup 1.0.0.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq roarkaot.exe" /FO csv | "C:\Windows\system32\find.exe" "roarkaot.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist /FI "USERNAME eq Admin" /FI "IMAGENAME eq roarkaot.exe" /FO csv

C:\Windows\SysWOW64\find.exe

"C:\Windows\system32\find.exe" "roarkaot.exe"

C:\Users\Admin\AppData\Local\Programs\roarkaot\roarkaot.exe

"C:\Users\Admin\AppData\Local\Programs\roarkaot\roarkaot.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\SpiderBanner.dll

MD5 17309e33b596ba3a5693b4d3e85cf8d7
SHA1 7d361836cf53df42021c7f2b148aec9458818c01
SHA256 996a259e53ca18b89ec36d038c40148957c978c0fd600a268497d4c92f882a93
SHA512 1abac3ce4f2d5e4a635162e16cf9125e059ba1539f70086c2d71cd00d41a6e2a54d468e6f37792e55a822d7082fb388b8dfecc79b59226bbb047b7d28d44d298

\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\nsExec.dll

MD5 ec0504e6b8a11d5aad43b296beeb84b2
SHA1 91b5ce085130c8c7194d66b2439ec9e1c206497c
SHA256 5d9ceb1ce5f35aea5f9e5a0c0edeeec04dfefe0c77890c80c70e98209b58b962
SHA512 3f918f1b47e8a919cbe51eb17dc30acc8cfc18e743a1bae5b787d0db7d26038dc1210be98bf5ba3be8d6ed896dbbd7ac3d13e66454a98b2a38c7e69dad30bb57

\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\nsis7z.dll

MD5 80e44ce4895304c6a3a831310fbf8cd0
SHA1 36bd49ae21c460be5753a904b4501f1abca53508
SHA256 b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592
SHA512 c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\chrome_100_percent.pak

MD5 3c72d78266a90ed10dc0b0da7fdc6790
SHA1 6690eb15b179c8790e13956527ebbf3d274eef9b
SHA256 14a6a393c60f62df9bc1036e98346cd557e0ae73e8c7552d163fa64da77804d7
SHA512 b1babf1c37b566a5f0e5f84156f7ab59872690ba0bdd51850525f86769bfebc245f83988a3508945cf7617d73cd25e8469228974dd2c38415388b6a378552420

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\chrome_200_percent.pak

MD5 3969308aae1dc1c2105bbd25901bcd01
SHA1 a32f3c8341944da75e3eed5ef30602a98ec75b48
SHA256 20c93f2cfd69f3249cdfd46f317b37a9432ecc0de73323d24ecf65ce0f3c1bb6
SHA512 f81ed1890b46f7d9f6096b9ef5daab5b21788952efb5c4dcd6b8fd43e4673a91607c748f31434c84a180d943928d83928037058493e7e9b48c3de1fc8025df7f

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\d3dcompiler_47.dll

MD5 a7b7470c347f84365ffe1b2072b4f95c
SHA1 57a96f6fb326ba65b7f7016242132b3f9464c7a3
SHA256 af7b99be1b8770c0e4d18e43b04e81d11bdeb667fa6b07ade7a88f4c5676bf9a
SHA512 83391a219631f750499fd9642d59ec80fb377c378997b302d10762e83325551bb97c1086b181fff0521b1ca933e518eab71a44a3578a23691f215ebb1dce463d

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\ffmpeg.dll

MD5 ebf0485fbf546b010c2b10c5c8e7d5ed
SHA1 a4a546f6be93bae535aa724ce2832f428cc91f89
SHA256 46a20d91861f6e966959635dd5f1adfd7f33449dd814a9aecf207b0cd53117ba
SHA512 9e6011c0269556376907850fddac8fdf50e132434da7daf4d87be83c1b89b7aef847b25b6216686915225a82374fac6ff987f22efc01d5b1c2cc81d53d7facc9

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\libEGL.dll

MD5 4c01b3614be1f38a6d594443a547c257
SHA1 7eaa456b164613577d0965ab5a57ba2b681a6ffa
SHA256 e36da1a4228899bebe50cc5da1fcbbc590cdcb3ddee0b2a19defd99a805b6ed4
SHA512 b72fc071dc791c63978465a68c9a4904d5f1c458d302bb710e83576f20ef928d73c487248a305bb455990c2d8a6b894ee47d88bca6bc92360f286849ae1a1257

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\icudtl.dat

MD5 ffd67c1e24cb35dc109a24024b1ba7ec
SHA1 99f545bc396878c7a53e98a79017d9531af7c1f5
SHA256 9ae98c06cbb0ea43c5cd6b5725310c008c65e46072421a1118cb88e1de9a8b92
SHA512 e1a865e685d2d3bacd0916d4238a79462519d887feb273a251120bb6af2b4481d025f3b21ce9a1a95a49371a0aa3ecf072175ba756974e831dbfde1f0feaeb79

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\libGLESv2.dll

MD5 9bbeb7b27646442c8bc2d202a73516d5
SHA1 a7f7a52dc45bf130581953e07ce9b9851cbce90a
SHA256 2b80817443265e7979b9a77075492e8e29be3ba775d20f646cdda391efbab21c
SHA512 f9826e43f53bb9b906b5c62ff2502d4e8dc3ff99b72420cf313a5811061cb146651cba3b8f864f34dfcfd51c6e3b39a0a640719ef94d7696bdc4fab7e9d16785

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\LICENSE.electron.txt

MD5 4d42118d35941e0f664dddbd83f633c5
SHA1 2b21ec5f20fe961d15f2b58efb1368e66d202e5c
SHA256 5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d
SHA512 3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\LICENSES.chromium.html

MD5 f017c462d59fd22271a2c5e7f38327f9
SHA1 7e1bbeea6ac2599bd0f08877aa5811d32f1aceb9
SHA256 40f314c778851106918aae749d75b2d913984327602a1bfb7ef0cc6443ff2a37
SHA512 72177281486f6ec26ccc743b43481c31470c7dd53f17b0a67ac087dded190c2e3dde5570260150c2e9650186a515740af7f81e31965c95bb762340f9ac100c07

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\resources.pak

MD5 7398d5aee46689f03c278c8954f68f2b
SHA1 62e10057cfb2dc53c62d088d4fde3252d1216d86
SHA256 9590361aa74c43818881e622f2e3b7992c978397f7ac269f37accb435b134fc8
SHA512 1d6ae4cadd302fd683be66016cc4aa092bfe9689b81e1a764512327983f558a7ad9a10aadb7f8e13b73949d648d0e14ea0eb7c2de2420353a46e44c6b647c652

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\snapshot_blob.bin

MD5 0406a232eb55e516dc38b4967671846a
SHA1 aade7c03b1ecc81027c98a79285687bc19276fc5
SHA256 4f944691b7066ef5653cfbf6b016488f6e5f0afd2d6bc03b90de5485514f83f5
SHA512 c608095510f88348e1e412ef573e4aeb4a7d328dec2892bada688a06baa023fcea1cc0dfbba6f6c41de303f3b6d5e1c4335a2610f3ec47a690e4f309f8782359

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\v8_context_snapshot.bin

MD5 3eef488e8b9d35f710634c4d404c7e1a
SHA1 971c730ccfba2db0fee379683f4e310df5c9f1df
SHA256 3a189b50da4b31b5af6cdfdb6398fa039ccac9e13898e4851b27c4d91f4dff6c
SHA512 f787b7633edf75905674c467f7c291a2b3791a8475b11e1d4fb1769ebe872c6b70d778124c22a55b96efe2ac443c82750371421ac9fe8f2cc8bb47ce0e3648d6

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\vk_swiftshader.dll

MD5 abd993f23ed3c75fb80320a10451dd66
SHA1 95b13400418512870a37a4e59ecc7dd9c467df2b
SHA256 52c64e3bd5f852f7c2628bca773bb5a270ad40f5e31bcf8429323cb9fd1bd4da
SHA512 fe98cabf2e3500d52b09f9869f3ceab6c7ed8fefb7fba56eb62a5319053ea997881112abf139f2e642210eb4b61d5a726b8dc41d4565b81faaeb5d64a00e6267

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\vk_swiftshader_icd.json

MD5 8642dd3a87e2de6e991fae08458e302b
SHA1 9c06735c31cec00600fd763a92f8112d085bd12a
SHA256 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9
SHA512 f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\vulkan-1.dll

MD5 0b95f0a5905c4075a3fbef0ddb71e915
SHA1 72a4536da15d5d9e1617331d8e4a5c5a579c75b3
SHA256 03b808d8045ebefebf2e2847be039358f7ec1db63e1c601847b8cd304c3db448
SHA512 9e57eeaafdaf0b5516822d1ca7ef1995442a03677f856828d49ccc01ab8492245d8659eec7675822fc8610ba250e49a6f3c8569aad2a324cec83e0d6b5201187

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\bg.pak

MD5 e1322b5cdbb96d2cf4a5fa5993c2acc6
SHA1 e813a5685b1885c2788c4826a8f8659493febbf5
SHA256 39707fb80e38e9404accac5f12ff1f3745589bd80b1586e2208b27c0c8eafcc2
SHA512 2c6e766d671bc4ac772196e40b818039fc88f02eeaa59f78c78558e5e2670c1fb7fed9391684160c0af5a92acf8991533b298b5aabc3919c706f23f094f2ac15

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\ar.pak

MD5 513e6bea67200feef37fb2e8c7fcec36
SHA1 b0edbb5846b8ddfd95ad74905e890892192279d3
SHA256 00a9c88b644807369637ddb78d9832d7137b5f1c64ca9720a36bfccea8c38d98
SHA512 fbc184640fc419b50f6b1a78168a9efb63f8ac4c151baed17b5e9b9d333a360dce109351654ebf1c71c97471917c922456cf9c816118c6c781efdee14d8360fb

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\am.pak

MD5 1c47cbc228940f5c645f2fd77602253e
SHA1 474a5006ae9ae774b5d420c2f1fb0d0f2ff36afb
SHA256 5245154c986ca89ef53a24a4246345e3db01ebe47219f1d0772935b03e81e37b
SHA512 dd4e7c1e26759001ab1ef63f93e847e2908c78d943c7546c88e1988d96a6625f9de9e0ab8b38af4c7b07202e1a5488023cc3429075de6c9b9394307c88442673

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\af.pak

MD5 09455048c30cecbb17d6e0e95e4c01da
SHA1 6572850b07df45933ed57754f72c44895a7ef662
SHA256 e973763dcc0ffd7a5afe0a62ec9651c4c3db7fe29a23797fafc34b83512d03aa
SHA512 f59b68c213815ad81379c964abe6597b900b9fac5fe17e2cb378d015c4803f96b598ef70333d594599b3283a88a9ca9cb2475afc2590eda2ddf7b041ba2368e3

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\bn.pak

MD5 880e325d5643051ad7e29c2280fab954
SHA1 cc46cff349031f9036cafafd3c091d1a5ab93f2f
SHA256 2fbcb9524eba04637e3f6c2874f7fce917326ba90877e1715eae4b35f141dd3d
SHA512 d16d085bd51ad267738c649f6bbfb15b8ce5ac73b838cfb7e2ab0f4c135317c358b83a7b5d3506c492f75b97edb8d1eeee9733d12c9eca1bc51012d660b9e912

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\ca.pak

MD5 84b1e5be23e838708773d4e022f99986
SHA1 53e411d571605a0a86a1040bff32a5e951ce9ee8
SHA256 faff0931e9479b76d2b6247739d4f934023a64bbe8578be08e2dd0eb053231f6
SHA512 8afc396b859fbd0c03d1b7604f5cd80d41fd8e3df52ab88ba22a31a6a0df447671377f2ad0f6797682da6aa32d7c779defa1097ee140af207adc94575957fca8

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\cs.pak

MD5 709ed2e9426081c9e86d9abdc74b44a3
SHA1 f55fc17c8b9bc5f09a539ecb8b995c1b43fc4d25
SHA256 6597d0dadf724999741e0f24953ce9be02c8b98ecb8a382115b205edde87c160
SHA512 992ba983cb8b24bf0ff190715c5845f34b13f17227486350fc736c872ac8f0b21347f5f6d13e2e204e928ec664e283ca65b65f72d9910725f55d737b6c5fda40

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\da.pak

MD5 96bbef1eee0b0a197ec834839c00e11c
SHA1 35adba0aafbb4d19015e11dde1f37de87292252d
SHA256 600e02877374dc083b21deb3cc3bf6a4e3e2b2c581a631955494b0591c56289c
SHA512 e1ae7ad30735b6c42f81d30d50162330603753b0ce7705506918d0bf3bf9a52ac60f8fca570cdfe87f0d6dd46cfa3064d5a1526d39d81a053571b434b1cbffe1

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\el.pak

MD5 4009c890acb9b81928e6e1a4b593dd62
SHA1 83083e9c948ebba18fa990e230ee33fceae43cbc
SHA256 897b6fae230e6a3cd14e16eb537f96d820950f5a4537fe146a732ab028b7124d
SHA512 b4c87024d3cd612b8af6f73b31853936614f4315ba9a48b4687120dc64e1794c568c4e074e41ae6f8dedeab61484e145dc0ca3bdb95482fd85492fddc26ab6ce

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\de.pak

MD5 3a9f06d1708b7620e2639851024ed0b8
SHA1 51c0d824bf38250ec0aae58e63141489931f02ec
SHA256 91da97794994f6544707299fee6b775745dc3891fc879d8e8a05844c6383eb53
SHA512 08e80783de403651af208387a3191db30d1353cc25f310c917a1133b2622e4b6809bc2bd881517678e9229e6492705c5f45be3e849c0512c4a651c5b7026c926

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\en-US.pak

MD5 d47cded365a28d27906414035c1cb3ca
SHA1 429123c86f6ca48a89bedc9a26027e01508e6db9
SHA256 46958caf9847e33a11593ad024d5a95cc696edcd4620cf07e7b2b78c72b9c00c
SHA512 1a16d784913fead116460c9ff42e21ae482865cfe2d6ed1b1296496e46a05e513f8d048fa4d245e7a82ef61de4c4130696d5b1c647c918995f6877a888bd0853

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\en-GB.pak

MD5 ceba44242f8b24b70c9b59b5094d8da8
SHA1 84e16c522ad397289a923e5cd4b012e2d323af4e
SHA256 b0fd61679565a7649c90214efecdf6e1231a8e7895dad93452bfa1425417d5b7
SHA512 31cd936157a7408a43dcba597f6e098499dd4c5fc011ef818ce93eb7a05c9d354229c3b2295dbc290a6d3f3600373f18f75b334ba9013a5dc0be44c82f2e51bd

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\es-419.pak

MD5 ae62374bc2e71d9abed6e0c1d4bfe309
SHA1 624a8210376e11814485fe90a8825bb6ca883188
SHA256 48bd8f17823ce0f0a6f1c9fda020d5b5655e2419634f92725ab263339d9a321a
SHA512 345794d617dd3aa200ca248566e9ba36dc846af9afe259545b5a61e787b1b52e112c7eb68bc025b0d2076790a4b77a82a724bc213fad9f0f38db6054332bfced

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\es.pak

MD5 070cbd6f42db1cb9b6a2f74e03d6b124
SHA1 f8830e1c8a601123d85fd75188ed01833f910691
SHA256 91de93a4dc9c9276b9ee3ae498bdafaa55fd464c1f20fdaca84c4b79842327d4
SHA512 2ebee4e289eb2a19a97c86d1abdc1ad53c6a76b8c1dc28fc89cfde236c4abfbb823bf52573cc0848fd76ed9e0ab2d49def542837bc5c474ca1593fb5ed10a390

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\fa.pak

MD5 e5d53b9d5756871d684d018fb0c745b5
SHA1 b00a40704c91b33c2aa0f6829ae3dd886ba7177d
SHA256 8b93023af6428322b9b13aca5da9bd395a9c4775c72b758df8eb564d35d15cbd
SHA512 e722f114485cbbb5284d23f1ad1061213f40083c5da2ac9753e1416f75f7cee9d8315e6f4582322d992beb9a8cacefb607ee0b1737e3a6da775fc059a17c3fb1

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\et.pak

MD5 294c830b9e6667c8d5e7287cabd6a4b6
SHA1 52f44b97b71624bee6360301e8f6f34cfa428e72
SHA256 198674c98f10c36205161e382cc31560a4bf0de5f597a0c65f7f95777dc9bb24
SHA512 ade98fa9cc25148979f325660ed3f0f649a38709ea34b759796c4e202b3c30e76da3b8c17ecf2e1948db4a5be26af23c3a6e6b28f9445ceff68d251a5645db5b

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\fi.pak

MD5 925f45e80be419aa0125096ebb81a23f
SHA1 e73a32362952dc0aea997ee408da090f1886a438
SHA256 bf20054eb68d3d67d17d2a8c594d896c9c33fbbd562535d0c7e6cf6c940a8732
SHA512 8510e2e9749b4342eb8d79bbfb983c43293f7f37d138464c96053a79685c578a148dd54013d211b02115256f174f51a74ca9155883055801bbe146053de52eb0

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\fil.pak

MD5 a96f6f164897e62c984e9a61f6c3f7cb
SHA1 3ab2a714eb8e9b57e8a39792d152606ba0ef6a3a
SHA256 ff21df22f24c92a06f6bbda2c70b57e098d7bb6754988a5ada087aed9bc8b8af
SHA512 cd522884b66c940d64eb1377f9dd60143ae984fa7d144aa9d83b82a006b5da2ee9eabdcf046d362b2096d8a6b8486f36a10ac9f0642bb8cfb1e7903fda4c41f9

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\fr.pak

MD5 fe0ea306a7b48ee2750af3a263d9f3d1
SHA1 877968909cfbbe499911b4d8b807a593c4be52c7
SHA256 955de4737419c06609227c63c2fbba7c8abf497fb976c99a4dc9f5d5105afbd1
SHA512 07978311caa9be82bd398100d1d8367c5ca840ffcc166b73aeea0bc7c86b53db13bf648decfb3f54a43b9d199e0d98fcd29fdfb291a703502369b025eccdf872

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\gu.pak

MD5 cd212ed25482d2b5a246440b62c4fbbf
SHA1 197f3616dec4fb308e0ec5a17458ef8a2d027cd1
SHA256 0e8762ac08963088c33b74ee790df95370bbfc298bae8abfb87eb1307ef46d37
SHA512 207d3e9a6bfbd3eb19cf53a0a300eb0172ecb872496d627ac5b55b9ea11d52f24f01393893450fefaa3c42bb481129d54e552679f2f67a2af0e117d12464601d

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\he.pak

MD5 06e89cfa4c6f4bfb7aaead492c4f08f2
SHA1 39d943e0eb1637cd3f5a7b66ebcd28e76c89aaeb
SHA256 6b7937f16ae53457ac9a0c18fbac68b2076200b0fc98cb781415fdaf18c49301
SHA512 8b6d33657eda8a3f1d1bfd55135de88953d21916e72df646fec2b5f5b17e9e15849f428b0fd83143f375ada174aa953be8f07fa8ba90ca4d07dd1b859d034b4c

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\hi.pak

MD5 e3b31e519b925414176ef2d9546c356c
SHA1 7cebb1c5fd9c78f704bb9e5c463f67c5426d0171
SHA256 82fbb97e7d9634df3c806439e144cf8d153d840bad98f6e790726841a91acd13
SHA512 fc3e735f010776cbdaba1592e6f685a1fb4773ab5062f5ba9ed95d9bcab2f0ce9ab024ed95158263450fc58c3197b84e38883262a588d6d92c4e623c61b4d200

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\id.pak

MD5 a20c777901a144622f8a5520583af79b
SHA1 3506f8e07ee301bb195eb185032ebdc7fd231272
SHA256 fd44af213520242ba41f4c9003ddeedc71f923cb37e25b14e595f3e652ae18dd
SHA512 6a53bc2f5d0e4660767d21070d19f0c407fe676b9e9cbdc20e6016e333b2ad33da225bfc2833a0c0724e1b6245ca6ee3cc0e782ac955d6aebac3dc468db79a1d

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\hu.pak

MD5 40807c6b0eefd2a2f16cf0ac2c28ed53
SHA1 1b416b29e59ef41e1f18b168947e42b7fa969d2e
SHA256 533ae7e865898b61ecfdec68c581b3c4858f2c3ec1fe496ab02c61db0362d941
SHA512 487cf71df0f2e59ce1151c146651f567b624ac0e48f770a2f1da76b27933aa2bdc30990788e2dba4543a11b9e5d3da6f31badb26d7f3a5c87088c5b4e1bd7756

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\hr.pak

MD5 92e6ef5db4c0191282ce2dd3645461ea
SHA1 045d3ed58a625516af741c9e2f85680fc1561ed4
SHA256 f8d6694f1c05ca259a31e0427ba7cef5b57f0c4b33493fda21003911a5da6f07
SHA512 08b09857f173ef2a3067d60120167223b4ec7414ff6117d206bb12213ce9563c8d7923fc0ce6e7df0ea5d8ae2b3ded2a23993ab43bc46bea3c08df1bf59e16ea

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\kn.pak

MD5 f4c1e83eabd580c0b4c63b2dc510ce6a
SHA1 fc1d9fed0f073504b022606e424e7cc9796648b2
SHA256 79fd72e764a1d8ad623892e563e174463f29d6ce61a2ae29af102d71da4b8e25
SHA512 927e6ff4c7d1c28c89afdf44c62643740a94b01e9f6e927e543834c833e1b4abf97de1489c6717f9054243c180474fc695a70c4ea8852d95c690f38c785705e1

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\ja.pak

MD5 63cbeb056020b6ee8cfad26c7c6abb79
SHA1 99bf018555eec56aae4b19d10c85ac506f4164a7
SHA256 aad9e17b2170b76248d61a3bac9b1bebc44b94885403ec2cc21a31397bf029b4
SHA512 5aa4e764f06f0e8490dab89a8b3754cccdd41739b4654ac8e30de160cad335f681fa5dd7782482aaf66ff1d827ce0c34df85c23c334a35035a3a4e3d0f305343

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\it.pak

MD5 acfd6f4b73b87455acb703e59303db33
SHA1 70eabbca61eb365191cd1256f3be40ea9223b2d5
SHA256 cae7bd535284f5f156c1466820aae2bcc0b0c0ba378ad0f04eef3a145deed9b9
SHA512 bfd52bc383f1f5a7d559968bdd779198c81286796564499174c3b5b9bbc7112f427e8316f78fb09ebc668c5cbf94c89c37e97abb00c9b87b5c5c108028fc549d

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\ko.pak

MD5 626e172ad9b55ba0a1e2802ce5e10d0d
SHA1 ecd855a47448609e8e9d7bdd80f92edd494ca77c
SHA256 7111342770c33aaaffdd6fd9ef15095a6d89e48d2468c19172c0eb9b6f26ebdf
SHA512 d42594259929e35b763e71cb7022d34a11bf75a4b9bb058e251cbbe8e80bccdfb284eed1c6367f98e3023134c24d50542c64673d80e29230fdd057de70a10d5c

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\ml.pak

MD5 265d7fbee9a021895d51209dc0181f90
SHA1 30e37013971bacd3ee93ad2fca01cb59a26d6a87
SHA256 682463d4a0221711e565ecf409893536d727650efd2ed0563c722cceab66b1ad
SHA512 028e1ad499b20ff7cda822b91f9b8d1cbb1efe108b7236d817b73a6f8e518b5f4a8ae77d653ae5c9d799842eaee3915250ef56f634f847fc5fc8a3b36eea176c

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\lv.pak

MD5 df9985ecfc958f343ab7e56e71149d71
SHA1 fc0d2c4a194d500a1f4cfafcd9102186016ba5a3
SHA256 7e17246e23ca2d0241d56d91b5d5e6bfb3ff4e08f1a3734f9d032b4191282fa2
SHA512 0dd65eed7a5bccee0ac5e2826f0cceed848dff0d0d41904e00d35cec9d96fc0b91a4eb54fbcf0bbba61f89848562a606f9f7aa827cb180abe7e97a2e77a29309

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\lt.pak

MD5 b02bf54687716b5d5f18aee02411a980
SHA1 4cf766077382c49fb89d59d861de0f482f989798
SHA256 0b0e3fcb82ddca52f9eb1ff9e1ee224639ff81f1c0af6ded4e21944811babc0b
SHA512 aea879ac96a5719e8988011a7b82726bf51a24e170e260182146191f43914cd50991928d2283277d173ad650f7cfb1246fad9445260e9ca0769052079d431f25

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\nl.pak

MD5 d7048d029ab3ff807dff790113328574
SHA1 07872f608062aa482532edda0dd2e1de31669380
SHA256 0e9c114529b9ec20118bb96ffeea05d1a408e4eb621e3fc65f49353195d1af96
SHA512 050b0eacf5b4da024d1a2af54f3511c4671756b0dab3f961d8acee5d1695eb29fba7768246dd5b3bcc253136df97e49a305832c37943380dc337776cb1fb1549

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\nb.pak

MD5 cf18f58e8e4e37b2e5fa7ef8269a294f
SHA1 c60d6e84f5cfe4cadbf4efed9b5998307b20fb9f
SHA256 3f1ed8ff0207c678b6a0a98e82fefd6340e35b7d16689672dfa90d9ee63921c6
SHA512 8f336fc50943d693ee80475250d2dbfc1401c615da571115f2c02551959028125b91ea6ffe22171dd12241688703e1869402146ef4e85a46059fe022759da953

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\ms.pak

MD5 06f24bba6fa8e9a009b3062227d4c259
SHA1 f50b0da2a86a138d16022f5642d96ff1a3ce7568
SHA256 cdfcbd86ddf584621bb2966c2d43f18096f974edb795cac0d1db43a60f3bc24c
SHA512 02239741f103c8b63072abab475ac313cb48612cac36890b7946fd816028fcba9be7ecc17ba5b934016d8817c52855ef208bffe5191d0eed35aa5243527e2150

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\mr.pak

MD5 af7c7d72a968e1936f26a3c755157f6b
SHA1 2ec71950847f5fb4b85697b6acd05224c28bb092
SHA256 e5702b9578435abbbcc922f1d4ff8c5a345856926c2174c329e228987c3ac7d5
SHA512 d265eeee96adafc3ced76901c9263bc1cb349caf925a02d5deb010c02843fb653a17e1e8a4e942c9912f654316c4a7a1776e6a7eda56ab82ae9d4d077a58a929

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\pl.pak

MD5 4003c253ef85ec0ff8a65204955994b0
SHA1 af3074fb622445f6429899cb33a33bbcc60e5e5a
SHA256 4db10dace60cc56b610a7f92caebf4e7e98ddcaf8dac4f5a87db8f750f51ef8e
SHA512 5624c8f6268c8a8dbf1a69a032ebb89e670685cb736a3cb42a65e2dca118a85e076818b58ba2e392991eff7921495167616107f402c841a8456b5b5888b70ca1

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\pt-BR.pak

MD5 0711b3f59ac95761899b013b3b242c93
SHA1 73fe7a4f60a6b92a966f1177c71bf85c6f95004f
SHA256 be445bfcd9429570e5006063b1c8299a41e762e8e0c2b63551bcf16cb6fb868b
SHA512 aad5ff84d1833db418a46961a5e3abd040e19e5a87bd6763039f8db7dda19c3cd9d7ea862585080636c2888ab1a50f2ba579cbc0ca0df8135537f1cc7543882b

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\pt-PT.pak

MD5 fbff8ba7e31acc6c26c0e4b7277cbbd0
SHA1 b9acdcbe2f0f429474acc4dd883d668cde9d3165
SHA256 477d6666bed083b27335a479c71279ad41a674f7b6a412ada1bba18be542ddc7
SHA512 ffdbb2773f18038f5d4cf145f3311feae25110ceb8efd9c895267f98acef7e901dd7d843f7c5291cd333fc81b80da301d0c92e5c0d6857da7e4eb68a5a0c540b

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\ro.pak

MD5 5d5a27c52ae905fd85f5d50cb793e7ca
SHA1 b858bba1ef66c4d3943be19a4bf8a508c23e6671
SHA256 9ff47f6890b3f543bc51015f263e791d8a3bc332098f8cd8199852fa131fa579
SHA512 f4754951ff0dd3f1ec2c0859a93422330145f9e4e3407bb7f95863c85227b96d3f8af449c0a051b60f333df3695eea5df70fd5f7fe4916e60eb6f7c4c21aa5e2

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\ru.pak

MD5 4ec91cdba9839e214ef7c008775e9e6e
SHA1 ea9f0f22ee1bca09ac38c01300cc91e2fc8aee51
SHA256 64f069a34be4966a9c28361e1c4914ce23bf96faa3bb5533fc3d233bfeac5cc1
SHA512 8c49ca910bfff175a4d88778ea34437a5acb0d52e349160f31091bd33d8ed76524950fe3e0f508c243ed76b289a550291ec68a7e0c1c426a64fbff0579c94d14

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\sk.pak

MD5 b7d16d6702d4b4b5d3a9e4c3e0e13eb2
SHA1 6b2f1591ec51c4a7cf1435fbec7b5af94e0b5d4b
SHA256 e93580dffc1715edb37965c5787048e3e282d0477f277668ca7f49cfda7142c0
SHA512 a09950a9bb3f9814d946857e32901a9b6d73b4862a85f00b7f1f035ce0cab5af4ebf3aa003731ffa8ccea88d71866ec01d9ce578fc0b13b3cfdd3df332a0c40c

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\sl.pak

MD5 48ead6e0160cbc6cbacb247cd3643110
SHA1 b39a91bb90f26c74dbc9fa28b257b705b54f2b81
SHA256 fc4cc46ff82cb8a41181e825a3d4e4508753fb68ff01a60486b7df4a4e11e89b
SHA512 c037d352d315805a18796a121e47c73d37d68e735c9334e11b393235ae75b803cbc03cf7cf8480683bc68c9b98fba9f5a7b045b650598e5d9367ab58a24e75f1

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\sr.pak

MD5 5c811e0c9b775886bc11b46703cb67a0
SHA1 e9a777cc72263c7e7c4bfaa36e41b29e405a2a18
SHA256 4c524e149c02c37034ec92dd90f20f463413f2650ac9f32d52ef7260f9a34f1b
SHA512 d7db44fbfff3e3204b92aff44dc02c184344853d85fd79cd962bcad8efe85a13d1aaf9ed69a6e81fcc6e690afa4b1ba7cf1764225916f398c0f960d56e5bc57c

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\sv.pak

MD5 b75471d16a5b4cfbb43ea86d3077e63a
SHA1 302958743c97218d13a72ade3a22e4181922531f
SHA256 ec0f43dae8e52169396f289dfeb5d49b7f9258bafb0ed3060dd652fa744e5264
SHA512 63556f738df1527ad96cca95f3e37934b054df83cfacd4e120745ceeb0536d4bc1919c66acff3e5253a62824c032ae7e8f9496df13b9ccb6fe00f67920a63cb1

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\ta.pak

MD5 22949a4acb6639bc4fea591bde3f6cec
SHA1 672163723e294a5242e9654470e1efbb3e8aa0a4
SHA256 84776412fd7f2cff26713781be937bdb30352f9c7eb297ca811241e6cf4284d3
SHA512 5e3ee2d29eabfc4398b0f9784064eb03b3c3e13c59f4fb1b857c612727eebe1a4a1bcd76503b1356cf4b4d407431a643503d9068f61f1ed05041f3aad325262e

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\sw.pak

MD5 912db9e797ea3e277f18e72173f26ad5
SHA1 a83461503becad16ea0d33fd5501603688a65ed5
SHA256 89d1245c645cc26d67ac0f556734ebeb99b436cf19edd3cb3b220e78a87796e0
SHA512 b5c334b528ba6d26dde9b4b1100c01bd1675cfcc7167a9bab4d9fb95584ae629e9567ab3a4729776fbee22ca927d42e04fa016cf3f9fe510edfdc340309110ca

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\th.pak

MD5 77721a07831a7aef49934706398559cc
SHA1 240ac6e472ac7312f02b99a8d588813d3dfeb468
SHA256 e8cdabe4557192a6ad7040de396d807f96f50d6ef256dd04972211b9c898bc1d
SHA512 f73be17166c7a94c216d13d837146c3c72a5e205688479ce8199c8cf468eb1bf780f2569d42e908684f0059e6ded370428d9b123389ad2cf1553a0aecd1ef06f

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\te.pak

MD5 f0a8ccf00882e83751fd666876c937bd
SHA1 6fd5045a20bdb912f61dd38f4d046b333bfb03c9
SHA256 65ce3f1fe059a8d8b67cd47485233c6ab3870cfbb313241fe0f24e948bb0f158
SHA512 8ea9f2215ac8354378aff1717ef6f1ba97ba8bcc1c660290d8a070c9a7cb9b0e1a87b8e37e68cd71d7bd429adba8b17c6cda68508b7389e42841fbe2f9c79528

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\tr.pak

MD5 41bc209ee64f56f04836fca3e2de362d
SHA1 c019805b555d4c24c347112a583ac9f9bf2ef142
SHA256 71356710c485d7db228a866789ce9d253276725d94a4e4622e7b82037beb9825
SHA512 a65c4f9147c5796567e61b0661b4766c199f156541a252ec442fe5b5e3e1156c80e8fc7cfb6d9e55db4c5f60732b55cfa74a65e7dc46fbd5a4e5dfc8f3891add

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\vi.pak

MD5 e6db9a8c61dc84aff75efc00b486a8d1
SHA1 6d1f0329f9a44b64fa3474313c7bf207bfd78557
SHA256 8ff2d05730915c1b15a97a3915c03d83239c34771ed661ccac745fb308901f14
SHA512 89cf188b5d21528166353b29986f5afb9aad9a51a57864951f7945124b157e0129125caeed58c70568e38f7ba3a34a17d10056902b58ba48ee2e4e10a4649f75

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\ur.pak

MD5 157117641502b63c89110363dc7083b2
SHA1 fc86039a03b2e48fafc70e1cadc096fd46389af2
SHA256 fb7cd2f4beeceaf445f4d299a3db26cce49a7950a37e5a9b48fae7f5a8e09f99
SHA512 422d92c5f0b2b2f9f35dbb7c11cd1b463085201912948c61222bb4f43f8dfd777fce678f04371df53ab6d07ec14cfbc9e4b1b084a72a0f2aa80ca7a4728e6359

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\uk.pak

MD5 7e2cbb9d3591278a76dd08364d3dad4d
SHA1 a760a029070bfe57d4ef273b705650cef0a92f61
SHA256 38616b5f7f939a84d5205e758a8d3fed024a8e3fbcc8159c90666ce650ae1d30
SHA512 81e5ebada5990d79363e2583efdd3ccb19d8a10291cf6680d77d7c399816fe273a4fea5a7cb5e55e11f445df46a7ccad2942dc04f4fb8b6f66d2f2b151374de2

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\zh-CN.pak

MD5 5356bf9ddeb7ffad20e27ef092dac528
SHA1 3514ded7211ff71297c87275ef0805588da2d47d
SHA256 0b6f0a9ded5734b260c1c02d7c717305d139bded5ec7ea80de40b641f13bfe0a
SHA512 887be5ed95b40d73e0f61f4b3e85f8a77d4bf4a222197b9d1c60711ae8481efbf9c183ba902dcbf437fdf70381bd232fe9c27cf0ce87c0f45b283b75b6d19962

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\zh-TW.pak

MD5 9c51b828271263d574382077abd2e2f3
SHA1 4de07caed06477855e4f4bba1d0d1178c5757171
SHA256 21550464b12c7f9b23380acf7ca2b42c1b578581613c342196da95908f14c8af
SHA512 0e6921dbc4be8d5d98bf80e9b0f8c7fc31cb4e7553ca76b9c697a3f1428f855e59ee0dee99903a5215dddee9375532226af81128f066656d98db28a8d9738604

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\resources\app.asar

MD5 3b2869f88147288c90b1155d46f2d04d
SHA1 faa43a7df73900a5149170693719713f702f24f3
SHA256 8c800406762bcfc40932a5f55c99f5cf90af8eadf09283c06059c1c68552d9e8
SHA512 7b8b405342b10b5989966b40de5098a67a90f2380c37d457793ebedf677a27ef1bd5789446e9f695dbe6500ae7794791d4a9c144b7488ae32d9f635e0a1096f1

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\resources\elevate.exe

MD5 792b92c8ad13c46f27c7ced0810694df
SHA1 d8d449b92de20a57df722df46435ba4553ecc802
SHA256 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37
SHA512 6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\resources\app.asar.unpacked\node_modules\@img\sharp-win32-x64\versions.json

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\resources\app.asar.unpacked\node_modules\@img\sharp-win32-x64\package.json

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\resources\app.asar.unpacked\node_modules\@img\sharp-win32-x64\LICENSE

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\LICENSE

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\resources\app.asar.unpacked\node_modules\@img\sharp-win32-x64\lib\sharp-win32-x64.node

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\resources\app.asar.unpacked\node_modules\@img\sharp-win32-x64\lib\libvips-cpp.dll

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\resources\app.asar.unpacked\node_modules\@img\sharp-win32-x64\lib\libvips-42.dll

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\deps\extract.js

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\deps\common-sqlite.gypi

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\package.json

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\deps\sqlite3.gyp

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\deps\sqlite-autoconf-3410100.tar.gz

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\lib\trace.js

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\lib\sqlite3.js

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\lib\sqlite3-binding.js

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\lib\binding\napi-v6-win32-unknown-x64\node_sqlite3.node

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\src\backup.h

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\src\async.h

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\src\macros.h

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\src\gcc-preinclude.h

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\src\threading.h

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\src\statement.h

C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\src\database.h

\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\WinShell.dll

memory/848-728-0x0000000002B10000-0x0000000002B12000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-11-13 11:29

Reported

2024-11-13 11:32

Platform

win10v2004-20241007-en

Max time kernel

59s

Max time network

74s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3dcompiler_47.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3dcompiler_47.dll,#1

Network


Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-11-13 11:29

Reported

2024-11-13 11:32

Platform

win10v2004-20241007-en

Max time kernel

38s

Max time network

40s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\sqlite-autoconf-3410100\Replace.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\sqlite-autoconf-3410100\Replace.js

Network


Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-11-13 11:29

Reported

2024-11-13 11:32

Platform

win10v2004-20241007-en

Max time kernel

59s

Max time network

79s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\@img\sharp-win32-x64\lib\libvips-42.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\@img\sharp-win32-x64\lib\libvips-42.dll,#1

Network


Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-11-13 11:29

Reported

2024-11-13 11:32

Platform

win10v2004-20241007-en

Max time kernel

58s

Max time network

66s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\@img\sharp-win32-x64\lib\libvips-cpp.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\@img\sharp-win32-x64\lib\libvips-cpp.dll,#1

Network


Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-11-13 11:29

Reported

2024-11-13 11:32

Platform

win10v2004-20241007-en

Max time kernel

59s

Max time network

71s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\@img\sharp-win32-x64\lib\sharp-win32-x64.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\@img\sharp-win32-x64\lib\sharp-win32-x64.dll,#1

Network


Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-11-13 11:29

Reported

2024-11-13 11:32

Platform

debian9-mipsel-20240611-en

Max time kernel

0s

Command Line

[/tmp/sqlite-autoconf-3410100/Makefile.fallback]

Signatures

N/A

Processes

/tmp/sqlite-autoconf-3410100/Makefile.fallback

[/tmp/sqlite-autoconf-3410100/Makefile.fallback]

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-11-13 11:29

Reported

2024-11-13 11:32

Platform

win7-20240903-en

Max time kernel

20s

Max time network

20s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 220

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-11-13 11:29

Reported

2024-11-13 11:32

Platform

win7-20240903-en

Max time kernel

31s

Max time network

19s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CF461531-A1B2-11EF-B945-527E38F5B48B} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c09f51a4bf35db01 C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2260 CREDAT:275457 /prefetch:2

Network

Files

C:\Users\Admin\AppData\Local\Temp\Cab348B.tmp

C:\Users\Admin\AppData\Local\Temp\Tar34EC.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Analysis: behavioral21

Detonation Overview

Submitted

2024-11-13 11:29

Reported

2024-11-13 11:32

Platform

win7-20241023-en

Max time kernel

7s

Max time network

21s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\@img\sharp-win32-x64\lib\sharp-win32-x64.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\@img\sharp-win32-x64\lib\sharp-win32-x64.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-13 11:29

Reported

2024-11-13 11:32

Platform

win7-20240708-en

Max time kernel

21s

Max time network

16s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SpiderBanner.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2200 wrote to memory of 1796 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SpiderBanner.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SpiderBanner.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-11-13 11:29

Reported

2024-11-13 11:32

Platform

win10v2004-20241007-en

Max time kernel

59s

Max time network

72s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1

Network


Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-11-13 11:29

Reported

2024-11-13 11:32

Platform

win7-20241010-en

Max time kernel

7s

Max time network

20s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\@img\sharp-win32-x64\lib\libvips-42.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\@img\sharp-win32-x64\lib\libvips-42.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-13 11:29

Reported

2024-11-13 11:32

Platform

win7-20240708-en

Max time kernel

14s

Max time network

17s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 220

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-13 11:29

Reported

2024-11-13 11:32

Platform

win10v2004-20241007-en

Max time kernel

33s

Max time network

38s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2764 wrote to memory of 4520 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4520 -ip 4520

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 628

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-11-13 11:29

Reported

2024-11-13 11:32

Platform

win10v2004-20241007-en

Max time kernel

59s

Max time network

67s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-11-13 11:29

Reported

2024-11-13 11:32

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

0s

Max time network

60s

Command Line

[/tmp/sqlite-autoconf-3410100/Makefile.fallback]

Signatures

N/A

Processes

/tmp/sqlite-autoconf-3410100/Makefile.fallback

[/tmp/sqlite-autoconf-3410100/Makefile.fallback]

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-11-13 11:29

Reported

2024-11-13 11:32

Platform

win10v2004-20241007-en

Max time kernel

60s

Max time network

74s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\sqlite3\lib\binding\napi-v6-win32-unknown-x64\node_sqlite3.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\sqlite3\lib\binding\napi-v6-win32-unknown-x64\node_sqlite3.dll,#1

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-13 11:29

Reported

2024-11-13 11:32

Platform

win10v2004-20241007-en

Max time kernel

31s

Max time network

44s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SpiderBanner.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4248 wrote to memory of 1984 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SpiderBanner.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SpiderBanner.dll,#1

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-11-13 11:29

Reported

2024-11-13 11:32

Platform

win10v2004-20241007-en

Max time kernel

59s

Max time network

68s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-11-13 11:29

Reported

2024-11-13 11:32

Platform

debian9-armhf-20240611-en

Max time kernel

0s

Command Line

[/tmp/sqlite-autoconf-3410100/Makefile.fallback]

Signatures

N/A

Processes

/tmp/sqlite-autoconf-3410100/Makefile.fallback

[/tmp/sqlite-autoconf-3410100/Makefile.fallback]

Network

N/A

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-11-13 11:29

Reported

2024-11-13 11:32

Platform

win7-20240903-en

Max time kernel

15s

Max time network

21s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\sqlite-autoconf-3410100\Replace.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\sqlite-autoconf-3410100\Replace.js

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 11:29

Reported

2024-11-13 11:32

Platform

win10v2004-20241007-en

Max time kernel

61s

Max time network

72s

Command Line

"C:\Users\Admin\AppData\Local\Temp\roarkaot Setup 1.0.0.exe"

Signatures

Clipboard Data

collection
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks installed software on the system

discovery

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\find.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\roarkaot Setup 1.0.0.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\roarkaot Setup 1.0.0.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\roarkaot Setup 1.0.0.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\roarkaot\roarkaot.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\roarkaot\roarkaot.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3280 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\roarkaot Setup 1.0.0.exe C:\Windows\SysWOW64\cmd.exe
PID 4988 wrote to memory of 2780 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4988 wrote to memory of 2524 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe
PID 2144 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Programs\roarkaot\roarkaot.exe C:\Users\Admin\AppData\Local\Programs\roarkaot\roarkaot.exe
PID 2144 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Programs\roarkaot\roarkaot.exe C:\Users\Admin\AppData\Local\Programs\roarkaot\roarkaot.exe
PID 2144 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Programs\roarkaot\roarkaot.exe C:\Windows\system32\cmd.exe
PID 1608 wrote to memory of 2776 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2144 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Programs\roarkaot\roarkaot.exe C:\Windows\system32\cmd.exe
PID 2804 wrote to memory of 2684 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2144 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Programs\roarkaot\roarkaot.exe C:\Windows\system32\cmd.exe
PID 3088 wrote to memory of 5040 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2144 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Programs\roarkaot\roarkaot.exe C:\Windows\system32\cmd.exe
PID 1328 wrote to memory of 3628 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2144 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Programs\roarkaot\roarkaot.exe C:\Windows\system32\cmd.exe
PID 2976 wrote to memory of 2844 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2144 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Programs\roarkaot\roarkaot.exe C:\Windows\system32\cmd.exe
PID 4992 wrote to memory of 2464 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\roarkaot Setup 1.0.0.exe

"C:\Users\Admin\AppData\Local\Temp\roarkaot Setup 1.0.0.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq roarkaot.exe" /FO csv | "C:\Windows\system32\find.exe" "roarkaot.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist /FI "USERNAME eq Admin" /FI "IMAGENAME eq roarkaot.exe" /FO csv

C:\Windows\SysWOW64\find.exe

"C:\Windows\system32\find.exe" "roarkaot.exe"

C:\Users\Admin\AppData\Local\Programs\roarkaot\roarkaot.exe

"C:\Users\Admin\AppData\Local\Programs\roarkaot\roarkaot.exe"

C:\Users\Admin\AppData\Local\Programs\roarkaot\roarkaot.exe

"C:\Users\Admin\AppData\Local\Programs\roarkaot\roarkaot.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\roarkaot" --gpu-preferences=UAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1924,i,14121230345587530905,12327169903163478761,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1916 /prefetch:2

C:\Users\Admin\AppData\Local\Programs\roarkaot\roarkaot.exe

"C:\Users\Admin\AppData\Local\Programs\roarkaot\roarkaot.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\roarkaot" --field-trial-handle=2156,i,14121230345587530905,12327169903163478761,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2152 /prefetch:3

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -command "Get-Clipboard""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Get-Clipboard"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -command "Get-Clipboard""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Get-Clipboard"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -command "Get-Clipboard""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Get-Clipboard"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -command "Get-Clipboard""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Get-Clipboard"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -command "Get-Clipboard""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Get-Clipboard"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -command "Get-Clipboard""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Get-Clipboard"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -command "Get-Clipboard""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Get-Clipboard"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -command "Get-Clipboard""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Get-Clipboard"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -command "Get-Clipboard""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Get-Clipboard"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -command "Get-Clipboard""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Get-Clipboard"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -command "Get-Clipboard""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Get-Clipboard"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -command "Get-Clipboard""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Get-Clipboard"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -command "Get-Clipboard""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Get-Clipboard"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -command "Get-Clipboard""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Get-Clipboard"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -command "Get-Clipboard""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Get-Clipboard"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -command "Get-Clipboard""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Get-Clipboard"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -command "Get-Clipboard""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Get-Clipboard"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -command "Get-Clipboard""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Get-Clipboard"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -command "Get-Clipboard""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Get-Clipboard"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -command "Get-Clipboard""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Get-Clipboard"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -command "Get-Clipboard""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Get-Clipboard"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -command "Get-Clipboard""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Get-Clipboard"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -command "Get-Clipboard""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Get-Clipboard"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -command "Get-Clipboard""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Get-Clipboard"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -command "Get-Clipboard""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Get-Clipboard"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -command "Get-Clipboard""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Get-Clipboard"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -command "Get-Clipboard""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Get-Clipboard"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -command "Get-Clipboard""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Get-Clipboard"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -command "Get-Clipboard""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Get-Clipboard"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 71.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 high.2i1dyj2.mongodb.net udp
US 8.8.8.8:53 ac-g911k07-shard-00-01.2i1dyj2.mongodb.net udp
US 8.8.8.8:53 ac-g911k07-shard-00-02.2i1dyj2.mongodb.net udp
US 8.8.8.8:53 ac-g911k07-shard-00-00.2i1dyj2.mongodb.net udp
BH 15.185.170.155:27017 ac-g911k07-shard-00-02.2i1dyj2.mongodb.net tcp
BH 157.241.30.188:27017 ac-g911k07-shard-00-01.2i1dyj2.mongodb.net tcp
BH 15.184.66.59:27017 ac-g911k07-shard-00-00.2i1dyj2.mongodb.net tcp
US 8.8.8.8:53 155.170.185.15.in-addr.arpa udp
US 8.8.8.8:53 188.30.241.157.in-addr.arpa udp
US 8.8.8.8:53 59.66.184.15.in-addr.arpa udp
BH 15.185.170.155:27017 ac-g911k07-shard-00-02.2i1dyj2.mongodb.net tcp
BH 15.185.170.155:27017 ac-g911k07-shard-00-02.2i1dyj2.mongodb.net tcp
BH 157.241.30.188:27017 ac-g911k07-shard-00-01.2i1dyj2.mongodb.net tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
BH 15.184.66.59:27017 ac-g911k07-shard-00-00.2i1dyj2.mongodb.net tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\System.dll

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\StdUtils.dll

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\SpiderBanner.dll

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\nsExec.dll

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\nsis7z.dll

C:\Users\Admin\AppData\Local\Programs\roarkaot\chrome_100_percent.pak

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\chrome_200_percent.pak

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\ffmpeg.dll

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\d3dcompiler_47.dll

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\libEGL.dll

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\icudtl.dat

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\libGLESv2.dll

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\LICENSE.electron.txt

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\LICENSES.chromium.html

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\resources.pak

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\snapshot_blob.bin

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\vk_swiftshader_icd.json

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\vk_swiftshader.dll

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\v8_context_snapshot.bin

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\vulkan-1.dll

C:\Users\Admin\AppData\Local\Programs\roarkaot\locales\af.pak

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\am.pak

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\bg.pak

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\cs.pak

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\el.pak

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\en-US.pak

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\en-GB.pak

C:\Users\Admin\AppData\Local\Programs\roarkaot\locales\de.pak

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\fa.pak

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\hi.pak

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\he.pak

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\gu.pak

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\fr.pak

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\fil.pak

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\fi.pak

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\et.pak

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\es.pak

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\es-419.pak

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\da.pak

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\ca.pak

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\bn.pak

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\ar.pak

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\id.pak

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\ja.pak

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\it.pak

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\hu.pak

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\hr.pak

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\ro.pak

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\zh-TW.pak

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\zh-CN.pak

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\vi.pak

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\ur.pak

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\uk.pak

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\th.pak

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\te.pak

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\ta.pak

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\sw.pak

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\sv.pak

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\sr.pak

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\sl.pak

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\sk.pak

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\ru.pak

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\tr.pak

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\pt-PT.pak

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\pt-BR.pak

MD5 0711b3f59ac95761899b013b3b242c93
SHA1 73fe7a4f60a6b92a966f1177c71bf85c6f95004f
SHA256 be445bfcd9429570e5006063b1c8299a41e762e8e0c2b63551bcf16cb6fb868b
SHA512 aad5ff84d1833db418a46961a5e3abd040e19e5a87bd6763039f8db7dda19c3cd9d7ea862585080636c2888ab1a50f2ba579cbc0ca0df8135537f1cc7543882b

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\pl.pak

MD5 4003c253ef85ec0ff8a65204955994b0
SHA1 af3074fb622445f6429899cb33a33bbcc60e5e5a
SHA256 4db10dace60cc56b610a7f92caebf4e7e98ddcaf8dac4f5a87db8f750f51ef8e
SHA512 5624c8f6268c8a8dbf1a69a032ebb89e670685cb736a3cb42a65e2dca118a85e076818b58ba2e392991eff7921495167616107f402c841a8456b5b5888b70ca1

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\nl.pak

MD5 d7048d029ab3ff807dff790113328574
SHA1 07872f608062aa482532edda0dd2e1de31669380
SHA256 0e9c114529b9ec20118bb96ffeea05d1a408e4eb621e3fc65f49353195d1af96
SHA512 050b0eacf5b4da024d1a2af54f3511c4671756b0dab3f961d8acee5d1695eb29fba7768246dd5b3bcc253136df97e49a305832c37943380dc337776cb1fb1549

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\nb.pak

MD5 cf18f58e8e4e37b2e5fa7ef8269a294f
SHA1 c60d6e84f5cfe4cadbf4efed9b5998307b20fb9f
SHA256 3f1ed8ff0207c678b6a0a98e82fefd6340e35b7d16689672dfa90d9ee63921c6
SHA512 8f336fc50943d693ee80475250d2dbfc1401c615da571115f2c02551959028125b91ea6ffe22171dd12241688703e1869402146ef4e85a46059fe022759da953

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\resources\elevate.exe

MD5 792b92c8ad13c46f27c7ced0810694df
SHA1 d8d449b92de20a57df722df46435ba4553ecc802
SHA256 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37
SHA512 6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\resources\app.asar

MD5 3b2869f88147288c90b1155d46f2d04d
SHA1 faa43a7df73900a5149170693719713f702f24f3
SHA256 8c800406762bcfc40932a5f55c99f5cf90af8eadf09283c06059c1c68552d9e8
SHA512 7b8b405342b10b5989966b40de5098a67a90f2380c37d457793ebedf677a27ef1bd5789446e9f695dbe6500ae7794791d4a9c144b7488ae32d9f635e0a1096f1

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\ms.pak

MD5 06f24bba6fa8e9a009b3062227d4c259
SHA1 f50b0da2a86a138d16022f5642d96ff1a3ce7568
SHA256 cdfcbd86ddf584621bb2966c2d43f18096f974edb795cac0d1db43a60f3bc24c
SHA512 02239741f103c8b63072abab475ac313cb48612cac36890b7946fd816028fcba9be7ecc17ba5b934016d8817c52855ef208bffe5191d0eed35aa5243527e2150

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\mr.pak

MD5 af7c7d72a968e1936f26a3c755157f6b
SHA1 2ec71950847f5fb4b85697b6acd05224c28bb092
SHA256 e5702b9578435abbbcc922f1d4ff8c5a345856926c2174c329e228987c3ac7d5
SHA512 d265eeee96adafc3ced76901c9263bc1cb349caf925a02d5deb010c02843fb653a17e1e8a4e942c9912f654316c4a7a1776e6a7eda56ab82ae9d4d077a58a929

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\resources\app.asar.unpacked\node_modules\@img\sharp-win32-x64\versions.json

MD5 71b6f79d28fe95b4e63bbc509ef50f42
SHA1 c44a2b2fd2ccacfead347a4f47bc150356118979
SHA256 2c9ea5e852f8339c7ba4c6577cf6216a29d9c45f7c7ebe46bc0eb4f9750574f9
SHA512 6bb14d063fe0ad6e2419b07f8852dca298db6c253b701c8995506b16ff946ba6ce7d136ce7744b92d544169488ec3a3ed110d2347c0c82e2413f7ec222b38af0

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\resources\app.asar.unpacked\node_modules\@img\sharp-win32-x64\package.json

MD5 8a6d6bc233909ba6af13ac6a3ff3a0cc
SHA1 aa13757b831c934f625f8858dc4dd643a08c67ff
SHA256 778a81af264b8dd8cc2c593016d07d88da00acf6468732c8b4b55abbfb8e682b
SHA512 8dd5471acac5921d9e08b2b937fe1bb09ef49f0a885ea3ff7369127476bf04065a977e2fbe7a26e52fb0ac87eaed4268e782fb6a3aa393200de519c9257c446c

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\resources\app.asar.unpacked\node_modules\@img\sharp-win32-x64\LICENSE

MD5 19cbd64715b51267a47bf3750cc6a8a5
SHA1 172ca3bbafe312a1cf09cfff26953db2f425c28e
SHA256 73ba74dfaa520b49a401b5d21459a8523a146f3b7518a833eea5efa85130bf68
SHA512 f32944d2f94b018f42e0138eb9a1b7df3145beb1c7215e3c0e091bb07a083e3c23c379d47881da00a51e244d9c3708119aefd1658c988c1487923c7ba932c246

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\ml.pak

MD5 265d7fbee9a021895d51209dc0181f90
SHA1 30e37013971bacd3ee93ad2fca01cb59a26d6a87
SHA256 682463d4a0221711e565ecf409893536d727650efd2ed0563c722cceab66b1ad
SHA512 028e1ad499b20ff7cda822b91f9b8d1cbb1efe108b7236d817b73a6f8e518b5f4a8ae77d653ae5c9d799842eaee3915250ef56f634f847fc5fc8a3b36eea176c

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\lv.pak

MD5 df9985ecfc958f343ab7e56e71149d71
SHA1 fc0d2c4a194d500a1f4cfafcd9102186016ba5a3
SHA256 7e17246e23ca2d0241d56d91b5d5e6bfb3ff4e08f1a3734f9d032b4191282fa2
SHA512 0dd65eed7a5bccee0ac5e2826f0cceed848dff0d0d41904e00d35cec9d96fc0b91a4eb54fbcf0bbba61f89848562a606f9f7aa827cb180abe7e97a2e77a29309

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\lt.pak

MD5 b02bf54687716b5d5f18aee02411a980
SHA1 4cf766077382c49fb89d59d861de0f482f989798
SHA256 0b0e3fcb82ddca52f9eb1ff9e1ee224639ff81f1c0af6ded4e21944811babc0b
SHA512 aea879ac96a5719e8988011a7b82726bf51a24e170e260182146191f43914cd50991928d2283277d173ad650f7cfb1246fad9445260e9ca0769052079d431f25

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\ko.pak

MD5 626e172ad9b55ba0a1e2802ce5e10d0d
SHA1 ecd855a47448609e8e9d7bdd80f92edd494ca77c
SHA256 7111342770c33aaaffdd6fd9ef15095a6d89e48d2468c19172c0eb9b6f26ebdf
SHA512 d42594259929e35b763e71cb7022d34a11bf75a4b9bb058e251cbbe8e80bccdfb284eed1c6367f98e3023134c24d50542c64673d80e29230fdd057de70a10d5c

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\kn.pak

MD5 f4c1e83eabd580c0b4c63b2dc510ce6a
SHA1 fc1d9fed0f073504b022606e424e7cc9796648b2
SHA256 79fd72e764a1d8ad623892e563e174463f29d6ce61a2ae29af102d71da4b8e25
SHA512 927e6ff4c7d1c28c89afdf44c62643740a94b01e9f6e927e543834c833e1b4abf97de1489c6717f9054243c180474fc695a70c4ea8852d95c690f38c785705e1

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\resources\app.asar.unpacked\node_modules\@img\sharp-win32-x64\lib\libvips-cpp.dll

MD5 86bf2c651e8cd92b2fe72717c1603a5d
SHA1 f4986ed8279083237906307346596833eac1e713
SHA256 f7b1d8dc48b836ce4a2bd1d50321625bd920245bf0fa4344db885fd45388f7b2
SHA512 38ca4fc5bbbebab6cc8c065db2c799a948887291f84283c5fe094a2e72d39c37cda23a866110969b7e4b5351e7f64c258ee9b8ed7d1ba9660ecdce00654a4644

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\package.json

MD5 f9560f0fb25f1dc014682359373146c4
SHA1 b19c6321292cc63d26a18bef5d80787c5e57e746
SHA256 b145c00c63dde4da0eb3736b0d25fe79fa252a02daa9c3fdbb2d3a5783e98cf6
SHA512 dd51dcca43554f27b2718f87661cdfc86e6a51b36c15574870d793fa358f76816423c0ebcef34dd9a7fd7ce42e6be18f834100a327cdb3e6eb8dbd9d65792262

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\deps\common-sqlite.gypi

MD5 92c4c5168a6a883f2a69ea4a1a37b7b5
SHA1 6dedc03d603631c1f70c626f5ef9d8ee6f342efa
SHA256 7b557c097c162c9ba04985ab822f92a176bf848c34ca38e54f061057ad0d8bd0
SHA512 904e605fe5bf1134031edcadc91ed55bf72d7fb1c862f99f25a672d29fdb34af22d4114cae389a853d703bc35bfc2c8429f86608fed5eec897c115ac3dea8de5

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\LICENSE

MD5 79558839a9db3e807e4ae6f8cd100c1c
SHA1 ae3dbcee04c86fbc589fcf2547d4aaaeb41db3c2
SHA256 7686f81e580cd6774f609a2d8a41b2cebdf79bc30e6b46c3efff5a656158981c
SHA512 b42c93f2b097afa6e09d79ed045b4dd293df2c29d91dda5dda04084d3329b721a6aa92a6ad6714564386a7928e9af9195ac310deecd37a93bb04b6a6f744be46

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\resources\app.asar.unpacked\node_modules\@img\sharp-win32-x64\lib\sharp-win32-x64.node

MD5 1b516fab2c5e25b0bf6bf3bf3a885525
SHA1 3c1bd2ddfaad46775ee6df5ff07badbc510d1c10
SHA256 fe184de118aa33421af89c43c93131a3a80027413e98b466ca56cb773c617e92
SHA512 dd5977b073dc3c6f05c7ef2506b7f4dac2410a1c729e4b7b42c4c5c31b1fa3776d2a1592139966c63424ef33ca685e50400617775a162277a9407b8ed97521f2

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\resources\app.asar.unpacked\node_modules\@img\sharp-win32-x64\lib\libvips-42.dll

MD5 387b5dbed94e434a6723e38203a7d2c3
SHA1 afdc7eb5d080e2752dc63bbd3f92d056579a2827
SHA256 92076cb17f3b11bb864dd103b4d8f5fb7580fc63c13a417b58f51dfa50ac7751
SHA512 241a92d2be10668dd7e50945f2852a75e2fd51131604996c4567b316ed9bf0d77af6e3cacdaae40bd0c9c7dc61b5d8d5e7cd7f2aecd507c4a9fd2fa19973832f

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\deps\extract.js

MD5 f0a82a6a6043bf87899114337c67df6c
SHA1 a906c146eb0a359742ff85c1d96a095bd0dd95fd
SHA256 5be353d29c0fabea29cfd34448c196da9506009c0b20fde55e01d4191941dd74
SHA512 d26879f890226808d9bd2644c5ca85cc339760e86b330212505706e5749464fafad1cb5f018c59a8f034d68d327cd3fa5234ceac0677de1ac9ae09039f574240

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\deps\sqlite-autoconf-3410100.tar.gz

MD5 c6d5034cf39232299ccfdf8e3ddc5781
SHA1 e77599a2df4c5b114c942ddba4483550d8982bf2
SHA256 4dadfbeab9f8e16c695d4fbbc51c16b2f77fb97ff4c1c3d139919dfc038c9e33
SHA512 6e6dafc35b8b11df3cd3bea48aaf84a102893242cffbe18eb7b111791563095111a2a8a5632636b8f46523d98d16e2b48dab79ee6707a141b22c2e6fde3002a2

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\deps\sqlite3.gyp

MD5 0e4d1d898d697ec33a9ad8a27f0483bf
SHA1 1505f707a17f35723cd268744c189d8df47bb3a3
SHA256 8793f62b1133892ba376d18a15f552ef12b1e016f7e5df32ffb7279b760c11bd
SHA512 c530aba70e5555a27d547562d8b826b186540068af9b4ccd01483ec39f083a991ac11d0cc66f40acaa8b03d774080f227ee705a38995f356a14abe6e5f97b545

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\lib\sqlite3-binding.js

MD5 ff6a0462767c6bf185a566f4aef65ba5
SHA1 7a3c3ee6748d00fac6e51e366518bb48a41794bb
SHA256 049b7b1b10417274be6c3e6a9518ac364729354435298d70abf834c35e8f3bf3
SHA512 088d706f5a18323128547b0f126564fb7fa7a36dc8365ee8287663b2cb63da2d02a991bc5cda19af24da2aa063357c25f21347835f9a8aaef341b33bd21127df

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\lib\sqlite3.js

MD5 275019a4199a84cfd18abd0f1ae497aa
SHA1 8601683f9b6206e525e4a087a7cca40d07828fd8
SHA256 8d6b400ae7f69a80d0cdd37a968d7b9a913661fa53475e5b8de49dda21684973
SHA512 6422249ccd710973f15d1242a8156d98fa8bdea820012df669e5363c50c5d8492d21ffefcdfa05b46c3c18033dde30f03349e880a4943feda8d1ee3c00f952b0

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\lib\trace.js

MD5 e5c2de3c74bc66d4906bb34591859a5f
SHA1 37ec527d9798d43898108080506126b4146334e7
SHA256 d06caec6136120c6fb7ee3681b1ca949e8b634e747ea8d3080c90f35aeb7728f
SHA512 e250e53dae618929cbf3cb2f1084a105d3a78bdfb6bb29e290f63a1fd5fbb5b2fab934ad16bc285e245d749a90c84bdc72fdc1a77af912b7356c18b0b197fbe5

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\lib\binding\napi-v6-win32-unknown-x64\node_sqlite3.node

MD5 3072b68e3c226aff39e6782d025f25a8
SHA1 cf559196d74fa490ac8ce192db222c9f5c5a006a
SHA256 7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01
SHA512 61ebc72c20195e99244d95af1ab44fa06201a1aee2b5da04490fdc4312e8324a40b0e15a7b42fab5179753d767c1d08ae1a7a56ac71a6e100e63f83db849ee61

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\src\database.h

MD5 f023c6c0baf0411cb6eef0a7b2baad13
SHA1 748b78bf3ed5adc11e83f705033d8338d7eef2b5
SHA256 8c5bcd084dddab2f2994b6cddc9b69a8f78a1034588b765e7bd859f27868fe43
SHA512 08648cb37c0284799bb98fa2eb1abb508c8b992b43425203839e1e7f4092b7d2d7c83f6419417281ae278d3d61ade0b65959cf12f0c449a9688ee97749593dad

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\src\backup.h

MD5 283f3987e0e65dca1b029bdbb625ccc2
SHA1 285d7995459c11a47e13834ae3ec0167eacf7d01
SHA256 d3956cdbb650e1ecff8c94fe4e8645f80e10088156d409703c19f186a9c41aa8
SHA512 ff5c21bd53bf75b33a5430d1abdc8a8649af1535ec02aa5fceb91ed1189e44f0818e25556946d3ad8032b077fa30e73503464aff219b42cbace1ea3f97acb605

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\src\async.h

MD5 7fcbaffdc03bb5164fbb27f8552dcf5d
SHA1 590e3430c1dfa30f241d56ea01f364d5b9e7e991
SHA256 b6e86bf43d74c8ee2c2f57eb1947be6ce5d8c258c4866609571ed6c97b58b53c
SHA512 e44d4850651e0e070d3f686db3d3797632121e32dc65b869739c0b45cfa13c055fc42d650f04c41915264b8772fcfeb2a38148b9fbe21a001af5a455854336b5

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\src\macros.h

MD5 592ca8ac280135c059c9ed651ac738c3
SHA1 ac8e8b5e835ea2810a443df2a57f3bdc3c60b2c6
SHA256 8d1afb5d27eab8302de08aca87eb6edc1b99ae963a854d3bd652a4fc61cbe3c6
SHA512 b4e317200e3cab4dfac93e684150d21f7dd89a656f8a9f576b9cfb22090e8db6c458008a4a1406121fabdac034cfb80200a740d0caf6ec63fbf71ad2fde41029

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\src\gcc-preinclude.h

MD5 55a9165c6720727b6ec6cb815b026deb
SHA1 e737e117bdefa5838834f342d2c51e8009011008
SHA256 9d4264bb1dcbef8d927bb3a1809a01b0b89d726c217cee99ea9ccfdc7d456b6f
SHA512 79ed80377bfb576f695f271ed5200bb975f2546110267d264f0ab917f56c26abf6d3385878285fe3e378b254af99b59bdb8bbcab7427788c90a0460eb2ee5b77

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\src\threading.h

MD5 f2a075d3101c2bf109d94f8c65b4ecb5
SHA1 d48294aec0b7aeb03cf5d56a9912e704b9e90bf6
SHA256 e0ab4f798bccb877548b0ab0f3d98c051b36cde240fdf424c70ace7daf0ffd36
SHA512 d95b5fda6cb93874fe577439f7bd16b10eae37b70c45ae2bd914790c1e3ba70dfb6bda7be79d196f2c40837d98f1005c3ed209cab9ba346ada9ce2ed62a87f13

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\src\statement.h

MD5 13d7bf3557e57ef3036bad68cfa8faae
SHA1 94c1af952f38e9f1ad2d722ec3a063fbe666e66b
SHA256 2c99d9cef21876db64b610dd9baba8de1f7c94028d6d1c463eb3db213745b3bf
SHA512 63e4543833d602b0c6ad9c21438e61782c252a5e30b776a9c942e1ecc34c1a7c471a39195caa20aefb072add66c83d99af902d620857d18ddad196f4f207a161

C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\WinShell.dll

MD5 1cc7c37b7e0c8cd8bf04b6cc283e1e56
SHA1 0b9519763be6625bd5abce175dcc59c96d100d4c
SHA256 9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6
SHA512 7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

C:\Users\Admin\AppData\Local\Temp\e63441cd-52f5-4eec-9ba7-c57ab035553c.tmp.node

MD5 53b6a7be03e007f075621a6369eb4c37
SHA1 36028d914196e852623cfe9f133c75483ce65897
SHA256 06980ae4b6f32420f58eca7737c27532b345b058eb6aa8579acc3fcbe46fceec
SHA512 37f39c7dd0f591c0d2e2e0b924e64f3bdc7d56367e4c2a3cb37e688e57c9337eb9036bea3af2a0e40f685c5931d589bfcebeae23fb39707a8d2781d30ad9977e

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x2o43sky.u2b.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2776-974-0x000002B14F560000-0x000002B14F582000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 8740e7db6a0d290c198447b1f16d5281
SHA1 ab54460bb918f4af8a651317c8b53a8f6bfb70cd
SHA256 f45b0efc0833020dfeeaad0adc8ed10b0f85e0bc491baf9e1a4da089636bccf5
SHA512 d91fe9666c4923c8e90e5a785db96e5613b8cb3bf28983296a2f381ccdcd73d15254268548e156c8150a9a531712602313ba65f74cec5784341c8d66b088750b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3ca1082427d7b2cd417d7c0b7fd95e4e
SHA1 b0482ff5b58ffff4f5242d77330b064190f269d3
SHA256 31f15dc6986680b158468bf0b4a1c00982b07b2889f360befd8a466113940d8f
SHA512 bbcfd8ea1e815524fda500b187483539be4a8865939f24c6e713f0a3bd90b69b4367c36aa2b09886b2006b685f81f0a77eec23ab58b7e2fb75304b412deb6ca3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 446dd1cf97eaba21cf14d03aebc79f27
SHA1 36e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256 a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512 a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Analysis: behavioral9

Detonation Overview

Submitted

2024-11-13 11:29

Reported

2024-11-13 11:32

Platform

win7-20240729-en

Max time kernel

13s

Max time network

17s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 220

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-11-13 11:29

Reported

2024-11-13 11:32

Platform

win10v2004-20241007-en

Max time kernel

53s

Max time network

60s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1952 wrote to memory of 1704 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1952 wrote to memory of 1704 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1952 wrote to memory of 1704 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1704 -ip 1704

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 616

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-11-13 11:29

Reported

2024-11-13 11:32

Platform

win7-20240903-en

Max time kernel

9s

Max time network

18s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\sqlite3\deps\extract.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\sqlite3\deps\extract.js

Network

N/A

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-11-13 11:29

Reported

2024-11-13 11:32

Platform

win10v2004-20241007-en

Max time kernel

59s

Max time network

76s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\sqlite3\deps\extract.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\sqlite3\deps\extract.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-11-13 11:29

Reported

2024-11-13 11:32

Platform

win7-20240903-en

Max time kernel

13s

Max time network

20s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\sqlite3\lib\binding\napi-v6-win32-unknown-x64\node_sqlite3.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2544 wrote to memory of 3028 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2544 wrote to memory of 3028 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2544 wrote to memory of 3028 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\sqlite3\lib\binding\napi-v6-win32-unknown-x64\node_sqlite3.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2544 -s 156

Network

N/A

Files

N/A