Analysis Overview
SHA256
cdffceb70876f6dea25c9c0c64798922d6afce1a9425e71bb0388e604a5f69aa
Threat Level: Shows suspicious behavior
The file roarkaot Setup 1.0.0.exe.a was found to be: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Clipboard Data
Executes dropped EXE
Checks installed software on the system
Enumerates processes with tasklist
Enumerates physical storage devices
Browser Information Discovery
Command and Scripting Interpreter: JavaScript
Program crash
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates system info in registry
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer settings
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 11:30
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral8
Detonation Overview
Submitted
2024-11-13 11:29
Reported
2024-11-13 11:32
Platform
win10v2004-20241007-en
Max time kernel
34s
Max time network
38s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4628 wrote to memory of 3104 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4628 wrote to memory of 3104 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4628 wrote to memory of 3104 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3104 -ip 3104
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-11-13 11:29
Reported
2024-11-13 11:32
Platform
win10v2004-20241007-en
Max time kernel
60s
Max time network
72s
Command Line
Signatures
Browser Information Discovery
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9639546f8,0x7ff963954708,0x7ff963954718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,16211666171334539850,12552843468919528308,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,16211666171334539850,12552843468919528308,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,16211666171334539850,12552843468919528308,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2908 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16211666171334539850,12552843468919528308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16211666171334539850,12552843468919528308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,16211666171334539850,12552843468919528308,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5388 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,16211666171334539850,12552843468919528308,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5388 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16211666171334539850,12552843468919528308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16211666171334539850,12552843468919528308,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16211666171334539850,12552843468919528308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3516 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16211666171334539850,12552843468919528308,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 443a627d539ca4eab732bad0cbe7332b |
| SHA1 | 86b18b906a1acd2a22f4b2c78ac3564c394a9569 |
| SHA256 | 1e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9 |
| SHA512 | 923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d |
\??\pipe\LOCAL\crashpad_5008_DJZSBJYGAODHQVNP
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 99afa4934d1e3c56bbce114b356e8a99 |
| SHA1 | 3f0e7a1a28d9d9c06b6663df5d83a65c84d52581 |
| SHA256 | 08e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8 |
| SHA512 | 76686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 0916ebc5b21bee0363dc2e794d84216e |
| SHA1 | 8212b6f1baadc087d59c55920af70686ffcf9716 |
| SHA256 | a982c1f38fe86670fe7a61ad3f2e2a276f851b8f3aaa4ee03845b92c62e520c5 |
| SHA512 | 5cba9207aac733fc5117dc71813c8a47103ba545ba5fb4d3120c37a049ef340ecf5be418a84768c8177c5581d9b520b39720150585cee07ebc1dcab2b2f08be6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 206702161f94c5cd39fadd03f4014d98 |
| SHA1 | bd8bfc144fb5326d21bd1531523d9fb50e1b600a |
| SHA256 | 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167 |
| SHA512 | 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\093585f9-b960-4bbd-950c-3af4014db21b.tmp
| MD5 | fe2c16773a626f874171692f8d7e4254 |
| SHA1 | 9aefb475efdec878fdff7f54a10a7761192cad73 |
| SHA256 | 01bb19dd6276b969dc586396187e0b04c87e96645c489148d40c8aa7f96313f3 |
| SHA512 | 20c9dfcd934332c8d5370d5aa07e12b9a4c50f0a60cc7d9c0bb1d505349726bfb09738c0e632267952bd2cb5060bde19273ba65fdd6996e486289ec5f27de9e8 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 50371c0d8a0223f3f4412ffc527cc296 |
| SHA1 | 5e89d65016ab4d0c6a7551d64c141ed2d54e3831 |
| SHA256 | 8a5a5fde86cab5e381dc2936478765b79de576023830184cc1152067e84d00cb |
| SHA512 | 60d6248bdf82d5d8e04a10860773bd35aaabd602f2c50fa802e88175f9fcf83f8d725cceee398d2d92cd4990b1c9ad5dea499eb6ac0f48d531ab1625a375b79f |
Analysis: behavioral19
Detonation Overview
Submitted
2024-11-13 11:29
Reported
2024-11-13 11:32
Platform
win7-20240903-en
Max time kernel
9s
Max time network
18s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\@img\sharp-win32-x64\lib\libvips-cpp.dll,#1
Network
Files
Analysis: behavioral27
Detonation Overview
Submitted
2024-11-13 11:29
Reported
2024-11-13 11:32
Platform
debian9-mipsbe-20240611-en
Max time kernel
0s
Command Line
Signatures
Processes
/tmp/sqlite-autoconf-3410100/Makefile.fallback
[/tmp/sqlite-autoconf-3410100/Makefile.fallback]
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 11:29
Reported
2024-11-13 11:32
Platform
win7-20240729-en
Max time kernel
14s
Max time network
17s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\roarkaot\roarkaot.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\roarkaot Setup 1.0.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\roarkaot Setup 1.0.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\roarkaot Setup 1.0.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\roarkaot Setup 1.0.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\roarkaot Setup 1.0.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\roarkaot Setup 1.0.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\roarkaot Setup 1.0.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\roarkaot Setup 1.0.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\roarkaot Setup 1.0.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\roarkaot Setup 1.0.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\roarkaot Setup 1.0.0.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks installed software on the system
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\find.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\roarkaot Setup 1.0.0.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\roarkaot Setup 1.0.0.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\roarkaot Setup 1.0.0.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\roarkaot Setup 1.0.0.exe
"C:\Users\Admin\AppData\Local\Temp\roarkaot Setup 1.0.0.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq roarkaot.exe" /FO csv | "C:\Windows\system32\find.exe" "roarkaot.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "USERNAME eq Admin" /FI "IMAGENAME eq roarkaot.exe" /FO csv
C:\Windows\SysWOW64\find.exe
"C:\Windows\system32\find.exe" "roarkaot.exe"
C:\Users\Admin\AppData\Local\Programs\roarkaot\roarkaot.exe
"C:\Users\Admin\AppData\Local\Programs\roarkaot\roarkaot.exe"
Network
Files
\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\System.dll
| MD5 | 0d7ad4f45dc6f5aa87f606d0331c6901 |
| SHA1 | 48df0911f0484cbe2a8cdd5362140b63c41ee457 |
| SHA256 | 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca |
| SHA512 | c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9 |
\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\StdUtils.dll
| MD5 | c6a6e03f77c313b267498515488c5740 |
| SHA1 | 3d49fc2784b9450962ed6b82b46e9c3c957d7c15 |
| SHA256 | b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e |
| SHA512 | 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803 |
\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\SpiderBanner.dll
| MD5 | 17309e33b596ba3a5693b4d3e85cf8d7 |
| SHA1 | 7d361836cf53df42021c7f2b148aec9458818c01 |
| SHA256 | 996a259e53ca18b89ec36d038c40148957c978c0fd600a268497d4c92f882a93 |
| SHA512 | 1abac3ce4f2d5e4a635162e16cf9125e059ba1539f70086c2d71cd00d41a6e2a54d468e6f37792e55a822d7082fb388b8dfecc79b59226bbb047b7d28d44d298 |
\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\nsExec.dll
| MD5 | ec0504e6b8a11d5aad43b296beeb84b2 |
| SHA1 | 91b5ce085130c8c7194d66b2439ec9e1c206497c |
| SHA256 | 5d9ceb1ce5f35aea5f9e5a0c0edeeec04dfefe0c77890c80c70e98209b58b962 |
| SHA512 | 3f918f1b47e8a919cbe51eb17dc30acc8cfc18e743a1bae5b787d0db7d26038dc1210be98bf5ba3be8d6ed896dbbd7ac3d13e66454a98b2a38c7e69dad30bb57 |
\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\nsis7z.dll
| MD5 | 80e44ce4895304c6a3a831310fbf8cd0 |
| SHA1 | 36bd49ae21c460be5753a904b4501f1abca53508 |
| SHA256 | b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592 |
| SHA512 | c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\chrome_100_percent.pak
| MD5 | 3c72d78266a90ed10dc0b0da7fdc6790 |
| SHA1 | 6690eb15b179c8790e13956527ebbf3d274eef9b |
| SHA256 | 14a6a393c60f62df9bc1036e98346cd557e0ae73e8c7552d163fa64da77804d7 |
| SHA512 | b1babf1c37b566a5f0e5f84156f7ab59872690ba0bdd51850525f86769bfebc245f83988a3508945cf7617d73cd25e8469228974dd2c38415388b6a378552420 |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\chrome_200_percent.pak
| MD5 | 3969308aae1dc1c2105bbd25901bcd01 |
| SHA1 | a32f3c8341944da75e3eed5ef30602a98ec75b48 |
| SHA256 | 20c93f2cfd69f3249cdfd46f317b37a9432ecc0de73323d24ecf65ce0f3c1bb6 |
| SHA512 | f81ed1890b46f7d9f6096b9ef5daab5b21788952efb5c4dcd6b8fd43e4673a91607c748f31434c84a180d943928d83928037058493e7e9b48c3de1fc8025df7f |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\d3dcompiler_47.dll
| MD5 | a7b7470c347f84365ffe1b2072b4f95c |
| SHA1 | 57a96f6fb326ba65b7f7016242132b3f9464c7a3 |
| SHA256 | af7b99be1b8770c0e4d18e43b04e81d11bdeb667fa6b07ade7a88f4c5676bf9a |
| SHA512 | 83391a219631f750499fd9642d59ec80fb377c378997b302d10762e83325551bb97c1086b181fff0521b1ca933e518eab71a44a3578a23691f215ebb1dce463d |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\ffmpeg.dll
| MD5 | ebf0485fbf546b010c2b10c5c8e7d5ed |
| SHA1 | a4a546f6be93bae535aa724ce2832f428cc91f89 |
| SHA256 | 46a20d91861f6e966959635dd5f1adfd7f33449dd814a9aecf207b0cd53117ba |
| SHA512 | 9e6011c0269556376907850fddac8fdf50e132434da7daf4d87be83c1b89b7aef847b25b6216686915225a82374fac6ff987f22efc01d5b1c2cc81d53d7facc9 |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\libEGL.dll
| MD5 | 4c01b3614be1f38a6d594443a547c257 |
| SHA1 | 7eaa456b164613577d0965ab5a57ba2b681a6ffa |
| SHA256 | e36da1a4228899bebe50cc5da1fcbbc590cdcb3ddee0b2a19defd99a805b6ed4 |
| SHA512 | b72fc071dc791c63978465a68c9a4904d5f1c458d302bb710e83576f20ef928d73c487248a305bb455990c2d8a6b894ee47d88bca6bc92360f286849ae1a1257 |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\icudtl.dat
| MD5 | ffd67c1e24cb35dc109a24024b1ba7ec |
| SHA1 | 99f545bc396878c7a53e98a79017d9531af7c1f5 |
| SHA256 | 9ae98c06cbb0ea43c5cd6b5725310c008c65e46072421a1118cb88e1de9a8b92 |
| SHA512 | e1a865e685d2d3bacd0916d4238a79462519d887feb273a251120bb6af2b4481d025f3b21ce9a1a95a49371a0aa3ecf072175ba756974e831dbfde1f0feaeb79 |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\libGLESv2.dll
| MD5 | 9bbeb7b27646442c8bc2d202a73516d5 |
| SHA1 | a7f7a52dc45bf130581953e07ce9b9851cbce90a |
| SHA256 | 2b80817443265e7979b9a77075492e8e29be3ba775d20f646cdda391efbab21c |
| SHA512 | f9826e43f53bb9b906b5c62ff2502d4e8dc3ff99b72420cf313a5811061cb146651cba3b8f864f34dfcfd51c6e3b39a0a640719ef94d7696bdc4fab7e9d16785 |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\LICENSE.electron.txt
| MD5 | 4d42118d35941e0f664dddbd83f633c5 |
| SHA1 | 2b21ec5f20fe961d15f2b58efb1368e66d202e5c |
| SHA256 | 5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d |
| SHA512 | 3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63 |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\LICENSES.chromium.html
| MD5 | f017c462d59fd22271a2c5e7f38327f9 |
| SHA1 | 7e1bbeea6ac2599bd0f08877aa5811d32f1aceb9 |
| SHA256 | 40f314c778851106918aae749d75b2d913984327602a1bfb7ef0cc6443ff2a37 |
| SHA512 | 72177281486f6ec26ccc743b43481c31470c7dd53f17b0a67ac087dded190c2e3dde5570260150c2e9650186a515740af7f81e31965c95bb762340f9ac100c07 |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\resources.pak
| MD5 | 7398d5aee46689f03c278c8954f68f2b |
| SHA1 | 62e10057cfb2dc53c62d088d4fde3252d1216d86 |
| SHA256 | 9590361aa74c43818881e622f2e3b7992c978397f7ac269f37accb435b134fc8 |
| SHA512 | 1d6ae4cadd302fd683be66016cc4aa092bfe9689b81e1a764512327983f558a7ad9a10aadb7f8e13b73949d648d0e14ea0eb7c2de2420353a46e44c6b647c652 |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\snapshot_blob.bin
| MD5 | 0406a232eb55e516dc38b4967671846a |
| SHA1 | aade7c03b1ecc81027c98a79285687bc19276fc5 |
| SHA256 | 4f944691b7066ef5653cfbf6b016488f6e5f0afd2d6bc03b90de5485514f83f5 |
| SHA512 | c608095510f88348e1e412ef573e4aeb4a7d328dec2892bada688a06baa023fcea1cc0dfbba6f6c41de303f3b6d5e1c4335a2610f3ec47a690e4f309f8782359 |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\v8_context_snapshot.bin
| MD5 | 3eef488e8b9d35f710634c4d404c7e1a |
| SHA1 | 971c730ccfba2db0fee379683f4e310df5c9f1df |
| SHA256 | 3a189b50da4b31b5af6cdfdb6398fa039ccac9e13898e4851b27c4d91f4dff6c |
| SHA512 | f787b7633edf75905674c467f7c291a2b3791a8475b11e1d4fb1769ebe872c6b70d778124c22a55b96efe2ac443c82750371421ac9fe8f2cc8bb47ce0e3648d6 |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\vk_swiftshader.dll
| MD5 | abd993f23ed3c75fb80320a10451dd66 |
| SHA1 | 95b13400418512870a37a4e59ecc7dd9c467df2b |
| SHA256 | 52c64e3bd5f852f7c2628bca773bb5a270ad40f5e31bcf8429323cb9fd1bd4da |
| SHA512 | fe98cabf2e3500d52b09f9869f3ceab6c7ed8fefb7fba56eb62a5319053ea997881112abf139f2e642210eb4b61d5a726b8dc41d4565b81faaeb5d64a00e6267 |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\vk_swiftshader_icd.json
| MD5 | 8642dd3a87e2de6e991fae08458e302b |
| SHA1 | 9c06735c31cec00600fd763a92f8112d085bd12a |
| SHA256 | 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9 |
| SHA512 | f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\vulkan-1.dll
| MD5 | 0b95f0a5905c4075a3fbef0ddb71e915 |
| SHA1 | 72a4536da15d5d9e1617331d8e4a5c5a579c75b3 |
| SHA256 | 03b808d8045ebefebf2e2847be039358f7ec1db63e1c601847b8cd304c3db448 |
| SHA512 | 9e57eeaafdaf0b5516822d1ca7ef1995442a03677f856828d49ccc01ab8492245d8659eec7675822fc8610ba250e49a6f3c8569aad2a324cec83e0d6b5201187 |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\bg.pak
| MD5 | e1322b5cdbb96d2cf4a5fa5993c2acc6 |
| SHA1 | e813a5685b1885c2788c4826a8f8659493febbf5 |
| SHA256 | 39707fb80e38e9404accac5f12ff1f3745589bd80b1586e2208b27c0c8eafcc2 |
| SHA512 | 2c6e766d671bc4ac772196e40b818039fc88f02eeaa59f78c78558e5e2670c1fb7fed9391684160c0af5a92acf8991533b298b5aabc3919c706f23f094f2ac15 |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\ar.pak
| MD5 | 513e6bea67200feef37fb2e8c7fcec36 |
| SHA1 | b0edbb5846b8ddfd95ad74905e890892192279d3 |
| SHA256 | 00a9c88b644807369637ddb78d9832d7137b5f1c64ca9720a36bfccea8c38d98 |
| SHA512 | fbc184640fc419b50f6b1a78168a9efb63f8ac4c151baed17b5e9b9d333a360dce109351654ebf1c71c97471917c922456cf9c816118c6c781efdee14d8360fb |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\am.pak
| MD5 | 1c47cbc228940f5c645f2fd77602253e |
| SHA1 | 474a5006ae9ae774b5d420c2f1fb0d0f2ff36afb |
| SHA256 | 5245154c986ca89ef53a24a4246345e3db01ebe47219f1d0772935b03e81e37b |
| SHA512 | dd4e7c1e26759001ab1ef63f93e847e2908c78d943c7546c88e1988d96a6625f9de9e0ab8b38af4c7b07202e1a5488023cc3429075de6c9b9394307c88442673 |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\af.pak
| MD5 | 09455048c30cecbb17d6e0e95e4c01da |
| SHA1 | 6572850b07df45933ed57754f72c44895a7ef662 |
| SHA256 | e973763dcc0ffd7a5afe0a62ec9651c4c3db7fe29a23797fafc34b83512d03aa |
| SHA512 | f59b68c213815ad81379c964abe6597b900b9fac5fe17e2cb378d015c4803f96b598ef70333d594599b3283a88a9ca9cb2475afc2590eda2ddf7b041ba2368e3 |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\bn.pak
| MD5 | 880e325d5643051ad7e29c2280fab954 |
| SHA1 | cc46cff349031f9036cafafd3c091d1a5ab93f2f |
| SHA256 | 2fbcb9524eba04637e3f6c2874f7fce917326ba90877e1715eae4b35f141dd3d |
| SHA512 | d16d085bd51ad267738c649f6bbfb15b8ce5ac73b838cfb7e2ab0f4c135317c358b83a7b5d3506c492f75b97edb8d1eeee9733d12c9eca1bc51012d660b9e912 |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\ca.pak
| MD5 | 84b1e5be23e838708773d4e022f99986 |
| SHA1 | 53e411d571605a0a86a1040bff32a5e951ce9ee8 |
| SHA256 | faff0931e9479b76d2b6247739d4f934023a64bbe8578be08e2dd0eb053231f6 |
| SHA512 | 8afc396b859fbd0c03d1b7604f5cd80d41fd8e3df52ab88ba22a31a6a0df447671377f2ad0f6797682da6aa32d7c779defa1097ee140af207adc94575957fca8 |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\cs.pak
| MD5 | 709ed2e9426081c9e86d9abdc74b44a3 |
| SHA1 | f55fc17c8b9bc5f09a539ecb8b995c1b43fc4d25 |
| SHA256 | 6597d0dadf724999741e0f24953ce9be02c8b98ecb8a382115b205edde87c160 |
| SHA512 | 992ba983cb8b24bf0ff190715c5845f34b13f17227486350fc736c872ac8f0b21347f5f6d13e2e204e928ec664e283ca65b65f72d9910725f55d737b6c5fda40 |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\da.pak
| MD5 | 96bbef1eee0b0a197ec834839c00e11c |
| SHA1 | 35adba0aafbb4d19015e11dde1f37de87292252d |
| SHA256 | 600e02877374dc083b21deb3cc3bf6a4e3e2b2c581a631955494b0591c56289c |
| SHA512 | e1ae7ad30735b6c42f81d30d50162330603753b0ce7705506918d0bf3bf9a52ac60f8fca570cdfe87f0d6dd46cfa3064d5a1526d39d81a053571b434b1cbffe1 |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\el.pak
| MD5 | 4009c890acb9b81928e6e1a4b593dd62 |
| SHA1 | 83083e9c948ebba18fa990e230ee33fceae43cbc |
| SHA256 | 897b6fae230e6a3cd14e16eb537f96d820950f5a4537fe146a732ab028b7124d |
| SHA512 | b4c87024d3cd612b8af6f73b31853936614f4315ba9a48b4687120dc64e1794c568c4e074e41ae6f8dedeab61484e145dc0ca3bdb95482fd85492fddc26ab6ce |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\de.pak
| MD5 | 3a9f06d1708b7620e2639851024ed0b8 |
| SHA1 | 51c0d824bf38250ec0aae58e63141489931f02ec |
| SHA256 | 91da97794994f6544707299fee6b775745dc3891fc879d8e8a05844c6383eb53 |
| SHA512 | 08e80783de403651af208387a3191db30d1353cc25f310c917a1133b2622e4b6809bc2bd881517678e9229e6492705c5f45be3e849c0512c4a651c5b7026c926 |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\en-US.pak
| MD5 | d47cded365a28d27906414035c1cb3ca |
| SHA1 | 429123c86f6ca48a89bedc9a26027e01508e6db9 |
| SHA256 | 46958caf9847e33a11593ad024d5a95cc696edcd4620cf07e7b2b78c72b9c00c |
| SHA512 | 1a16d784913fead116460c9ff42e21ae482865cfe2d6ed1b1296496e46a05e513f8d048fa4d245e7a82ef61de4c4130696d5b1c647c918995f6877a888bd0853 |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\en-GB.pak
| MD5 | ceba44242f8b24b70c9b59b5094d8da8 |
| SHA1 | 84e16c522ad397289a923e5cd4b012e2d323af4e |
| SHA256 | b0fd61679565a7649c90214efecdf6e1231a8e7895dad93452bfa1425417d5b7 |
| SHA512 | 31cd936157a7408a43dcba597f6e098499dd4c5fc011ef818ce93eb7a05c9d354229c3b2295dbc290a6d3f3600373f18f75b334ba9013a5dc0be44c82f2e51bd |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\es-419.pak
| MD5 | ae62374bc2e71d9abed6e0c1d4bfe309 |
| SHA1 | 624a8210376e11814485fe90a8825bb6ca883188 |
| SHA256 | 48bd8f17823ce0f0a6f1c9fda020d5b5655e2419634f92725ab263339d9a321a |
| SHA512 | 345794d617dd3aa200ca248566e9ba36dc846af9afe259545b5a61e787b1b52e112c7eb68bc025b0d2076790a4b77a82a724bc213fad9f0f38db6054332bfced |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\es.pak
| MD5 | 070cbd6f42db1cb9b6a2f74e03d6b124 |
| SHA1 | f8830e1c8a601123d85fd75188ed01833f910691 |
| SHA256 | 91de93a4dc9c9276b9ee3ae498bdafaa55fd464c1f20fdaca84c4b79842327d4 |
| SHA512 | 2ebee4e289eb2a19a97c86d1abdc1ad53c6a76b8c1dc28fc89cfde236c4abfbb823bf52573cc0848fd76ed9e0ab2d49def542837bc5c474ca1593fb5ed10a390 |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\fa.pak
| MD5 | e5d53b9d5756871d684d018fb0c745b5 |
| SHA1 | b00a40704c91b33c2aa0f6829ae3dd886ba7177d |
| SHA256 | 8b93023af6428322b9b13aca5da9bd395a9c4775c72b758df8eb564d35d15cbd |
| SHA512 | e722f114485cbbb5284d23f1ad1061213f40083c5da2ac9753e1416f75f7cee9d8315e6f4582322d992beb9a8cacefb607ee0b1737e3a6da775fc059a17c3fb1 |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\et.pak
| MD5 | 294c830b9e6667c8d5e7287cabd6a4b6 |
| SHA1 | 52f44b97b71624bee6360301e8f6f34cfa428e72 |
| SHA256 | 198674c98f10c36205161e382cc31560a4bf0de5f597a0c65f7f95777dc9bb24 |
| SHA512 | ade98fa9cc25148979f325660ed3f0f649a38709ea34b759796c4e202b3c30e76da3b8c17ecf2e1948db4a5be26af23c3a6e6b28f9445ceff68d251a5645db5b |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\fi.pak
| MD5 | 925f45e80be419aa0125096ebb81a23f |
| SHA1 | e73a32362952dc0aea997ee408da090f1886a438 |
| SHA256 | bf20054eb68d3d67d17d2a8c594d896c9c33fbbd562535d0c7e6cf6c940a8732 |
| SHA512 | 8510e2e9749b4342eb8d79bbfb983c43293f7f37d138464c96053a79685c578a148dd54013d211b02115256f174f51a74ca9155883055801bbe146053de52eb0 |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\fil.pak
| MD5 | a96f6f164897e62c984e9a61f6c3f7cb |
| SHA1 | 3ab2a714eb8e9b57e8a39792d152606ba0ef6a3a |
| SHA256 | ff21df22f24c92a06f6bbda2c70b57e098d7bb6754988a5ada087aed9bc8b8af |
| SHA512 | cd522884b66c940d64eb1377f9dd60143ae984fa7d144aa9d83b82a006b5da2ee9eabdcf046d362b2096d8a6b8486f36a10ac9f0642bb8cfb1e7903fda4c41f9 |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\fr.pak
| MD5 | fe0ea306a7b48ee2750af3a263d9f3d1 |
| SHA1 | 877968909cfbbe499911b4d8b807a593c4be52c7 |
| SHA256 | 955de4737419c06609227c63c2fbba7c8abf497fb976c99a4dc9f5d5105afbd1 |
| SHA512 | 07978311caa9be82bd398100d1d8367c5ca840ffcc166b73aeea0bc7c86b53db13bf648decfb3f54a43b9d199e0d98fcd29fdfb291a703502369b025eccdf872 |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\gu.pak
| MD5 | cd212ed25482d2b5a246440b62c4fbbf |
| SHA1 | 197f3616dec4fb308e0ec5a17458ef8a2d027cd1 |
| SHA256 | 0e8762ac08963088c33b74ee790df95370bbfc298bae8abfb87eb1307ef46d37 |
| SHA512 | 207d3e9a6bfbd3eb19cf53a0a300eb0172ecb872496d627ac5b55b9ea11d52f24f01393893450fefaa3c42bb481129d54e552679f2f67a2af0e117d12464601d |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\he.pak
| MD5 | 06e89cfa4c6f4bfb7aaead492c4f08f2 |
| SHA1 | 39d943e0eb1637cd3f5a7b66ebcd28e76c89aaeb |
| SHA256 | 6b7937f16ae53457ac9a0c18fbac68b2076200b0fc98cb781415fdaf18c49301 |
| SHA512 | 8b6d33657eda8a3f1d1bfd55135de88953d21916e72df646fec2b5f5b17e9e15849f428b0fd83143f375ada174aa953be8f07fa8ba90ca4d07dd1b859d034b4c |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\hi.pak
| MD5 | e3b31e519b925414176ef2d9546c356c |
| SHA1 | 7cebb1c5fd9c78f704bb9e5c463f67c5426d0171 |
| SHA256 | 82fbb97e7d9634df3c806439e144cf8d153d840bad98f6e790726841a91acd13 |
| SHA512 | fc3e735f010776cbdaba1592e6f685a1fb4773ab5062f5ba9ed95d9bcab2f0ce9ab024ed95158263450fc58c3197b84e38883262a588d6d92c4e623c61b4d200 |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\id.pak
| MD5 | a20c777901a144622f8a5520583af79b |
| SHA1 | 3506f8e07ee301bb195eb185032ebdc7fd231272 |
| SHA256 | fd44af213520242ba41f4c9003ddeedc71f923cb37e25b14e595f3e652ae18dd |
| SHA512 | 6a53bc2f5d0e4660767d21070d19f0c407fe676b9e9cbdc20e6016e333b2ad33da225bfc2833a0c0724e1b6245ca6ee3cc0e782ac955d6aebac3dc468db79a1d |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\hu.pak
| MD5 | 40807c6b0eefd2a2f16cf0ac2c28ed53 |
| SHA1 | 1b416b29e59ef41e1f18b168947e42b7fa969d2e |
| SHA256 | 533ae7e865898b61ecfdec68c581b3c4858f2c3ec1fe496ab02c61db0362d941 |
| SHA512 | 487cf71df0f2e59ce1151c146651f567b624ac0e48f770a2f1da76b27933aa2bdc30990788e2dba4543a11b9e5d3da6f31badb26d7f3a5c87088c5b4e1bd7756 |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\hr.pak
| MD5 | 92e6ef5db4c0191282ce2dd3645461ea |
| SHA1 | 045d3ed58a625516af741c9e2f85680fc1561ed4 |
| SHA256 | f8d6694f1c05ca259a31e0427ba7cef5b57f0c4b33493fda21003911a5da6f07 |
| SHA512 | 08b09857f173ef2a3067d60120167223b4ec7414ff6117d206bb12213ce9563c8d7923fc0ce6e7df0ea5d8ae2b3ded2a23993ab43bc46bea3c08df1bf59e16ea |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\kn.pak
| MD5 | f4c1e83eabd580c0b4c63b2dc510ce6a |
| SHA1 | fc1d9fed0f073504b022606e424e7cc9796648b2 |
| SHA256 | 79fd72e764a1d8ad623892e563e174463f29d6ce61a2ae29af102d71da4b8e25 |
| SHA512 | 927e6ff4c7d1c28c89afdf44c62643740a94b01e9f6e927e543834c833e1b4abf97de1489c6717f9054243c180474fc695a70c4ea8852d95c690f38c785705e1 |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\ja.pak
| MD5 | 63cbeb056020b6ee8cfad26c7c6abb79 |
| SHA1 | 99bf018555eec56aae4b19d10c85ac506f4164a7 |
| SHA256 | aad9e17b2170b76248d61a3bac9b1bebc44b94885403ec2cc21a31397bf029b4 |
| SHA512 | 5aa4e764f06f0e8490dab89a8b3754cccdd41739b4654ac8e30de160cad335f681fa5dd7782482aaf66ff1d827ce0c34df85c23c334a35035a3a4e3d0f305343 |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\it.pak
| MD5 | acfd6f4b73b87455acb703e59303db33 |
| SHA1 | 70eabbca61eb365191cd1256f3be40ea9223b2d5 |
| SHA256 | cae7bd535284f5f156c1466820aae2bcc0b0c0ba378ad0f04eef3a145deed9b9 |
| SHA512 | bfd52bc383f1f5a7d559968bdd779198c81286796564499174c3b5b9bbc7112f427e8316f78fb09ebc668c5cbf94c89c37e97abb00c9b87b5c5c108028fc549d |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\ko.pak
| MD5 | 626e172ad9b55ba0a1e2802ce5e10d0d |
| SHA1 | ecd855a47448609e8e9d7bdd80f92edd494ca77c |
| SHA256 | 7111342770c33aaaffdd6fd9ef15095a6d89e48d2468c19172c0eb9b6f26ebdf |
| SHA512 | d42594259929e35b763e71cb7022d34a11bf75a4b9bb058e251cbbe8e80bccdfb284eed1c6367f98e3023134c24d50542c64673d80e29230fdd057de70a10d5c |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\ml.pak
| MD5 | 265d7fbee9a021895d51209dc0181f90 |
| SHA1 | 30e37013971bacd3ee93ad2fca01cb59a26d6a87 |
| SHA256 | 682463d4a0221711e565ecf409893536d727650efd2ed0563c722cceab66b1ad |
| SHA512 | 028e1ad499b20ff7cda822b91f9b8d1cbb1efe108b7236d817b73a6f8e518b5f4a8ae77d653ae5c9d799842eaee3915250ef56f634f847fc5fc8a3b36eea176c |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\lv.pak
| MD5 | df9985ecfc958f343ab7e56e71149d71 |
| SHA1 | fc0d2c4a194d500a1f4cfafcd9102186016ba5a3 |
| SHA256 | 7e17246e23ca2d0241d56d91b5d5e6bfb3ff4e08f1a3734f9d032b4191282fa2 |
| SHA512 | 0dd65eed7a5bccee0ac5e2826f0cceed848dff0d0d41904e00d35cec9d96fc0b91a4eb54fbcf0bbba61f89848562a606f9f7aa827cb180abe7e97a2e77a29309 |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\lt.pak
| MD5 | b02bf54687716b5d5f18aee02411a980 |
| SHA1 | 4cf766077382c49fb89d59d861de0f482f989798 |
| SHA256 | 0b0e3fcb82ddca52f9eb1ff9e1ee224639ff81f1c0af6ded4e21944811babc0b |
| SHA512 | aea879ac96a5719e8988011a7b82726bf51a24e170e260182146191f43914cd50991928d2283277d173ad650f7cfb1246fad9445260e9ca0769052079d431f25 |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\nl.pak
| MD5 | d7048d029ab3ff807dff790113328574 |
| SHA1 | 07872f608062aa482532edda0dd2e1de31669380 |
| SHA256 | 0e9c114529b9ec20118bb96ffeea05d1a408e4eb621e3fc65f49353195d1af96 |
| SHA512 | 050b0eacf5b4da024d1a2af54f3511c4671756b0dab3f961d8acee5d1695eb29fba7768246dd5b3bcc253136df97e49a305832c37943380dc337776cb1fb1549 |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\nb.pak
| MD5 | cf18f58e8e4e37b2e5fa7ef8269a294f |
| SHA1 | c60d6e84f5cfe4cadbf4efed9b5998307b20fb9f |
| SHA256 | 3f1ed8ff0207c678b6a0a98e82fefd6340e35b7d16689672dfa90d9ee63921c6 |
| SHA512 | 8f336fc50943d693ee80475250d2dbfc1401c615da571115f2c02551959028125b91ea6ffe22171dd12241688703e1869402146ef4e85a46059fe022759da953 |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\ms.pak
| MD5 | 06f24bba6fa8e9a009b3062227d4c259 |
| SHA1 | f50b0da2a86a138d16022f5642d96ff1a3ce7568 |
| SHA256 | cdfcbd86ddf584621bb2966c2d43f18096f974edb795cac0d1db43a60f3bc24c |
| SHA512 | 02239741f103c8b63072abab475ac313cb48612cac36890b7946fd816028fcba9be7ecc17ba5b934016d8817c52855ef208bffe5191d0eed35aa5243527e2150 |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\mr.pak
| MD5 | af7c7d72a968e1936f26a3c755157f6b |
| SHA1 | 2ec71950847f5fb4b85697b6acd05224c28bb092 |
| SHA256 | e5702b9578435abbbcc922f1d4ff8c5a345856926c2174c329e228987c3ac7d5 |
| SHA512 | d265eeee96adafc3ced76901c9263bc1cb349caf925a02d5deb010c02843fb653a17e1e8a4e942c9912f654316c4a7a1776e6a7eda56ab82ae9d4d077a58a929 |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\pl.pak
| MD5 | 4003c253ef85ec0ff8a65204955994b0 |
| SHA1 | af3074fb622445f6429899cb33a33bbcc60e5e5a |
| SHA256 | 4db10dace60cc56b610a7f92caebf4e7e98ddcaf8dac4f5a87db8f750f51ef8e |
| SHA512 | 5624c8f6268c8a8dbf1a69a032ebb89e670685cb736a3cb42a65e2dca118a85e076818b58ba2e392991eff7921495167616107f402c841a8456b5b5888b70ca1 |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\pt-BR.pak
| MD5 | 0711b3f59ac95761899b013b3b242c93 |
| SHA1 | 73fe7a4f60a6b92a966f1177c71bf85c6f95004f |
| SHA256 | be445bfcd9429570e5006063b1c8299a41e762e8e0c2b63551bcf16cb6fb868b |
| SHA512 | aad5ff84d1833db418a46961a5e3abd040e19e5a87bd6763039f8db7dda19c3cd9d7ea862585080636c2888ab1a50f2ba579cbc0ca0df8135537f1cc7543882b |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\pt-PT.pak
| MD5 | fbff8ba7e31acc6c26c0e4b7277cbbd0 |
| SHA1 | b9acdcbe2f0f429474acc4dd883d668cde9d3165 |
| SHA256 | 477d6666bed083b27335a479c71279ad41a674f7b6a412ada1bba18be542ddc7 |
| SHA512 | ffdbb2773f18038f5d4cf145f3311feae25110ceb8efd9c895267f98acef7e901dd7d843f7c5291cd333fc81b80da301d0c92e5c0d6857da7e4eb68a5a0c540b |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\ro.pak
| MD5 | 5d5a27c52ae905fd85f5d50cb793e7ca |
| SHA1 | b858bba1ef66c4d3943be19a4bf8a508c23e6671 |
| SHA256 | 9ff47f6890b3f543bc51015f263e791d8a3bc332098f8cd8199852fa131fa579 |
| SHA512 | f4754951ff0dd3f1ec2c0859a93422330145f9e4e3407bb7f95863c85227b96d3f8af449c0a051b60f333df3695eea5df70fd5f7fe4916e60eb6f7c4c21aa5e2 |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\ru.pak
| MD5 | 4ec91cdba9839e214ef7c008775e9e6e |
| SHA1 | ea9f0f22ee1bca09ac38c01300cc91e2fc8aee51 |
| SHA256 | 64f069a34be4966a9c28361e1c4914ce23bf96faa3bb5533fc3d233bfeac5cc1 |
| SHA512 | 8c49ca910bfff175a4d88778ea34437a5acb0d52e349160f31091bd33d8ed76524950fe3e0f508c243ed76b289a550291ec68a7e0c1c426a64fbff0579c94d14 |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\sk.pak
| MD5 | b7d16d6702d4b4b5d3a9e4c3e0e13eb2 |
| SHA1 | 6b2f1591ec51c4a7cf1435fbec7b5af94e0b5d4b |
| SHA256 | e93580dffc1715edb37965c5787048e3e282d0477f277668ca7f49cfda7142c0 |
| SHA512 | a09950a9bb3f9814d946857e32901a9b6d73b4862a85f00b7f1f035ce0cab5af4ebf3aa003731ffa8ccea88d71866ec01d9ce578fc0b13b3cfdd3df332a0c40c |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\sl.pak
| MD5 | 48ead6e0160cbc6cbacb247cd3643110 |
| SHA1 | b39a91bb90f26c74dbc9fa28b257b705b54f2b81 |
| SHA256 | fc4cc46ff82cb8a41181e825a3d4e4508753fb68ff01a60486b7df4a4e11e89b |
| SHA512 | c037d352d315805a18796a121e47c73d37d68e735c9334e11b393235ae75b803cbc03cf7cf8480683bc68c9b98fba9f5a7b045b650598e5d9367ab58a24e75f1 |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\sr.pak
| MD5 | 5c811e0c9b775886bc11b46703cb67a0 |
| SHA1 | e9a777cc72263c7e7c4bfaa36e41b29e405a2a18 |
| SHA256 | 4c524e149c02c37034ec92dd90f20f463413f2650ac9f32d52ef7260f9a34f1b |
| SHA512 | d7db44fbfff3e3204b92aff44dc02c184344853d85fd79cd962bcad8efe85a13d1aaf9ed69a6e81fcc6e690afa4b1ba7cf1764225916f398c0f960d56e5bc57c |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\sv.pak
| MD5 | b75471d16a5b4cfbb43ea86d3077e63a |
| SHA1 | 302958743c97218d13a72ade3a22e4181922531f |
| SHA256 | ec0f43dae8e52169396f289dfeb5d49b7f9258bafb0ed3060dd652fa744e5264 |
| SHA512 | 63556f738df1527ad96cca95f3e37934b054df83cfacd4e120745ceeb0536d4bc1919c66acff3e5253a62824c032ae7e8f9496df13b9ccb6fe00f67920a63cb1 |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\ta.pak
| MD5 | 22949a4acb6639bc4fea591bde3f6cec |
| SHA1 | 672163723e294a5242e9654470e1efbb3e8aa0a4 |
| SHA256 | 84776412fd7f2cff26713781be937bdb30352f9c7eb297ca811241e6cf4284d3 |
| SHA512 | 5e3ee2d29eabfc4398b0f9784064eb03b3c3e13c59f4fb1b857c612727eebe1a4a1bcd76503b1356cf4b4d407431a643503d9068f61f1ed05041f3aad325262e |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\sw.pak
| MD5 | 912db9e797ea3e277f18e72173f26ad5 |
| SHA1 | a83461503becad16ea0d33fd5501603688a65ed5 |
| SHA256 | 89d1245c645cc26d67ac0f556734ebeb99b436cf19edd3cb3b220e78a87796e0 |
| SHA512 | b5c334b528ba6d26dde9b4b1100c01bd1675cfcc7167a9bab4d9fb95584ae629e9567ab3a4729776fbee22ca927d42e04fa016cf3f9fe510edfdc340309110ca |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\th.pak
| MD5 | 77721a07831a7aef49934706398559cc |
| SHA1 | 240ac6e472ac7312f02b99a8d588813d3dfeb468 |
| SHA256 | e8cdabe4557192a6ad7040de396d807f96f50d6ef256dd04972211b9c898bc1d |
| SHA512 | f73be17166c7a94c216d13d837146c3c72a5e205688479ce8199c8cf468eb1bf780f2569d42e908684f0059e6ded370428d9b123389ad2cf1553a0aecd1ef06f |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\te.pak
| MD5 | f0a8ccf00882e83751fd666876c937bd |
| SHA1 | 6fd5045a20bdb912f61dd38f4d046b333bfb03c9 |
| SHA256 | 65ce3f1fe059a8d8b67cd47485233c6ab3870cfbb313241fe0f24e948bb0f158 |
| SHA512 | 8ea9f2215ac8354378aff1717ef6f1ba97ba8bcc1c660290d8a070c9a7cb9b0e1a87b8e37e68cd71d7bd429adba8b17c6cda68508b7389e42841fbe2f9c79528 |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\tr.pak
| MD5 | 41bc209ee64f56f04836fca3e2de362d |
| SHA1 | c019805b555d4c24c347112a583ac9f9bf2ef142 |
| SHA256 | 71356710c485d7db228a866789ce9d253276725d94a4e4622e7b82037beb9825 |
| SHA512 | a65c4f9147c5796567e61b0661b4766c199f156541a252ec442fe5b5e3e1156c80e8fc7cfb6d9e55db4c5f60732b55cfa74a65e7dc46fbd5a4e5dfc8f3891add |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\vi.pak
| MD5 | e6db9a8c61dc84aff75efc00b486a8d1 |
| SHA1 | 6d1f0329f9a44b64fa3474313c7bf207bfd78557 |
| SHA256 | 8ff2d05730915c1b15a97a3915c03d83239c34771ed661ccac745fb308901f14 |
| SHA512 | 89cf188b5d21528166353b29986f5afb9aad9a51a57864951f7945124b157e0129125caeed58c70568e38f7ba3a34a17d10056902b58ba48ee2e4e10a4649f75 |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\ur.pak
| MD5 | 157117641502b63c89110363dc7083b2 |
| SHA1 | fc86039a03b2e48fafc70e1cadc096fd46389af2 |
| SHA256 | fb7cd2f4beeceaf445f4d299a3db26cce49a7950a37e5a9b48fae7f5a8e09f99 |
| SHA512 | 422d92c5f0b2b2f9f35dbb7c11cd1b463085201912948c61222bb4f43f8dfd777fce678f04371df53ab6d07ec14cfbc9e4b1b084a72a0f2aa80ca7a4728e6359 |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\uk.pak
| MD5 | 7e2cbb9d3591278a76dd08364d3dad4d |
| SHA1 | a760a029070bfe57d4ef273b705650cef0a92f61 |
| SHA256 | 38616b5f7f939a84d5205e758a8d3fed024a8e3fbcc8159c90666ce650ae1d30 |
| SHA512 | 81e5ebada5990d79363e2583efdd3ccb19d8a10291cf6680d77d7c399816fe273a4fea5a7cb5e55e11f445df46a7ccad2942dc04f4fb8b6f66d2f2b151374de2 |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\zh-CN.pak
| MD5 | 5356bf9ddeb7ffad20e27ef092dac528 |
| SHA1 | 3514ded7211ff71297c87275ef0805588da2d47d |
| SHA256 | 0b6f0a9ded5734b260c1c02d7c717305d139bded5ec7ea80de40b641f13bfe0a |
| SHA512 | 887be5ed95b40d73e0f61f4b3e85f8a77d4bf4a222197b9d1c60711ae8481efbf9c183ba902dcbf437fdf70381bd232fe9c27cf0ce87c0f45b283b75b6d19962 |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\locales\zh-TW.pak
| MD5 | 9c51b828271263d574382077abd2e2f3 |
| SHA1 | 4de07caed06477855e4f4bba1d0d1178c5757171 |
| SHA256 | 21550464b12c7f9b23380acf7ca2b42c1b578581613c342196da95908f14c8af |
| SHA512 | 0e6921dbc4be8d5d98bf80e9b0f8c7fc31cb4e7553ca76b9c697a3f1428f855e59ee0dee99903a5215dddee9375532226af81128f066656d98db28a8d9738604 |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\resources\app.asar
| MD5 | 3b2869f88147288c90b1155d46f2d04d |
| SHA1 | faa43a7df73900a5149170693719713f702f24f3 |
| SHA256 | 8c800406762bcfc40932a5f55c99f5cf90af8eadf09283c06059c1c68552d9e8 |
| SHA512 | 7b8b405342b10b5989966b40de5098a67a90f2380c37d457793ebedf677a27ef1bd5789446e9f695dbe6500ae7794791d4a9c144b7488ae32d9f635e0a1096f1 |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\resources\elevate.exe
| MD5 | 792b92c8ad13c46f27c7ced0810694df |
| SHA1 | d8d449b92de20a57df722df46435ba4553ecc802 |
| SHA256 | 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37 |
| SHA512 | 6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40 |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\resources\app.asar.unpacked\node_modules\@img\sharp-win32-x64\versions.json
| MD5 | 71b6f79d28fe95b4e63bbc509ef50f42 |
| SHA1 | c44a2b2fd2ccacfead347a4f47bc150356118979 |
| SHA256 | 2c9ea5e852f8339c7ba4c6577cf6216a29d9c45f7c7ebe46bc0eb4f9750574f9 |
| SHA512 | 6bb14d063fe0ad6e2419b07f8852dca298db6c253b701c8995506b16ff946ba6ce7d136ce7744b92d544169488ec3a3ed110d2347c0c82e2413f7ec222b38af0 |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\resources\app.asar.unpacked\node_modules\@img\sharp-win32-x64\package.json
| MD5 | 8a6d6bc233909ba6af13ac6a3ff3a0cc |
| SHA1 | aa13757b831c934f625f8858dc4dd643a08c67ff |
| SHA256 | 778a81af264b8dd8cc2c593016d07d88da00acf6468732c8b4b55abbfb8e682b |
| SHA512 | 8dd5471acac5921d9e08b2b937fe1bb09ef49f0a885ea3ff7369127476bf04065a977e2fbe7a26e52fb0ac87eaed4268e782fb6a3aa393200de519c9257c446c |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\resources\app.asar.unpacked\node_modules\@img\sharp-win32-x64\LICENSE
| MD5 | 19cbd64715b51267a47bf3750cc6a8a5 |
| SHA1 | 172ca3bbafe312a1cf09cfff26953db2f425c28e |
| SHA256 | 73ba74dfaa520b49a401b5d21459a8523a146f3b7518a833eea5efa85130bf68 |
| SHA512 | f32944d2f94b018f42e0138eb9a1b7df3145beb1c7215e3c0e091bb07a083e3c23c379d47881da00a51e244d9c3708119aefd1658c988c1487923c7ba932c246 |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\LICENSE
| MD5 | 79558839a9db3e807e4ae6f8cd100c1c |
| SHA1 | ae3dbcee04c86fbc589fcf2547d4aaaeb41db3c2 |
| SHA256 | 7686f81e580cd6774f609a2d8a41b2cebdf79bc30e6b46c3efff5a656158981c |
| SHA512 | b42c93f2b097afa6e09d79ed045b4dd293df2c29d91dda5dda04084d3329b721a6aa92a6ad6714564386a7928e9af9195ac310deecd37a93bb04b6a6f744be46 |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\resources\app.asar.unpacked\node_modules\@img\sharp-win32-x64\lib\sharp-win32-x64.node
| MD5 | 1b516fab2c5e25b0bf6bf3bf3a885525 |
| SHA1 | 3c1bd2ddfaad46775ee6df5ff07badbc510d1c10 |
| SHA256 | fe184de118aa33421af89c43c93131a3a80027413e98b466ca56cb773c617e92 |
| SHA512 | dd5977b073dc3c6f05c7ef2506b7f4dac2410a1c729e4b7b42c4c5c31b1fa3776d2a1592139966c63424ef33ca685e50400617775a162277a9407b8ed97521f2 |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\resources\app.asar.unpacked\node_modules\@img\sharp-win32-x64\lib\libvips-cpp.dll
| MD5 | 86bf2c651e8cd92b2fe72717c1603a5d |
| SHA1 | f4986ed8279083237906307346596833eac1e713 |
| SHA256 | f7b1d8dc48b836ce4a2bd1d50321625bd920245bf0fa4344db885fd45388f7b2 |
| SHA512 | 38ca4fc5bbbebab6cc8c065db2c799a948887291f84283c5fe094a2e72d39c37cda23a866110969b7e4b5351e7f64c258ee9b8ed7d1ba9660ecdce00654a4644 |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\resources\app.asar.unpacked\node_modules\@img\sharp-win32-x64\lib\libvips-42.dll
| MD5 | 387b5dbed94e434a6723e38203a7d2c3 |
| SHA1 | afdc7eb5d080e2752dc63bbd3f92d056579a2827 |
| SHA256 | 92076cb17f3b11bb864dd103b4d8f5fb7580fc63c13a417b58f51dfa50ac7751 |
| SHA512 | 241a92d2be10668dd7e50945f2852a75e2fd51131604996c4567b316ed9bf0d77af6e3cacdaae40bd0c9c7dc61b5d8d5e7cd7f2aecd507c4a9fd2fa19973832f |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\deps\extract.js
| MD5 | f0a82a6a6043bf87899114337c67df6c |
| SHA1 | a906c146eb0a359742ff85c1d96a095bd0dd95fd |
| SHA256 | 5be353d29c0fabea29cfd34448c196da9506009c0b20fde55e01d4191941dd74 |
| SHA512 | d26879f890226808d9bd2644c5ca85cc339760e86b330212505706e5749464fafad1cb5f018c59a8f034d68d327cd3fa5234ceac0677de1ac9ae09039f574240 |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\deps\common-sqlite.gypi
| MD5 | 92c4c5168a6a883f2a69ea4a1a37b7b5 |
| SHA1 | 6dedc03d603631c1f70c626f5ef9d8ee6f342efa |
| SHA256 | 7b557c097c162c9ba04985ab822f92a176bf848c34ca38e54f061057ad0d8bd0 |
| SHA512 | 904e605fe5bf1134031edcadc91ed55bf72d7fb1c862f99f25a672d29fdb34af22d4114cae389a853d703bc35bfc2c8429f86608fed5eec897c115ac3dea8de5 |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\package.json
| MD5 | f9560f0fb25f1dc014682359373146c4 |
| SHA1 | b19c6321292cc63d26a18bef5d80787c5e57e746 |
| SHA256 | b145c00c63dde4da0eb3736b0d25fe79fa252a02daa9c3fdbb2d3a5783e98cf6 |
| SHA512 | dd51dcca43554f27b2718f87661cdfc86e6a51b36c15574870d793fa358f76816423c0ebcef34dd9a7fd7ce42e6be18f834100a327cdb3e6eb8dbd9d65792262 |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\deps\sqlite3.gyp
| MD5 | 0e4d1d898d697ec33a9ad8a27f0483bf |
| SHA1 | 1505f707a17f35723cd268744c189d8df47bb3a3 |
| SHA256 | 8793f62b1133892ba376d18a15f552ef12b1e016f7e5df32ffb7279b760c11bd |
| SHA512 | c530aba70e5555a27d547562d8b826b186540068af9b4ccd01483ec39f083a991ac11d0cc66f40acaa8b03d774080f227ee705a38995f356a14abe6e5f97b545 |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\deps\sqlite-autoconf-3410100.tar.gz
| MD5 | c6d5034cf39232299ccfdf8e3ddc5781 |
| SHA1 | e77599a2df4c5b114c942ddba4483550d8982bf2 |
| SHA256 | 4dadfbeab9f8e16c695d4fbbc51c16b2f77fb97ff4c1c3d139919dfc038c9e33 |
| SHA512 | 6e6dafc35b8b11df3cd3bea48aaf84a102893242cffbe18eb7b111791563095111a2a8a5632636b8f46523d98d16e2b48dab79ee6707a141b22c2e6fde3002a2 |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\lib\trace.js
| MD5 | e5c2de3c74bc66d4906bb34591859a5f |
| SHA1 | 37ec527d9798d43898108080506126b4146334e7 |
| SHA256 | d06caec6136120c6fb7ee3681b1ca949e8b634e747ea8d3080c90f35aeb7728f |
| SHA512 | e250e53dae618929cbf3cb2f1084a105d3a78bdfb6bb29e290f63a1fd5fbb5b2fab934ad16bc285e245d749a90c84bdc72fdc1a77af912b7356c18b0b197fbe5 |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\lib\sqlite3.js
| MD5 | 275019a4199a84cfd18abd0f1ae497aa |
| SHA1 | 8601683f9b6206e525e4a087a7cca40d07828fd8 |
| SHA256 | 8d6b400ae7f69a80d0cdd37a968d7b9a913661fa53475e5b8de49dda21684973 |
| SHA512 | 6422249ccd710973f15d1242a8156d98fa8bdea820012df669e5363c50c5d8492d21ffefcdfa05b46c3c18033dde30f03349e880a4943feda8d1ee3c00f952b0 |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\lib\sqlite3-binding.js
| MD5 | ff6a0462767c6bf185a566f4aef65ba5 |
| SHA1 | 7a3c3ee6748d00fac6e51e366518bb48a41794bb |
| SHA256 | 049b7b1b10417274be6c3e6a9518ac364729354435298d70abf834c35e8f3bf3 |
| SHA512 | 088d706f5a18323128547b0f126564fb7fa7a36dc8365ee8287663b2cb63da2d02a991bc5cda19af24da2aa063357c25f21347835f9a8aaef341b33bd21127df |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\lib\binding\napi-v6-win32-unknown-x64\node_sqlite3.node
| MD5 | 3072b68e3c226aff39e6782d025f25a8 |
| SHA1 | cf559196d74fa490ac8ce192db222c9f5c5a006a |
| SHA256 | 7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01 |
| SHA512 | 61ebc72c20195e99244d95af1ab44fa06201a1aee2b5da04490fdc4312e8324a40b0e15a7b42fab5179753d767c1d08ae1a7a56ac71a6e100e63f83db849ee61 |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\src\backup.h
| MD5 | 283f3987e0e65dca1b029bdbb625ccc2 |
| SHA1 | 285d7995459c11a47e13834ae3ec0167eacf7d01 |
| SHA256 | d3956cdbb650e1ecff8c94fe4e8645f80e10088156d409703c19f186a9c41aa8 |
| SHA512 | ff5c21bd53bf75b33a5430d1abdc8a8649af1535ec02aa5fceb91ed1189e44f0818e25556946d3ad8032b077fa30e73503464aff219b42cbace1ea3f97acb605 |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\src\async.h
| MD5 | 7fcbaffdc03bb5164fbb27f8552dcf5d |
| SHA1 | 590e3430c1dfa30f241d56ea01f364d5b9e7e991 |
| SHA256 | b6e86bf43d74c8ee2c2f57eb1947be6ce5d8c258c4866609571ed6c97b58b53c |
| SHA512 | e44d4850651e0e070d3f686db3d3797632121e32dc65b869739c0b45cfa13c055fc42d650f04c41915264b8772fcfeb2a38148b9fbe21a001af5a455854336b5 |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\src\macros.h
| MD5 | 592ca8ac280135c059c9ed651ac738c3 |
| SHA1 | ac8e8b5e835ea2810a443df2a57f3bdc3c60b2c6 |
| SHA256 | 8d1afb5d27eab8302de08aca87eb6edc1b99ae963a854d3bd652a4fc61cbe3c6 |
| SHA512 | b4e317200e3cab4dfac93e684150d21f7dd89a656f8a9f576b9cfb22090e8db6c458008a4a1406121fabdac034cfb80200a740d0caf6ec63fbf71ad2fde41029 |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\src\gcc-preinclude.h
| MD5 | 55a9165c6720727b6ec6cb815b026deb |
| SHA1 | e737e117bdefa5838834f342d2c51e8009011008 |
| SHA256 | 9d4264bb1dcbef8d927bb3a1809a01b0b89d726c217cee99ea9ccfdc7d456b6f |
| SHA512 | 79ed80377bfb576f695f271ed5200bb975f2546110267d264f0ab917f56c26abf6d3385878285fe3e378b254af99b59bdb8bbcab7427788c90a0460eb2ee5b77 |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\src\threading.h
| MD5 | f2a075d3101c2bf109d94f8c65b4ecb5 |
| SHA1 | d48294aec0b7aeb03cf5d56a9912e704b9e90bf6 |
| SHA256 | e0ab4f798bccb877548b0ab0f3d98c051b36cde240fdf424c70ace7daf0ffd36 |
| SHA512 | d95b5fda6cb93874fe577439f7bd16b10eae37b70c45ae2bd914790c1e3ba70dfb6bda7be79d196f2c40837d98f1005c3ed209cab9ba346ada9ce2ed62a87f13 |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\src\statement.h
| MD5 | 13d7bf3557e57ef3036bad68cfa8faae |
| SHA1 | 94c1af952f38e9f1ad2d722ec3a063fbe666e66b |
| SHA256 | 2c99d9cef21876db64b610dd9baba8de1f7c94028d6d1c463eb3db213745b3bf |
| SHA512 | 63e4543833d602b0c6ad9c21438e61782c252a5e30b776a9c942e1ecc34c1a7c471a39195caa20aefb072add66c83d99af902d620857d18ddad196f4f207a161 |
C:\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\src\database.h
| MD5 | f023c6c0baf0411cb6eef0a7b2baad13 |
| SHA1 | 748b78bf3ed5adc11e83f705033d8338d7eef2b5 |
| SHA256 | 8c5bcd084dddab2f2994b6cddc9b69a8f78a1034588b765e7bd859f27868fe43 |
| SHA512 | 08648cb37c0284799bb98fa2eb1abb508c8b992b43425203839e1e7f4092b7d2d7c83f6419417281ae278d3d61ade0b65959cf12f0c449a9688ee97749593dad |
\Users\Admin\AppData\Local\Temp\nsjF1EE.tmp\WinShell.dll
| MD5 | 1cc7c37b7e0c8cd8bf04b6cc283e1e56 |
| SHA1 | 0b9519763be6625bd5abce175dcc59c96d100d4c |
| SHA256 | 9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6 |
| SHA512 | 7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f |
memory/848-728-0x0000000002B10000-0x0000000002B12000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2024-11-13 11:29
Reported
2024-11-13 11:32
Platform
win10v2004-20241007-en
Max time kernel
59s
Max time network
74s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3dcompiler_47.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
Analysis: behavioral30
Detonation Overview
Submitted
2024-11-13 11:29
Reported
2024-11-13 11:32
Platform
win10v2004-20241007-en
Max time kernel
38s
Max time network
40s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\sqlite-autoconf-3410100\Replace.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-11-13 11:29
Reported
2024-11-13 11:32
Platform
win10v2004-20241007-en
Max time kernel
59s
Max time network
79s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\@img\sharp-win32-x64\lib\libvips-42.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.209.201.84.in-addr.arpa | udp |
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-11-13 11:29
Reported
2024-11-13 11:32
Platform
win10v2004-20241007-en
Max time kernel
58s
Max time network
66s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\@img\sharp-win32-x64\lib\libvips-cpp.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-11-13 11:29
Reported
2024-11-13 11:32
Platform
win10v2004-20241007-en
Max time kernel
59s
Max time network
71s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\@img\sharp-win32-x64\lib\sharp-win32-x64.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
Analysis: behavioral28
Detonation Overview
Submitted
2024-11-13 11:29
Reported
2024-11-13 11:32
Platform
debian9-mipsel-20240611-en
Max time kernel
0s
Command Line
Signatures
Processes
/tmp/sqlite-autoconf-3410100/Makefile.fallback
[/tmp/sqlite-autoconf-3410100/Makefile.fallback]
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-11-13 11:29
Reported
2024-11-13 11:32
Platform
win7-20240903-en
Max time kernel
20s
Max time network
20s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 220
Network
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-11-13 11:29
Reported
2024-11-13 11:32
Platform
win7-20240903-en
Max time kernel
31s
Max time network
19s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b3e8f15f634dfc43bfa5c3a2648d88c400000000020000000000106600000001000020000000be825060eeb8e568f640584a043f321a22aa42d55a483d4dcf050ca4aedfaf29000000000e80000000020000200000006be28303daefa78bc157314d16db31e992ff99473426def2a096c1c0a8cc38c120000000837741744799eee7bdc7488595ff966a0aefa94d3e7e040cb883c47b699db6a840000000d0c087efa9edd64fb10bef847af261488632c4abe4c5c6265aeaf3723ea892c2a53b432b1ca5d3de700b2da3ae2ff536729e754a5fbddaae15d0f5f15bbef0ec | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b3e8f15f634dfc43bfa5c3a2648d88c4000000000200000000001066000000010000200000008fcbc5d041525909b7411dc9237c722346a6209dc345e4998ff7025b827877c8000000000e80000000020000200000007e43a2a998820bb864272398e8e9a2df8ccb8f4aa10bc041d80dcac16e16c37590000000ef0583ed6d1fafa5691dbbdb107ee0fe117a3633aff21d393e72552dea4210ee267e6ce14519f44a8ecabd11ce494ec13cc081dd9d2730ddf7e71c4cda37953e11e05e75f8358ad285dae9fa31201807cb4c998c40c5e16c61c4c68dba45440d12c786096f6e16a0fa975355b8d62ac87c0212b62d926af9bb0e7c556dfc6b69a5decbad651667375a6024358e1395924000000089028169695e561f95a98296b0e403cce44e8abb5feb9729577cd920b27baf789df24e056faac54ac488cee42717dba37e8b8f30863b5cb00aa0bf33f0a95695 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CF461531-A1B2-11EF-B945-527E38F5B48B} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c09f51a4bf35db01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2260 wrote to memory of 2816 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2260 wrote to memory of 2816 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2260 wrote to memory of 2816 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2260 wrote to memory of 2816 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2260 CREDAT:275457 /prefetch:2
Network
Files
C:\Users\Admin\AppData\Local\Temp\Cab348B.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar34EC.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4ab85121dc5401c5e7604ef1cb162e34 |
| SHA1 | edb64faabfd5343c91812b24423946f8761cb1e8 |
| SHA256 | 7148e14922ebf6328249cf9dd9239173c0de75c965d8cac09b5d97f057e97864 |
| SHA512 | c1c16bacd3de89997dc1535e52f0004480adda0d454b4ecc8ebd85f6248638f438618f7d8af648eab11fce8b0506567f19fc617fd2505672ab858e39df400b62 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a05b78b22a6c50b9dc623185f47d2cf8 |
| SHA1 | e4fa52c0f2fbe00bddb522816dd611edd500c1bb |
| SHA256 | df615decf897b61113e7b1766bc6cab985e5df03598c9b71190915acd5c8e79e |
| SHA512 | 6935b3eaec5dd8094190cb7f6bfc379bf6dbef5e09efdbfed7f76dbbe5b538b2dd21231d26c1649dc492932f5396f24d9fb13a9508dc3181fbff692af6e46daa |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e18899136845d460a10536bd23dba3d3 |
| SHA1 | 10418eb9df43a0e12e6a4dd45e3a6b47216bf229 |
| SHA256 | 2c52554632a0cb595c3a22aadebbcb9b0577c02e199762bbe7f598a9e468d2cc |
| SHA512 | 6b1e57da85ace06548d5ec1b13fd6119c4c259b1a546c430d16a94961b5d07d2fcc084891313fcae19591c8c691bd17f9aaeafffa2d2999e48618be5fcc7be74 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3477083f19172f8deebd10ae98b66405 |
| SHA1 | 7704abe8f3bce54b011c96007108d85a7a732930 |
| SHA256 | 781b92a3441cb7a6064ca04be24ccd0e8524b13265c120505bfdd69e85e98948 |
| SHA512 | 9bd52febc1edcb525d198cf7e02878dc32d6194641bda09cfc46fcd7bb5a1c68753e0a383e8bace698d1c2f615bbd3de337d5e42e50e2f482a4de734d4091e33 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 277d47b643f3a090fe18c405ee5dcc60 |
| SHA1 | 2afdd562f9aaa1159fc4eeb979b80dc313d12404 |
| SHA256 | 143b63448980b42719415ea760d7af1f2c28c01af593871649654525cd39fea9 |
| SHA512 | b19515a170fac2524ec7de11bca24c4b61baf25764e0ac7a543b62194c8e22834ea1788af595d5356b1fe04a86a541e28f1a10d8bfd858e7e264768771005670 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7ff6a1a3eb80be35f99464f93b4116b1 |
| SHA1 | 4b0a88509a63fb4cf8a3b8d78e21db4eeb4ec706 |
| SHA256 | 85c1aaf71e71ec8ceef74789b986872a11d0ab3c697d545296c4eb8d1dd5380c |
| SHA512 | 485e9e4134b7b34c74f09e9d23ac33eb3ca9e21727418fc2d71797af4a8122a696e1d0ac192b639927ba03534c635f237f300068a4990e60c368319affb148b1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 078d7e75e0f8ecfa07d347ee6467a16a |
| SHA1 | 369d8b77673ff9bf0497f2b92928b2778bb5c798 |
| SHA256 | 3844e1d2a2455e10c0441ecbd8bcee59c499d239db4aba39d878f478dd0c7761 |
| SHA512 | f34fedecdd98e0dfa38ea79642934d64e9ef54e39d99fa2126fda740fef4788b1f37c7abd6f5793b5fe5cbe2a980a43036376f8d57c785db8e4567a94398a298 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8131220f566c9ac3203215c508ee3bd2 |
| SHA1 | ccce8aa9a34dfd58ec06b7cba715624baf69cfca |
| SHA256 | f3e89de8e48e125b99b2a68476c864757385e73963f16880ad4e63fe7c47df7a |
| SHA512 | 160a309aae9926e237d86d32a572e64f5303c8fdb68efc34ed45524f46fc3be8765c8b6058d6d68da10c30d37585aef971b7be039ada96abb89bf93cb2713d95 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 93e1ad6d5f24c46a12335d798938b219 |
| SHA1 | 590c2a7735340c97002f946868daf72eab6c36e8 |
| SHA256 | 059b70f943e2e95ced39448e75f50e1c234a068203b1503ce4cdb28e66bad164 |
| SHA512 | d0f90cc545ef4e9aca683caafb10d8517905b5e05022f8df175ce1310ab32d6235c5981b05b0fddd10dc603a8c77924670dd8fb35f0c2a2de8a34259ff6b9697 |
Analysis: behavioral21
Detonation Overview
Submitted
2024-11-13 11:29
Reported
2024-11-13 11:32
Platform
win7-20241023-en
Max time kernel
7s
Max time network
21s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\@img\sharp-win32-x64\lib\sharp-win32-x64.dll,#1
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-13 11:29
Reported
2024-11-13 11:32
Platform
win7-20240708-en
Max time kernel
21s
Max time network
16s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2200 wrote to memory of 1796 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2200 wrote to memory of 1796 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2200 wrote to memory of 1796 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2200 wrote to memory of 1796 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2200 wrote to memory of 1796 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2200 wrote to memory of 1796 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2200 wrote to memory of 1796 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SpiderBanner.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SpiderBanner.dll,#1
Network
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-11-13 11:29
Reported
2024-11-13 11:32
Platform
win10v2004-20241007-en
Max time kernel
59s
Max time network
72s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-11-13 11:29
Reported
2024-11-13 11:32
Platform
win7-20241010-en
Max time kernel
7s
Max time network
20s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\@img\sharp-win32-x64\lib\libvips-42.dll,#1
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-11-13 11:29
Reported
2024-11-13 11:32
Platform
win7-20240708-en
Max time kernel
14s
Max time network
17s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 220
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-11-13 11:29
Reported
2024-11-13 11:32
Platform
win10v2004-20241007-en
Max time kernel
33s
Max time network
38s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2764 wrote to memory of 4520 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2764 wrote to memory of 4520 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2764 wrote to memory of 4520 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4520 -ip 4520
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 628
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-11-13 11:29
Reported
2024-11-13 11:32
Platform
win10v2004-20241007-en
Max time kernel
59s
Max time network
67s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-11-13 11:29
Reported
2024-11-13 11:32
Platform
ubuntu1804-amd64-20240611-en
Max time kernel
0s
Max time network
60s
Command Line
Signatures
Processes
/tmp/sqlite-autoconf-3410100/Makefile.fallback
[/tmp/sqlite-autoconf-3410100/Makefile.fallback]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| GB | 185.125.188.61:443 | tcp | |
| GB | 185.125.188.62:443 | tcp | |
| US | 151.101.129.91:443 | tcp | |
| US | 151.101.129.91:443 | tcp | |
| GB | 89.187.167.5:443 | tcp |
Files
Analysis: behavioral32
Detonation Overview
Submitted
2024-11-13 11:29
Reported
2024-11-13 11:32
Platform
win10v2004-20241007-en
Max time kernel
60s
Max time network
74s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\sqlite3\lib\binding\napi-v6-win32-unknown-x64\node_sqlite3.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-13 11:29
Reported
2024-11-13 11:32
Platform
win10v2004-20241007-en
Max time kernel
31s
Max time network
44s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4248 wrote to memory of 1984 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4248 wrote to memory of 1984 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4248 wrote to memory of 1984 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SpiderBanner.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SpiderBanner.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-11-13 11:29
Reported
2024-11-13 11:32
Platform
win10v2004-20241007-en
Max time kernel
59s
Max time network
68s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-11-13 11:29
Reported
2024-11-13 11:32
Platform
debian9-armhf-20240611-en
Max time kernel
0s
Command Line
Signatures
Processes
/tmp/sqlite-autoconf-3410100/Makefile.fallback
[/tmp/sqlite-autoconf-3410100/Makefile.fallback]
Network
Files
Analysis: behavioral29
Detonation Overview
Submitted
2024-11-13 11:29
Reported
2024-11-13 11:32
Platform
win7-20240903-en
Max time kernel
15s
Max time network
21s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\sqlite-autoconf-3410100\Replace.js
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 11:29
Reported
2024-11-13 11:32
Platform
win10v2004-20241007-en
Max time kernel
61s
Max time network
72s
Command Line
Signatures
Clipboard Data
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\roarkaot\roarkaot.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\roarkaot\roarkaot.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\roarkaot\roarkaot.exe | N/A |
Loads dropped DLL
Checks installed software on the system
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\find.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\roarkaot Setup 1.0.0.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\roarkaot Setup 1.0.0.exe
"C:\Users\Admin\AppData\Local\Temp\roarkaot Setup 1.0.0.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq roarkaot.exe" /FO csv | "C:\Windows\system32\find.exe" "roarkaot.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "USERNAME eq Admin" /FI "IMAGENAME eq roarkaot.exe" /FO csv
C:\Windows\SysWOW64\find.exe
"C:\Windows\system32\find.exe" "roarkaot.exe"
C:\Users\Admin\AppData\Local\Programs\roarkaot\roarkaot.exe
"C:\Users\Admin\AppData\Local\Programs\roarkaot\roarkaot.exe"
C:\Users\Admin\AppData\Local\Programs\roarkaot\roarkaot.exe
"C:\Users\Admin\AppData\Local\Programs\roarkaot\roarkaot.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\roarkaot" --gpu-preferences=UAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1924,i,14121230345587530905,12327169903163478761,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1916 /prefetch:2
C:\Users\Admin\AppData\Local\Programs\roarkaot\roarkaot.exe
"C:\Users\Admin\AppData\Local\Programs\roarkaot\roarkaot.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\roarkaot" --field-trial-handle=2156,i,14121230345587530905,12327169903163478761,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2152 /prefetch:3
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -command "Get-Clipboard""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -command "Get-Clipboard""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -command "Get-Clipboard""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -command "Get-Clipboard""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -command "Get-Clipboard""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -command "Get-Clipboard""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -command "Get-Clipboard""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -command "Get-Clipboard""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -command "Get-Clipboard""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -command "Get-Clipboard""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -command "Get-Clipboard""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -command "Get-Clipboard""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -command "Get-Clipboard""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -command "Get-Clipboard""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -command "Get-Clipboard""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -command "Get-Clipboard""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -command "Get-Clipboard""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -command "Get-Clipboard""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -command "Get-Clipboard""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -command "Get-Clipboard""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -command "Get-Clipboard""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -command "Get-Clipboard""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -command "Get-Clipboard""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -command "Get-Clipboard""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -command "Get-Clipboard""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -command "Get-Clipboard""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -command "Get-Clipboard""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -command "Get-Clipboard""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -command "Get-Clipboard""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -command "Get-Clipboard""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -command "Get-Clipboard""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -command "Get-Clipboard""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -command "Get-Clipboard""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -command "Get-Clipboard""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -command "Get-Clipboard""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -command "Get-Clipboard""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -command "Get-Clipboard""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -command "Get-Clipboard""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -command "Get-Clipboard""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -command "Get-Clipboard""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -command "Get-Clipboard""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -command "Get-Clipboard""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Get-Clipboard"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | high.2i1dyj2.mongodb.net | udp |
| US | 8.8.8.8:53 | ac-g911k07-shard-00-01.2i1dyj2.mongodb.net | udp |
| US | 8.8.8.8:53 | ac-g911k07-shard-00-02.2i1dyj2.mongodb.net | udp |
| US | 8.8.8.8:53 | ac-g911k07-shard-00-00.2i1dyj2.mongodb.net | udp |
| BH | 15.185.170.155:27017 | ac-g911k07-shard-00-02.2i1dyj2.mongodb.net | tcp |
| BH | 157.241.30.188:27017 | ac-g911k07-shard-00-01.2i1dyj2.mongodb.net | tcp |
| BH | 15.184.66.59:27017 | ac-g911k07-shard-00-00.2i1dyj2.mongodb.net | tcp |
| US | 8.8.8.8:53 | 155.170.185.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 188.30.241.157.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.66.184.15.in-addr.arpa | udp |
| BH | 15.185.170.155:27017 | ac-g911k07-shard-00-02.2i1dyj2.mongodb.net | tcp |
| BH | 15.185.170.155:27017 | ac-g911k07-shard-00-02.2i1dyj2.mongodb.net | tcp |
| BH | 157.241.30.188:27017 | ac-g911k07-shard-00-01.2i1dyj2.mongodb.net | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| BH | 15.184.66.59:27017 | ac-g911k07-shard-00-00.2i1dyj2.mongodb.net | tcp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\System.dll
| MD5 | 0d7ad4f45dc6f5aa87f606d0331c6901 |
| SHA1 | 48df0911f0484cbe2a8cdd5362140b63c41ee457 |
| SHA256 | 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca |
| SHA512 | c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9 |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\StdUtils.dll
| MD5 | c6a6e03f77c313b267498515488c5740 |
| SHA1 | 3d49fc2784b9450962ed6b82b46e9c3c957d7c15 |
| SHA256 | b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e |
| SHA512 | 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803 |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\SpiderBanner.dll
| MD5 | 17309e33b596ba3a5693b4d3e85cf8d7 |
| SHA1 | 7d361836cf53df42021c7f2b148aec9458818c01 |
| SHA256 | 996a259e53ca18b89ec36d038c40148957c978c0fd600a268497d4c92f882a93 |
| SHA512 | 1abac3ce4f2d5e4a635162e16cf9125e059ba1539f70086c2d71cd00d41a6e2a54d468e6f37792e55a822d7082fb388b8dfecc79b59226bbb047b7d28d44d298 |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\nsExec.dll
| MD5 | ec0504e6b8a11d5aad43b296beeb84b2 |
| SHA1 | 91b5ce085130c8c7194d66b2439ec9e1c206497c |
| SHA256 | 5d9ceb1ce5f35aea5f9e5a0c0edeeec04dfefe0c77890c80c70e98209b58b962 |
| SHA512 | 3f918f1b47e8a919cbe51eb17dc30acc8cfc18e743a1bae5b787d0db7d26038dc1210be98bf5ba3be8d6ed896dbbd7ac3d13e66454a98b2a38c7e69dad30bb57 |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\nsis7z.dll
| MD5 | 80e44ce4895304c6a3a831310fbf8cd0 |
| SHA1 | 36bd49ae21c460be5753a904b4501f1abca53508 |
| SHA256 | b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592 |
| SHA512 | c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df |
C:\Users\Admin\AppData\Local\Programs\roarkaot\chrome_100_percent.pak
| MD5 | 3c72d78266a90ed10dc0b0da7fdc6790 |
| SHA1 | 6690eb15b179c8790e13956527ebbf3d274eef9b |
| SHA256 | 14a6a393c60f62df9bc1036e98346cd557e0ae73e8c7552d163fa64da77804d7 |
| SHA512 | b1babf1c37b566a5f0e5f84156f7ab59872690ba0bdd51850525f86769bfebc245f83988a3508945cf7617d73cd25e8469228974dd2c38415388b6a378552420 |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\chrome_200_percent.pak
| MD5 | 3969308aae1dc1c2105bbd25901bcd01 |
| SHA1 | a32f3c8341944da75e3eed5ef30602a98ec75b48 |
| SHA256 | 20c93f2cfd69f3249cdfd46f317b37a9432ecc0de73323d24ecf65ce0f3c1bb6 |
| SHA512 | f81ed1890b46f7d9f6096b9ef5daab5b21788952efb5c4dcd6b8fd43e4673a91607c748f31434c84a180d943928d83928037058493e7e9b48c3de1fc8025df7f |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\ffmpeg.dll
| MD5 | ebf0485fbf546b010c2b10c5c8e7d5ed |
| SHA1 | a4a546f6be93bae535aa724ce2832f428cc91f89 |
| SHA256 | 46a20d91861f6e966959635dd5f1adfd7f33449dd814a9aecf207b0cd53117ba |
| SHA512 | 9e6011c0269556376907850fddac8fdf50e132434da7daf4d87be83c1b89b7aef847b25b6216686915225a82374fac6ff987f22efc01d5b1c2cc81d53d7facc9 |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\d3dcompiler_47.dll
| MD5 | a7b7470c347f84365ffe1b2072b4f95c |
| SHA1 | 57a96f6fb326ba65b7f7016242132b3f9464c7a3 |
| SHA256 | af7b99be1b8770c0e4d18e43b04e81d11bdeb667fa6b07ade7a88f4c5676bf9a |
| SHA512 | 83391a219631f750499fd9642d59ec80fb377c378997b302d10762e83325551bb97c1086b181fff0521b1ca933e518eab71a44a3578a23691f215ebb1dce463d |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\libEGL.dll
| MD5 | 4c01b3614be1f38a6d594443a547c257 |
| SHA1 | 7eaa456b164613577d0965ab5a57ba2b681a6ffa |
| SHA256 | e36da1a4228899bebe50cc5da1fcbbc590cdcb3ddee0b2a19defd99a805b6ed4 |
| SHA512 | b72fc071dc791c63978465a68c9a4904d5f1c458d302bb710e83576f20ef928d73c487248a305bb455990c2d8a6b894ee47d88bca6bc92360f286849ae1a1257 |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\icudtl.dat
| MD5 | ffd67c1e24cb35dc109a24024b1ba7ec |
| SHA1 | 99f545bc396878c7a53e98a79017d9531af7c1f5 |
| SHA256 | 9ae98c06cbb0ea43c5cd6b5725310c008c65e46072421a1118cb88e1de9a8b92 |
| SHA512 | e1a865e685d2d3bacd0916d4238a79462519d887feb273a251120bb6af2b4481d025f3b21ce9a1a95a49371a0aa3ecf072175ba756974e831dbfde1f0feaeb79 |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\libGLESv2.dll
| MD5 | 9bbeb7b27646442c8bc2d202a73516d5 |
| SHA1 | a7f7a52dc45bf130581953e07ce9b9851cbce90a |
| SHA256 | 2b80817443265e7979b9a77075492e8e29be3ba775d20f646cdda391efbab21c |
| SHA512 | f9826e43f53bb9b906b5c62ff2502d4e8dc3ff99b72420cf313a5811061cb146651cba3b8f864f34dfcfd51c6e3b39a0a640719ef94d7696bdc4fab7e9d16785 |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\LICENSE.electron.txt
| MD5 | 4d42118d35941e0f664dddbd83f633c5 |
| SHA1 | 2b21ec5f20fe961d15f2b58efb1368e66d202e5c |
| SHA256 | 5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d |
| SHA512 | 3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63 |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\LICENSES.chromium.html
| MD5 | f017c462d59fd22271a2c5e7f38327f9 |
| SHA1 | 7e1bbeea6ac2599bd0f08877aa5811d32f1aceb9 |
| SHA256 | 40f314c778851106918aae749d75b2d913984327602a1bfb7ef0cc6443ff2a37 |
| SHA512 | 72177281486f6ec26ccc743b43481c31470c7dd53f17b0a67ac087dded190c2e3dde5570260150c2e9650186a515740af7f81e31965c95bb762340f9ac100c07 |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\resources.pak
| MD5 | 7398d5aee46689f03c278c8954f68f2b |
| SHA1 | 62e10057cfb2dc53c62d088d4fde3252d1216d86 |
| SHA256 | 9590361aa74c43818881e622f2e3b7992c978397f7ac269f37accb435b134fc8 |
| SHA512 | 1d6ae4cadd302fd683be66016cc4aa092bfe9689b81e1a764512327983f558a7ad9a10aadb7f8e13b73949d648d0e14ea0eb7c2de2420353a46e44c6b647c652 |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\snapshot_blob.bin
| MD5 | 0406a232eb55e516dc38b4967671846a |
| SHA1 | aade7c03b1ecc81027c98a79285687bc19276fc5 |
| SHA256 | 4f944691b7066ef5653cfbf6b016488f6e5f0afd2d6bc03b90de5485514f83f5 |
| SHA512 | c608095510f88348e1e412ef573e4aeb4a7d328dec2892bada688a06baa023fcea1cc0dfbba6f6c41de303f3b6d5e1c4335a2610f3ec47a690e4f309f8782359 |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\vk_swiftshader_icd.json
| MD5 | 8642dd3a87e2de6e991fae08458e302b |
| SHA1 | 9c06735c31cec00600fd763a92f8112d085bd12a |
| SHA256 | 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9 |
| SHA512 | f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\vk_swiftshader.dll
| MD5 | abd993f23ed3c75fb80320a10451dd66 |
| SHA1 | 95b13400418512870a37a4e59ecc7dd9c467df2b |
| SHA256 | 52c64e3bd5f852f7c2628bca773bb5a270ad40f5e31bcf8429323cb9fd1bd4da |
| SHA512 | fe98cabf2e3500d52b09f9869f3ceab6c7ed8fefb7fba56eb62a5319053ea997881112abf139f2e642210eb4b61d5a726b8dc41d4565b81faaeb5d64a00e6267 |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\v8_context_snapshot.bin
| MD5 | 3eef488e8b9d35f710634c4d404c7e1a |
| SHA1 | 971c730ccfba2db0fee379683f4e310df5c9f1df |
| SHA256 | 3a189b50da4b31b5af6cdfdb6398fa039ccac9e13898e4851b27c4d91f4dff6c |
| SHA512 | f787b7633edf75905674c467f7c291a2b3791a8475b11e1d4fb1769ebe872c6b70d778124c22a55b96efe2ac443c82750371421ac9fe8f2cc8bb47ce0e3648d6 |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\vulkan-1.dll
| MD5 | 0b95f0a5905c4075a3fbef0ddb71e915 |
| SHA1 | 72a4536da15d5d9e1617331d8e4a5c5a579c75b3 |
| SHA256 | 03b808d8045ebefebf2e2847be039358f7ec1db63e1c601847b8cd304c3db448 |
| SHA512 | 9e57eeaafdaf0b5516822d1ca7ef1995442a03677f856828d49ccc01ab8492245d8659eec7675822fc8610ba250e49a6f3c8569aad2a324cec83e0d6b5201187 |
C:\Users\Admin\AppData\Local\Programs\roarkaot\locales\af.pak
| MD5 | 09455048c30cecbb17d6e0e95e4c01da |
| SHA1 | 6572850b07df45933ed57754f72c44895a7ef662 |
| SHA256 | e973763dcc0ffd7a5afe0a62ec9651c4c3db7fe29a23797fafc34b83512d03aa |
| SHA512 | f59b68c213815ad81379c964abe6597b900b9fac5fe17e2cb378d015c4803f96b598ef70333d594599b3283a88a9ca9cb2475afc2590eda2ddf7b041ba2368e3 |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\am.pak
| MD5 | 1c47cbc228940f5c645f2fd77602253e |
| SHA1 | 474a5006ae9ae774b5d420c2f1fb0d0f2ff36afb |
| SHA256 | 5245154c986ca89ef53a24a4246345e3db01ebe47219f1d0772935b03e81e37b |
| SHA512 | dd4e7c1e26759001ab1ef63f93e847e2908c78d943c7546c88e1988d96a6625f9de9e0ab8b38af4c7b07202e1a5488023cc3429075de6c9b9394307c88442673 |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\bg.pak
| MD5 | e1322b5cdbb96d2cf4a5fa5993c2acc6 |
| SHA1 | e813a5685b1885c2788c4826a8f8659493febbf5 |
| SHA256 | 39707fb80e38e9404accac5f12ff1f3745589bd80b1586e2208b27c0c8eafcc2 |
| SHA512 | 2c6e766d671bc4ac772196e40b818039fc88f02eeaa59f78c78558e5e2670c1fb7fed9391684160c0af5a92acf8991533b298b5aabc3919c706f23f094f2ac15 |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\cs.pak
| MD5 | 709ed2e9426081c9e86d9abdc74b44a3 |
| SHA1 | f55fc17c8b9bc5f09a539ecb8b995c1b43fc4d25 |
| SHA256 | 6597d0dadf724999741e0f24953ce9be02c8b98ecb8a382115b205edde87c160 |
| SHA512 | 992ba983cb8b24bf0ff190715c5845f34b13f17227486350fc736c872ac8f0b21347f5f6d13e2e204e928ec664e283ca65b65f72d9910725f55d737b6c5fda40 |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\el.pak
| MD5 | 4009c890acb9b81928e6e1a4b593dd62 |
| SHA1 | 83083e9c948ebba18fa990e230ee33fceae43cbc |
| SHA256 | 897b6fae230e6a3cd14e16eb537f96d820950f5a4537fe146a732ab028b7124d |
| SHA512 | b4c87024d3cd612b8af6f73b31853936614f4315ba9a48b4687120dc64e1794c568c4e074e41ae6f8dedeab61484e145dc0ca3bdb95482fd85492fddc26ab6ce |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\en-US.pak
| MD5 | d47cded365a28d27906414035c1cb3ca |
| SHA1 | 429123c86f6ca48a89bedc9a26027e01508e6db9 |
| SHA256 | 46958caf9847e33a11593ad024d5a95cc696edcd4620cf07e7b2b78c72b9c00c |
| SHA512 | 1a16d784913fead116460c9ff42e21ae482865cfe2d6ed1b1296496e46a05e513f8d048fa4d245e7a82ef61de4c4130696d5b1c647c918995f6877a888bd0853 |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\en-GB.pak
| MD5 | ceba44242f8b24b70c9b59b5094d8da8 |
| SHA1 | 84e16c522ad397289a923e5cd4b012e2d323af4e |
| SHA256 | b0fd61679565a7649c90214efecdf6e1231a8e7895dad93452bfa1425417d5b7 |
| SHA512 | 31cd936157a7408a43dcba597f6e098499dd4c5fc011ef818ce93eb7a05c9d354229c3b2295dbc290a6d3f3600373f18f75b334ba9013a5dc0be44c82f2e51bd |
C:\Users\Admin\AppData\Local\Programs\roarkaot\locales\de.pak
| MD5 | 3a9f06d1708b7620e2639851024ed0b8 |
| SHA1 | 51c0d824bf38250ec0aae58e63141489931f02ec |
| SHA256 | 91da97794994f6544707299fee6b775745dc3891fc879d8e8a05844c6383eb53 |
| SHA512 | 08e80783de403651af208387a3191db30d1353cc25f310c917a1133b2622e4b6809bc2bd881517678e9229e6492705c5f45be3e849c0512c4a651c5b7026c926 |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\fa.pak
| MD5 | e5d53b9d5756871d684d018fb0c745b5 |
| SHA1 | b00a40704c91b33c2aa0f6829ae3dd886ba7177d |
| SHA256 | 8b93023af6428322b9b13aca5da9bd395a9c4775c72b758df8eb564d35d15cbd |
| SHA512 | e722f114485cbbb5284d23f1ad1061213f40083c5da2ac9753e1416f75f7cee9d8315e6f4582322d992beb9a8cacefb607ee0b1737e3a6da775fc059a17c3fb1 |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\hi.pak
| MD5 | e3b31e519b925414176ef2d9546c356c |
| SHA1 | 7cebb1c5fd9c78f704bb9e5c463f67c5426d0171 |
| SHA256 | 82fbb97e7d9634df3c806439e144cf8d153d840bad98f6e790726841a91acd13 |
| SHA512 | fc3e735f010776cbdaba1592e6f685a1fb4773ab5062f5ba9ed95d9bcab2f0ce9ab024ed95158263450fc58c3197b84e38883262a588d6d92c4e623c61b4d200 |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\he.pak
| MD5 | 06e89cfa4c6f4bfb7aaead492c4f08f2 |
| SHA1 | 39d943e0eb1637cd3f5a7b66ebcd28e76c89aaeb |
| SHA256 | 6b7937f16ae53457ac9a0c18fbac68b2076200b0fc98cb781415fdaf18c49301 |
| SHA512 | 8b6d33657eda8a3f1d1bfd55135de88953d21916e72df646fec2b5f5b17e9e15849f428b0fd83143f375ada174aa953be8f07fa8ba90ca4d07dd1b859d034b4c |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\gu.pak
| MD5 | cd212ed25482d2b5a246440b62c4fbbf |
| SHA1 | 197f3616dec4fb308e0ec5a17458ef8a2d027cd1 |
| SHA256 | 0e8762ac08963088c33b74ee790df95370bbfc298bae8abfb87eb1307ef46d37 |
| SHA512 | 207d3e9a6bfbd3eb19cf53a0a300eb0172ecb872496d627ac5b55b9ea11d52f24f01393893450fefaa3c42bb481129d54e552679f2f67a2af0e117d12464601d |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\fr.pak
| MD5 | fe0ea306a7b48ee2750af3a263d9f3d1 |
| SHA1 | 877968909cfbbe499911b4d8b807a593c4be52c7 |
| SHA256 | 955de4737419c06609227c63c2fbba7c8abf497fb976c99a4dc9f5d5105afbd1 |
| SHA512 | 07978311caa9be82bd398100d1d8367c5ca840ffcc166b73aeea0bc7c86b53db13bf648decfb3f54a43b9d199e0d98fcd29fdfb291a703502369b025eccdf872 |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\fil.pak
| MD5 | a96f6f164897e62c984e9a61f6c3f7cb |
| SHA1 | 3ab2a714eb8e9b57e8a39792d152606ba0ef6a3a |
| SHA256 | ff21df22f24c92a06f6bbda2c70b57e098d7bb6754988a5ada087aed9bc8b8af |
| SHA512 | cd522884b66c940d64eb1377f9dd60143ae984fa7d144aa9d83b82a006b5da2ee9eabdcf046d362b2096d8a6b8486f36a10ac9f0642bb8cfb1e7903fda4c41f9 |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\fi.pak
| MD5 | 925f45e80be419aa0125096ebb81a23f |
| SHA1 | e73a32362952dc0aea997ee408da090f1886a438 |
| SHA256 | bf20054eb68d3d67d17d2a8c594d896c9c33fbbd562535d0c7e6cf6c940a8732 |
| SHA512 | 8510e2e9749b4342eb8d79bbfb983c43293f7f37d138464c96053a79685c578a148dd54013d211b02115256f174f51a74ca9155883055801bbe146053de52eb0 |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\et.pak
| MD5 | 294c830b9e6667c8d5e7287cabd6a4b6 |
| SHA1 | 52f44b97b71624bee6360301e8f6f34cfa428e72 |
| SHA256 | 198674c98f10c36205161e382cc31560a4bf0de5f597a0c65f7f95777dc9bb24 |
| SHA512 | ade98fa9cc25148979f325660ed3f0f649a38709ea34b759796c4e202b3c30e76da3b8c17ecf2e1948db4a5be26af23c3a6e6b28f9445ceff68d251a5645db5b |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\es.pak
| MD5 | 070cbd6f42db1cb9b6a2f74e03d6b124 |
| SHA1 | f8830e1c8a601123d85fd75188ed01833f910691 |
| SHA256 | 91de93a4dc9c9276b9ee3ae498bdafaa55fd464c1f20fdaca84c4b79842327d4 |
| SHA512 | 2ebee4e289eb2a19a97c86d1abdc1ad53c6a76b8c1dc28fc89cfde236c4abfbb823bf52573cc0848fd76ed9e0ab2d49def542837bc5c474ca1593fb5ed10a390 |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\es-419.pak
| MD5 | ae62374bc2e71d9abed6e0c1d4bfe309 |
| SHA1 | 624a8210376e11814485fe90a8825bb6ca883188 |
| SHA256 | 48bd8f17823ce0f0a6f1c9fda020d5b5655e2419634f92725ab263339d9a321a |
| SHA512 | 345794d617dd3aa200ca248566e9ba36dc846af9afe259545b5a61e787b1b52e112c7eb68bc025b0d2076790a4b77a82a724bc213fad9f0f38db6054332bfced |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\da.pak
| MD5 | 96bbef1eee0b0a197ec834839c00e11c |
| SHA1 | 35adba0aafbb4d19015e11dde1f37de87292252d |
| SHA256 | 600e02877374dc083b21deb3cc3bf6a4e3e2b2c581a631955494b0591c56289c |
| SHA512 | e1ae7ad30735b6c42f81d30d50162330603753b0ce7705506918d0bf3bf9a52ac60f8fca570cdfe87f0d6dd46cfa3064d5a1526d39d81a053571b434b1cbffe1 |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\ca.pak
| MD5 | 84b1e5be23e838708773d4e022f99986 |
| SHA1 | 53e411d571605a0a86a1040bff32a5e951ce9ee8 |
| SHA256 | faff0931e9479b76d2b6247739d4f934023a64bbe8578be08e2dd0eb053231f6 |
| SHA512 | 8afc396b859fbd0c03d1b7604f5cd80d41fd8e3df52ab88ba22a31a6a0df447671377f2ad0f6797682da6aa32d7c779defa1097ee140af207adc94575957fca8 |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\bn.pak
| MD5 | 880e325d5643051ad7e29c2280fab954 |
| SHA1 | cc46cff349031f9036cafafd3c091d1a5ab93f2f |
| SHA256 | 2fbcb9524eba04637e3f6c2874f7fce917326ba90877e1715eae4b35f141dd3d |
| SHA512 | d16d085bd51ad267738c649f6bbfb15b8ce5ac73b838cfb7e2ab0f4c135317c358b83a7b5d3506c492f75b97edb8d1eeee9733d12c9eca1bc51012d660b9e912 |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\ar.pak
| MD5 | 513e6bea67200feef37fb2e8c7fcec36 |
| SHA1 | b0edbb5846b8ddfd95ad74905e890892192279d3 |
| SHA256 | 00a9c88b644807369637ddb78d9832d7137b5f1c64ca9720a36bfccea8c38d98 |
| SHA512 | fbc184640fc419b50f6b1a78168a9efb63f8ac4c151baed17b5e9b9d333a360dce109351654ebf1c71c97471917c922456cf9c816118c6c781efdee14d8360fb |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\id.pak
| MD5 | a20c777901a144622f8a5520583af79b |
| SHA1 | 3506f8e07ee301bb195eb185032ebdc7fd231272 |
| SHA256 | fd44af213520242ba41f4c9003ddeedc71f923cb37e25b14e595f3e652ae18dd |
| SHA512 | 6a53bc2f5d0e4660767d21070d19f0c407fe676b9e9cbdc20e6016e333b2ad33da225bfc2833a0c0724e1b6245ca6ee3cc0e782ac955d6aebac3dc468db79a1d |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\ja.pak
| MD5 | 63cbeb056020b6ee8cfad26c7c6abb79 |
| SHA1 | 99bf018555eec56aae4b19d10c85ac506f4164a7 |
| SHA256 | aad9e17b2170b76248d61a3bac9b1bebc44b94885403ec2cc21a31397bf029b4 |
| SHA512 | 5aa4e764f06f0e8490dab89a8b3754cccdd41739b4654ac8e30de160cad335f681fa5dd7782482aaf66ff1d827ce0c34df85c23c334a35035a3a4e3d0f305343 |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\it.pak
| MD5 | acfd6f4b73b87455acb703e59303db33 |
| SHA1 | 70eabbca61eb365191cd1256f3be40ea9223b2d5 |
| SHA256 | cae7bd535284f5f156c1466820aae2bcc0b0c0ba378ad0f04eef3a145deed9b9 |
| SHA512 | bfd52bc383f1f5a7d559968bdd779198c81286796564499174c3b5b9bbc7112f427e8316f78fb09ebc668c5cbf94c89c37e97abb00c9b87b5c5c108028fc549d |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\hu.pak
| MD5 | 40807c6b0eefd2a2f16cf0ac2c28ed53 |
| SHA1 | 1b416b29e59ef41e1f18b168947e42b7fa969d2e |
| SHA256 | 533ae7e865898b61ecfdec68c581b3c4858f2c3ec1fe496ab02c61db0362d941 |
| SHA512 | 487cf71df0f2e59ce1151c146651f567b624ac0e48f770a2f1da76b27933aa2bdc30990788e2dba4543a11b9e5d3da6f31badb26d7f3a5c87088c5b4e1bd7756 |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\hr.pak
| MD5 | 92e6ef5db4c0191282ce2dd3645461ea |
| SHA1 | 045d3ed58a625516af741c9e2f85680fc1561ed4 |
| SHA256 | f8d6694f1c05ca259a31e0427ba7cef5b57f0c4b33493fda21003911a5da6f07 |
| SHA512 | 08b09857f173ef2a3067d60120167223b4ec7414ff6117d206bb12213ce9563c8d7923fc0ce6e7df0ea5d8ae2b3ded2a23993ab43bc46bea3c08df1bf59e16ea |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\ro.pak
| MD5 | 5d5a27c52ae905fd85f5d50cb793e7ca |
| SHA1 | b858bba1ef66c4d3943be19a4bf8a508c23e6671 |
| SHA256 | 9ff47f6890b3f543bc51015f263e791d8a3bc332098f8cd8199852fa131fa579 |
| SHA512 | f4754951ff0dd3f1ec2c0859a93422330145f9e4e3407bb7f95863c85227b96d3f8af449c0a051b60f333df3695eea5df70fd5f7fe4916e60eb6f7c4c21aa5e2 |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\zh-TW.pak
| MD5 | 9c51b828271263d574382077abd2e2f3 |
| SHA1 | 4de07caed06477855e4f4bba1d0d1178c5757171 |
| SHA256 | 21550464b12c7f9b23380acf7ca2b42c1b578581613c342196da95908f14c8af |
| SHA512 | 0e6921dbc4be8d5d98bf80e9b0f8c7fc31cb4e7553ca76b9c697a3f1428f855e59ee0dee99903a5215dddee9375532226af81128f066656d98db28a8d9738604 |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\zh-CN.pak
| MD5 | 5356bf9ddeb7ffad20e27ef092dac528 |
| SHA1 | 3514ded7211ff71297c87275ef0805588da2d47d |
| SHA256 | 0b6f0a9ded5734b260c1c02d7c717305d139bded5ec7ea80de40b641f13bfe0a |
| SHA512 | 887be5ed95b40d73e0f61f4b3e85f8a77d4bf4a222197b9d1c60711ae8481efbf9c183ba902dcbf437fdf70381bd232fe9c27cf0ce87c0f45b283b75b6d19962 |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\vi.pak
| MD5 | e6db9a8c61dc84aff75efc00b486a8d1 |
| SHA1 | 6d1f0329f9a44b64fa3474313c7bf207bfd78557 |
| SHA256 | 8ff2d05730915c1b15a97a3915c03d83239c34771ed661ccac745fb308901f14 |
| SHA512 | 89cf188b5d21528166353b29986f5afb9aad9a51a57864951f7945124b157e0129125caeed58c70568e38f7ba3a34a17d10056902b58ba48ee2e4e10a4649f75 |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\ur.pak
| MD5 | 157117641502b63c89110363dc7083b2 |
| SHA1 | fc86039a03b2e48fafc70e1cadc096fd46389af2 |
| SHA256 | fb7cd2f4beeceaf445f4d299a3db26cce49a7950a37e5a9b48fae7f5a8e09f99 |
| SHA512 | 422d92c5f0b2b2f9f35dbb7c11cd1b463085201912948c61222bb4f43f8dfd777fce678f04371df53ab6d07ec14cfbc9e4b1b084a72a0f2aa80ca7a4728e6359 |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\uk.pak
| MD5 | 7e2cbb9d3591278a76dd08364d3dad4d |
| SHA1 | a760a029070bfe57d4ef273b705650cef0a92f61 |
| SHA256 | 38616b5f7f939a84d5205e758a8d3fed024a8e3fbcc8159c90666ce650ae1d30 |
| SHA512 | 81e5ebada5990d79363e2583efdd3ccb19d8a10291cf6680d77d7c399816fe273a4fea5a7cb5e55e11f445df46a7ccad2942dc04f4fb8b6f66d2f2b151374de2 |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\th.pak
| MD5 | 77721a07831a7aef49934706398559cc |
| SHA1 | 240ac6e472ac7312f02b99a8d588813d3dfeb468 |
| SHA256 | e8cdabe4557192a6ad7040de396d807f96f50d6ef256dd04972211b9c898bc1d |
| SHA512 | f73be17166c7a94c216d13d837146c3c72a5e205688479ce8199c8cf468eb1bf780f2569d42e908684f0059e6ded370428d9b123389ad2cf1553a0aecd1ef06f |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\te.pak
| MD5 | f0a8ccf00882e83751fd666876c937bd |
| SHA1 | 6fd5045a20bdb912f61dd38f4d046b333bfb03c9 |
| SHA256 | 65ce3f1fe059a8d8b67cd47485233c6ab3870cfbb313241fe0f24e948bb0f158 |
| SHA512 | 8ea9f2215ac8354378aff1717ef6f1ba97ba8bcc1c660290d8a070c9a7cb9b0e1a87b8e37e68cd71d7bd429adba8b17c6cda68508b7389e42841fbe2f9c79528 |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\ta.pak
| MD5 | 22949a4acb6639bc4fea591bde3f6cec |
| SHA1 | 672163723e294a5242e9654470e1efbb3e8aa0a4 |
| SHA256 | 84776412fd7f2cff26713781be937bdb30352f9c7eb297ca811241e6cf4284d3 |
| SHA512 | 5e3ee2d29eabfc4398b0f9784064eb03b3c3e13c59f4fb1b857c612727eebe1a4a1bcd76503b1356cf4b4d407431a643503d9068f61f1ed05041f3aad325262e |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\sw.pak
| MD5 | 912db9e797ea3e277f18e72173f26ad5 |
| SHA1 | a83461503becad16ea0d33fd5501603688a65ed5 |
| SHA256 | 89d1245c645cc26d67ac0f556734ebeb99b436cf19edd3cb3b220e78a87796e0 |
| SHA512 | b5c334b528ba6d26dde9b4b1100c01bd1675cfcc7167a9bab4d9fb95584ae629e9567ab3a4729776fbee22ca927d42e04fa016cf3f9fe510edfdc340309110ca |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\sv.pak
| MD5 | b75471d16a5b4cfbb43ea86d3077e63a |
| SHA1 | 302958743c97218d13a72ade3a22e4181922531f |
| SHA256 | ec0f43dae8e52169396f289dfeb5d49b7f9258bafb0ed3060dd652fa744e5264 |
| SHA512 | 63556f738df1527ad96cca95f3e37934b054df83cfacd4e120745ceeb0536d4bc1919c66acff3e5253a62824c032ae7e8f9496df13b9ccb6fe00f67920a63cb1 |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\sr.pak
| MD5 | 5c811e0c9b775886bc11b46703cb67a0 |
| SHA1 | e9a777cc72263c7e7c4bfaa36e41b29e405a2a18 |
| SHA256 | 4c524e149c02c37034ec92dd90f20f463413f2650ac9f32d52ef7260f9a34f1b |
| SHA512 | d7db44fbfff3e3204b92aff44dc02c184344853d85fd79cd962bcad8efe85a13d1aaf9ed69a6e81fcc6e690afa4b1ba7cf1764225916f398c0f960d56e5bc57c |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\sl.pak
| MD5 | 48ead6e0160cbc6cbacb247cd3643110 |
| SHA1 | b39a91bb90f26c74dbc9fa28b257b705b54f2b81 |
| SHA256 | fc4cc46ff82cb8a41181e825a3d4e4508753fb68ff01a60486b7df4a4e11e89b |
| SHA512 | c037d352d315805a18796a121e47c73d37d68e735c9334e11b393235ae75b803cbc03cf7cf8480683bc68c9b98fba9f5a7b045b650598e5d9367ab58a24e75f1 |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\sk.pak
| MD5 | b7d16d6702d4b4b5d3a9e4c3e0e13eb2 |
| SHA1 | 6b2f1591ec51c4a7cf1435fbec7b5af94e0b5d4b |
| SHA256 | e93580dffc1715edb37965c5787048e3e282d0477f277668ca7f49cfda7142c0 |
| SHA512 | a09950a9bb3f9814d946857e32901a9b6d73b4862a85f00b7f1f035ce0cab5af4ebf3aa003731ffa8ccea88d71866ec01d9ce578fc0b13b3cfdd3df332a0c40c |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\ru.pak
| MD5 | 4ec91cdba9839e214ef7c008775e9e6e |
| SHA1 | ea9f0f22ee1bca09ac38c01300cc91e2fc8aee51 |
| SHA256 | 64f069a34be4966a9c28361e1c4914ce23bf96faa3bb5533fc3d233bfeac5cc1 |
| SHA512 | 8c49ca910bfff175a4d88778ea34437a5acb0d52e349160f31091bd33d8ed76524950fe3e0f508c243ed76b289a550291ec68a7e0c1c426a64fbff0579c94d14 |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\tr.pak
| MD5 | 41bc209ee64f56f04836fca3e2de362d |
| SHA1 | c019805b555d4c24c347112a583ac9f9bf2ef142 |
| SHA256 | 71356710c485d7db228a866789ce9d253276725d94a4e4622e7b82037beb9825 |
| SHA512 | a65c4f9147c5796567e61b0661b4766c199f156541a252ec442fe5b5e3e1156c80e8fc7cfb6d9e55db4c5f60732b55cfa74a65e7dc46fbd5a4e5dfc8f3891add |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\pt-PT.pak
| MD5 | fbff8ba7e31acc6c26c0e4b7277cbbd0 |
| SHA1 | b9acdcbe2f0f429474acc4dd883d668cde9d3165 |
| SHA256 | 477d6666bed083b27335a479c71279ad41a674f7b6a412ada1bba18be542ddc7 |
| SHA512 | ffdbb2773f18038f5d4cf145f3311feae25110ceb8efd9c895267f98acef7e901dd7d843f7c5291cd333fc81b80da301d0c92e5c0d6857da7e4eb68a5a0c540b |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\pt-BR.pak
| MD5 | 0711b3f59ac95761899b013b3b242c93 |
| SHA1 | 73fe7a4f60a6b92a966f1177c71bf85c6f95004f |
| SHA256 | be445bfcd9429570e5006063b1c8299a41e762e8e0c2b63551bcf16cb6fb868b |
| SHA512 | aad5ff84d1833db418a46961a5e3abd040e19e5a87bd6763039f8db7dda19c3cd9d7ea862585080636c2888ab1a50f2ba579cbc0ca0df8135537f1cc7543882b |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\pl.pak
| MD5 | 4003c253ef85ec0ff8a65204955994b0 |
| SHA1 | af3074fb622445f6429899cb33a33bbcc60e5e5a |
| SHA256 | 4db10dace60cc56b610a7f92caebf4e7e98ddcaf8dac4f5a87db8f750f51ef8e |
| SHA512 | 5624c8f6268c8a8dbf1a69a032ebb89e670685cb736a3cb42a65e2dca118a85e076818b58ba2e392991eff7921495167616107f402c841a8456b5b5888b70ca1 |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\nl.pak
| MD5 | d7048d029ab3ff807dff790113328574 |
| SHA1 | 07872f608062aa482532edda0dd2e1de31669380 |
| SHA256 | 0e9c114529b9ec20118bb96ffeea05d1a408e4eb621e3fc65f49353195d1af96 |
| SHA512 | 050b0eacf5b4da024d1a2af54f3511c4671756b0dab3f961d8acee5d1695eb29fba7768246dd5b3bcc253136df97e49a305832c37943380dc337776cb1fb1549 |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\nb.pak
| MD5 | cf18f58e8e4e37b2e5fa7ef8269a294f |
| SHA1 | c60d6e84f5cfe4cadbf4efed9b5998307b20fb9f |
| SHA256 | 3f1ed8ff0207c678b6a0a98e82fefd6340e35b7d16689672dfa90d9ee63921c6 |
| SHA512 | 8f336fc50943d693ee80475250d2dbfc1401c615da571115f2c02551959028125b91ea6ffe22171dd12241688703e1869402146ef4e85a46059fe022759da953 |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\resources\elevate.exe
| MD5 | 792b92c8ad13c46f27c7ced0810694df |
| SHA1 | d8d449b92de20a57df722df46435ba4553ecc802 |
| SHA256 | 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37 |
| SHA512 | 6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40 |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\resources\app.asar
| MD5 | 3b2869f88147288c90b1155d46f2d04d |
| SHA1 | faa43a7df73900a5149170693719713f702f24f3 |
| SHA256 | 8c800406762bcfc40932a5f55c99f5cf90af8eadf09283c06059c1c68552d9e8 |
| SHA512 | 7b8b405342b10b5989966b40de5098a67a90f2380c37d457793ebedf677a27ef1bd5789446e9f695dbe6500ae7794791d4a9c144b7488ae32d9f635e0a1096f1 |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\ms.pak
| MD5 | 06f24bba6fa8e9a009b3062227d4c259 |
| SHA1 | f50b0da2a86a138d16022f5642d96ff1a3ce7568 |
| SHA256 | cdfcbd86ddf584621bb2966c2d43f18096f974edb795cac0d1db43a60f3bc24c |
| SHA512 | 02239741f103c8b63072abab475ac313cb48612cac36890b7946fd816028fcba9be7ecc17ba5b934016d8817c52855ef208bffe5191d0eed35aa5243527e2150 |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\mr.pak
| MD5 | af7c7d72a968e1936f26a3c755157f6b |
| SHA1 | 2ec71950847f5fb4b85697b6acd05224c28bb092 |
| SHA256 | e5702b9578435abbbcc922f1d4ff8c5a345856926c2174c329e228987c3ac7d5 |
| SHA512 | d265eeee96adafc3ced76901c9263bc1cb349caf925a02d5deb010c02843fb653a17e1e8a4e942c9912f654316c4a7a1776e6a7eda56ab82ae9d4d077a58a929 |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\resources\app.asar.unpacked\node_modules\@img\sharp-win32-x64\versions.json
| MD5 | 71b6f79d28fe95b4e63bbc509ef50f42 |
| SHA1 | c44a2b2fd2ccacfead347a4f47bc150356118979 |
| SHA256 | 2c9ea5e852f8339c7ba4c6577cf6216a29d9c45f7c7ebe46bc0eb4f9750574f9 |
| SHA512 | 6bb14d063fe0ad6e2419b07f8852dca298db6c253b701c8995506b16ff946ba6ce7d136ce7744b92d544169488ec3a3ed110d2347c0c82e2413f7ec222b38af0 |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\resources\app.asar.unpacked\node_modules\@img\sharp-win32-x64\package.json
| MD5 | 8a6d6bc233909ba6af13ac6a3ff3a0cc |
| SHA1 | aa13757b831c934f625f8858dc4dd643a08c67ff |
| SHA256 | 778a81af264b8dd8cc2c593016d07d88da00acf6468732c8b4b55abbfb8e682b |
| SHA512 | 8dd5471acac5921d9e08b2b937fe1bb09ef49f0a885ea3ff7369127476bf04065a977e2fbe7a26e52fb0ac87eaed4268e782fb6a3aa393200de519c9257c446c |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\resources\app.asar.unpacked\node_modules\@img\sharp-win32-x64\LICENSE
| MD5 | 19cbd64715b51267a47bf3750cc6a8a5 |
| SHA1 | 172ca3bbafe312a1cf09cfff26953db2f425c28e |
| SHA256 | 73ba74dfaa520b49a401b5d21459a8523a146f3b7518a833eea5efa85130bf68 |
| SHA512 | f32944d2f94b018f42e0138eb9a1b7df3145beb1c7215e3c0e091bb07a083e3c23c379d47881da00a51e244d9c3708119aefd1658c988c1487923c7ba932c246 |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\ml.pak
| MD5 | 265d7fbee9a021895d51209dc0181f90 |
| SHA1 | 30e37013971bacd3ee93ad2fca01cb59a26d6a87 |
| SHA256 | 682463d4a0221711e565ecf409893536d727650efd2ed0563c722cceab66b1ad |
| SHA512 | 028e1ad499b20ff7cda822b91f9b8d1cbb1efe108b7236d817b73a6f8e518b5f4a8ae77d653ae5c9d799842eaee3915250ef56f634f847fc5fc8a3b36eea176c |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\lv.pak
| MD5 | df9985ecfc958f343ab7e56e71149d71 |
| SHA1 | fc0d2c4a194d500a1f4cfafcd9102186016ba5a3 |
| SHA256 | 7e17246e23ca2d0241d56d91b5d5e6bfb3ff4e08f1a3734f9d032b4191282fa2 |
| SHA512 | 0dd65eed7a5bccee0ac5e2826f0cceed848dff0d0d41904e00d35cec9d96fc0b91a4eb54fbcf0bbba61f89848562a606f9f7aa827cb180abe7e97a2e77a29309 |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\lt.pak
| MD5 | b02bf54687716b5d5f18aee02411a980 |
| SHA1 | 4cf766077382c49fb89d59d861de0f482f989798 |
| SHA256 | 0b0e3fcb82ddca52f9eb1ff9e1ee224639ff81f1c0af6ded4e21944811babc0b |
| SHA512 | aea879ac96a5719e8988011a7b82726bf51a24e170e260182146191f43914cd50991928d2283277d173ad650f7cfb1246fad9445260e9ca0769052079d431f25 |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\ko.pak
| MD5 | 626e172ad9b55ba0a1e2802ce5e10d0d |
| SHA1 | ecd855a47448609e8e9d7bdd80f92edd494ca77c |
| SHA256 | 7111342770c33aaaffdd6fd9ef15095a6d89e48d2468c19172c0eb9b6f26ebdf |
| SHA512 | d42594259929e35b763e71cb7022d34a11bf75a4b9bb058e251cbbe8e80bccdfb284eed1c6367f98e3023134c24d50542c64673d80e29230fdd057de70a10d5c |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\locales\kn.pak
| MD5 | f4c1e83eabd580c0b4c63b2dc510ce6a |
| SHA1 | fc1d9fed0f073504b022606e424e7cc9796648b2 |
| SHA256 | 79fd72e764a1d8ad623892e563e174463f29d6ce61a2ae29af102d71da4b8e25 |
| SHA512 | 927e6ff4c7d1c28c89afdf44c62643740a94b01e9f6e927e543834c833e1b4abf97de1489c6717f9054243c180474fc695a70c4ea8852d95c690f38c785705e1 |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\resources\app.asar.unpacked\node_modules\@img\sharp-win32-x64\lib\libvips-cpp.dll
| MD5 | 86bf2c651e8cd92b2fe72717c1603a5d |
| SHA1 | f4986ed8279083237906307346596833eac1e713 |
| SHA256 | f7b1d8dc48b836ce4a2bd1d50321625bd920245bf0fa4344db885fd45388f7b2 |
| SHA512 | 38ca4fc5bbbebab6cc8c065db2c799a948887291f84283c5fe094a2e72d39c37cda23a866110969b7e4b5351e7f64c258ee9b8ed7d1ba9660ecdce00654a4644 |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\package.json
| MD5 | f9560f0fb25f1dc014682359373146c4 |
| SHA1 | b19c6321292cc63d26a18bef5d80787c5e57e746 |
| SHA256 | b145c00c63dde4da0eb3736b0d25fe79fa252a02daa9c3fdbb2d3a5783e98cf6 |
| SHA512 | dd51dcca43554f27b2718f87661cdfc86e6a51b36c15574870d793fa358f76816423c0ebcef34dd9a7fd7ce42e6be18f834100a327cdb3e6eb8dbd9d65792262 |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\deps\common-sqlite.gypi
| MD5 | 92c4c5168a6a883f2a69ea4a1a37b7b5 |
| SHA1 | 6dedc03d603631c1f70c626f5ef9d8ee6f342efa |
| SHA256 | 7b557c097c162c9ba04985ab822f92a176bf848c34ca38e54f061057ad0d8bd0 |
| SHA512 | 904e605fe5bf1134031edcadc91ed55bf72d7fb1c862f99f25a672d29fdb34af22d4114cae389a853d703bc35bfc2c8429f86608fed5eec897c115ac3dea8de5 |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\LICENSE
| MD5 | 79558839a9db3e807e4ae6f8cd100c1c |
| SHA1 | ae3dbcee04c86fbc589fcf2547d4aaaeb41db3c2 |
| SHA256 | 7686f81e580cd6774f609a2d8a41b2cebdf79bc30e6b46c3efff5a656158981c |
| SHA512 | b42c93f2b097afa6e09d79ed045b4dd293df2c29d91dda5dda04084d3329b721a6aa92a6ad6714564386a7928e9af9195ac310deecd37a93bb04b6a6f744be46 |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\resources\app.asar.unpacked\node_modules\@img\sharp-win32-x64\lib\sharp-win32-x64.node
| MD5 | 1b516fab2c5e25b0bf6bf3bf3a885525 |
| SHA1 | 3c1bd2ddfaad46775ee6df5ff07badbc510d1c10 |
| SHA256 | fe184de118aa33421af89c43c93131a3a80027413e98b466ca56cb773c617e92 |
| SHA512 | dd5977b073dc3c6f05c7ef2506b7f4dac2410a1c729e4b7b42c4c5c31b1fa3776d2a1592139966c63424ef33ca685e50400617775a162277a9407b8ed97521f2 |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\resources\app.asar.unpacked\node_modules\@img\sharp-win32-x64\lib\libvips-42.dll
| MD5 | 387b5dbed94e434a6723e38203a7d2c3 |
| SHA1 | afdc7eb5d080e2752dc63bbd3f92d056579a2827 |
| SHA256 | 92076cb17f3b11bb864dd103b4d8f5fb7580fc63c13a417b58f51dfa50ac7751 |
| SHA512 | 241a92d2be10668dd7e50945f2852a75e2fd51131604996c4567b316ed9bf0d77af6e3cacdaae40bd0c9c7dc61b5d8d5e7cd7f2aecd507c4a9fd2fa19973832f |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\deps\extract.js
| MD5 | f0a82a6a6043bf87899114337c67df6c |
| SHA1 | a906c146eb0a359742ff85c1d96a095bd0dd95fd |
| SHA256 | 5be353d29c0fabea29cfd34448c196da9506009c0b20fde55e01d4191941dd74 |
| SHA512 | d26879f890226808d9bd2644c5ca85cc339760e86b330212505706e5749464fafad1cb5f018c59a8f034d68d327cd3fa5234ceac0677de1ac9ae09039f574240 |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\deps\sqlite-autoconf-3410100.tar.gz
| MD5 | c6d5034cf39232299ccfdf8e3ddc5781 |
| SHA1 | e77599a2df4c5b114c942ddba4483550d8982bf2 |
| SHA256 | 4dadfbeab9f8e16c695d4fbbc51c16b2f77fb97ff4c1c3d139919dfc038c9e33 |
| SHA512 | 6e6dafc35b8b11df3cd3bea48aaf84a102893242cffbe18eb7b111791563095111a2a8a5632636b8f46523d98d16e2b48dab79ee6707a141b22c2e6fde3002a2 |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\deps\sqlite3.gyp
| MD5 | 0e4d1d898d697ec33a9ad8a27f0483bf |
| SHA1 | 1505f707a17f35723cd268744c189d8df47bb3a3 |
| SHA256 | 8793f62b1133892ba376d18a15f552ef12b1e016f7e5df32ffb7279b760c11bd |
| SHA512 | c530aba70e5555a27d547562d8b826b186540068af9b4ccd01483ec39f083a991ac11d0cc66f40acaa8b03d774080f227ee705a38995f356a14abe6e5f97b545 |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\lib\sqlite3-binding.js
| MD5 | ff6a0462767c6bf185a566f4aef65ba5 |
| SHA1 | 7a3c3ee6748d00fac6e51e366518bb48a41794bb |
| SHA256 | 049b7b1b10417274be6c3e6a9518ac364729354435298d70abf834c35e8f3bf3 |
| SHA512 | 088d706f5a18323128547b0f126564fb7fa7a36dc8365ee8287663b2cb63da2d02a991bc5cda19af24da2aa063357c25f21347835f9a8aaef341b33bd21127df |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\lib\sqlite3.js
| MD5 | 275019a4199a84cfd18abd0f1ae497aa |
| SHA1 | 8601683f9b6206e525e4a087a7cca40d07828fd8 |
| SHA256 | 8d6b400ae7f69a80d0cdd37a968d7b9a913661fa53475e5b8de49dda21684973 |
| SHA512 | 6422249ccd710973f15d1242a8156d98fa8bdea820012df669e5363c50c5d8492d21ffefcdfa05b46c3c18033dde30f03349e880a4943feda8d1ee3c00f952b0 |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\lib\trace.js
| MD5 | e5c2de3c74bc66d4906bb34591859a5f |
| SHA1 | 37ec527d9798d43898108080506126b4146334e7 |
| SHA256 | d06caec6136120c6fb7ee3681b1ca949e8b634e747ea8d3080c90f35aeb7728f |
| SHA512 | e250e53dae618929cbf3cb2f1084a105d3a78bdfb6bb29e290f63a1fd5fbb5b2fab934ad16bc285e245d749a90c84bdc72fdc1a77af912b7356c18b0b197fbe5 |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\lib\binding\napi-v6-win32-unknown-x64\node_sqlite3.node
| MD5 | 3072b68e3c226aff39e6782d025f25a8 |
| SHA1 | cf559196d74fa490ac8ce192db222c9f5c5a006a |
| SHA256 | 7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01 |
| SHA512 | 61ebc72c20195e99244d95af1ab44fa06201a1aee2b5da04490fdc4312e8324a40b0e15a7b42fab5179753d767c1d08ae1a7a56ac71a6e100e63f83db849ee61 |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\src\database.h
| MD5 | f023c6c0baf0411cb6eef0a7b2baad13 |
| SHA1 | 748b78bf3ed5adc11e83f705033d8338d7eef2b5 |
| SHA256 | 8c5bcd084dddab2f2994b6cddc9b69a8f78a1034588b765e7bd859f27868fe43 |
| SHA512 | 08648cb37c0284799bb98fa2eb1abb508c8b992b43425203839e1e7f4092b7d2d7c83f6419417281ae278d3d61ade0b65959cf12f0c449a9688ee97749593dad |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\src\backup.h
| MD5 | 283f3987e0e65dca1b029bdbb625ccc2 |
| SHA1 | 285d7995459c11a47e13834ae3ec0167eacf7d01 |
| SHA256 | d3956cdbb650e1ecff8c94fe4e8645f80e10088156d409703c19f186a9c41aa8 |
| SHA512 | ff5c21bd53bf75b33a5430d1abdc8a8649af1535ec02aa5fceb91ed1189e44f0818e25556946d3ad8032b077fa30e73503464aff219b42cbace1ea3f97acb605 |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\src\async.h
| MD5 | 7fcbaffdc03bb5164fbb27f8552dcf5d |
| SHA1 | 590e3430c1dfa30f241d56ea01f364d5b9e7e991 |
| SHA256 | b6e86bf43d74c8ee2c2f57eb1947be6ce5d8c258c4866609571ed6c97b58b53c |
| SHA512 | e44d4850651e0e070d3f686db3d3797632121e32dc65b869739c0b45cfa13c055fc42d650f04c41915264b8772fcfeb2a38148b9fbe21a001af5a455854336b5 |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\src\macros.h
| MD5 | 592ca8ac280135c059c9ed651ac738c3 |
| SHA1 | ac8e8b5e835ea2810a443df2a57f3bdc3c60b2c6 |
| SHA256 | 8d1afb5d27eab8302de08aca87eb6edc1b99ae963a854d3bd652a4fc61cbe3c6 |
| SHA512 | b4e317200e3cab4dfac93e684150d21f7dd89a656f8a9f576b9cfb22090e8db6c458008a4a1406121fabdac034cfb80200a740d0caf6ec63fbf71ad2fde41029 |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\src\gcc-preinclude.h
| MD5 | 55a9165c6720727b6ec6cb815b026deb |
| SHA1 | e737e117bdefa5838834f342d2c51e8009011008 |
| SHA256 | 9d4264bb1dcbef8d927bb3a1809a01b0b89d726c217cee99ea9ccfdc7d456b6f |
| SHA512 | 79ed80377bfb576f695f271ed5200bb975f2546110267d264f0ab917f56c26abf6d3385878285fe3e378b254af99b59bdb8bbcab7427788c90a0460eb2ee5b77 |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\src\threading.h
| MD5 | f2a075d3101c2bf109d94f8c65b4ecb5 |
| SHA1 | d48294aec0b7aeb03cf5d56a9912e704b9e90bf6 |
| SHA256 | e0ab4f798bccb877548b0ab0f3d98c051b36cde240fdf424c70ace7daf0ffd36 |
| SHA512 | d95b5fda6cb93874fe577439f7bd16b10eae37b70c45ae2bd914790c1e3ba70dfb6bda7be79d196f2c40837d98f1005c3ed209cab9ba346ada9ce2ed62a87f13 |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\src\statement.h
| MD5 | 13d7bf3557e57ef3036bad68cfa8faae |
| SHA1 | 94c1af952f38e9f1ad2d722ec3a063fbe666e66b |
| SHA256 | 2c99d9cef21876db64b610dd9baba8de1f7c94028d6d1c463eb3db213745b3bf |
| SHA512 | 63e4543833d602b0c6ad9c21438e61782c252a5e30b776a9c942e1ecc34c1a7c471a39195caa20aefb072add66c83d99af902d620857d18ddad196f4f207a161 |
C:\Users\Admin\AppData\Local\Temp\nsh982A.tmp\WinShell.dll
| MD5 | 1cc7c37b7e0c8cd8bf04b6cc283e1e56 |
| SHA1 | 0b9519763be6625bd5abce175dcc59c96d100d4c |
| SHA256 | 9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6 |
| SHA512 | 7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f |
C:\Users\Admin\AppData\Local\Temp\e63441cd-52f5-4eec-9ba7-c57ab035553c.tmp.node
| MD5 | 53b6a7be03e007f075621a6369eb4c37 |
| SHA1 | 36028d914196e852623cfe9f133c75483ce65897 |
| SHA256 | 06980ae4b6f32420f58eca7737c27532b345b058eb6aa8579acc3fcbe46fceec |
| SHA512 | 37f39c7dd0f591c0d2e2e0b924e64f3bdc7d56367e4c2a3cb37e688e57c9337eb9036bea3af2a0e40f685c5931d589bfcebeae23fb39707a8d2781d30ad9977e |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x2o43sky.u2b.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2776-974-0x000002B14F560000-0x000002B14F582000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 8740e7db6a0d290c198447b1f16d5281 |
| SHA1 | ab54460bb918f4af8a651317c8b53a8f6bfb70cd |
| SHA256 | f45b0efc0833020dfeeaad0adc8ed10b0f85e0bc491baf9e1a4da089636bccf5 |
| SHA512 | d91fe9666c4923c8e90e5a785db96e5613b8cb3bf28983296a2f381ccdcd73d15254268548e156c8150a9a531712602313ba65f74cec5784341c8d66b088750b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3ca1082427d7b2cd417d7c0b7fd95e4e |
| SHA1 | b0482ff5b58ffff4f5242d77330b064190f269d3 |
| SHA256 | 31f15dc6986680b158468bf0b4a1c00982b07b2889f360befd8a466113940d8f |
| SHA512 | bbcfd8ea1e815524fda500b187483539be4a8865939f24c6e713f0a3bd90b69b4367c36aa2b09886b2006b685f81f0a77eec23ab58b7e2fb75304b412deb6ca3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 446dd1cf97eaba21cf14d03aebc79f27 |
| SHA1 | 36e4cc7367e0c7b40f4a8ace272941ea46373799 |
| SHA256 | a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf |
| SHA512 | a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7 |
Analysis: behavioral9
Detonation Overview
Submitted
2024-11-13 11:29
Reported
2024-11-13 11:32
Platform
win7-20240729-en
Max time kernel
13s
Max time network
17s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 220
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-11-13 11:29
Reported
2024-11-13 11:32
Platform
win10v2004-20241007-en
Max time kernel
53s
Max time network
60s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1952 wrote to memory of 1704 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1952 wrote to memory of 1704 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1952 wrote to memory of 1704 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1704 -ip 1704
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 616
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
Analysis: behavioral23
Detonation Overview
Submitted
2024-11-13 11:29
Reported
2024-11-13 11:32
Platform
win7-20240903-en
Max time kernel
9s
Max time network
18s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\sqlite3\deps\extract.js
Network
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-11-13 11:29
Reported
2024-11-13 11:32
Platform
win10v2004-20241007-en
Max time kernel
59s
Max time network
76s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\sqlite3\deps\extract.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
Analysis: behavioral31
Detonation Overview
Submitted
2024-11-13 11:29
Reported
2024-11-13 11:32
Platform
win7-20240903-en
Max time kernel
13s
Max time network
20s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2544 wrote to memory of 3028 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 2544 wrote to memory of 3028 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 2544 wrote to memory of 3028 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\sqlite3\lib\binding\napi-v6-win32-unknown-x64\node_sqlite3.dll,#1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2544 -s 156