Malware Analysis Report

2024-12-07 15:20

Sample ID: 241113-y6ermssjdp
Target: XrayInject1.2.exe
SHA256: 599eb6a50a0c7b170a6d7736433cb408c7f935448efffc6171ced9ec5d25f690
Tags: execution, discovery
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral12, behavioral13, behavioral14, behavioral18, behavioral22, behavioral25, behavioral6, behavioral8, behavioral9, behavioral26, behavioral31, behavioral17, behavioral24, behavioral30, behavioral4, behavioral5, behavioral11, behavioral16, behavioral3, behavioral7, behavioral10, behavioral32, behavioral1, behavioral21, behavioral23, behavioral20, behavioral27, behavioral29, behavioral2, behavioral15, behavioral19, behavioral28 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 7/10

SHA256

599eb6a50a0c7b170a6d7736433cb408c7f935448efffc6171ced9ec5d25f690

Threat Level: Shows suspicious behavior

The file XrayInject1.2.exe was found to show suspicious behavior.

Malicious Activity Summary

Tags: execution, discovery

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Enumerates processes with tasklist

Unsigned PE

Enumerates physical storage devices

Command and Scripting Interpreter: JavaScript

Command and Scripting Interpreter: PowerShell

Program crash

System Location Discovery: System Language Discovery

Browser Information Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Checks processor information in registry

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Modifies registry class

Enumerates system info in registry

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 20:25

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-11-13 20:23

Reported

2024-11-13 20:29

Platform

win10v2004-20241007-en

Max time kernel

146s

Max time network

159s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 102.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 30.73.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-11-13 20:23

Reported

2024-11-13 20:29

Platform

win10v2004-20241007-en

Max time kernel

146s

Max time network

160s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 68.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 102.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-11-13 20:23

Reported

2024-11-13 20:29

Platform

win7-20240903-en

Max time kernel

122s

Max time network

133s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\@primno\dpapi\dist\index.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\@primno\dpapi\dist\index.js

Network

N/A

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-11-13 20:23

Reported

2024-11-13 20:29

Platform

win7-20240903-en

Max time kernel

119s

Max time network

131s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\sqlite3\build\Release\node_sqlite3.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2560 wrote to memory of 2368 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2560 wrote to memory of 2368 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2560 wrote to memory of 2368 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\sqlite3\build\Release\node_sqlite3.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2560 -s 80

Network

N/A

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-11-13 20:23

Reported

2024-11-13 20:29

Platform

win7-20241023-en

Max time kernel

121s

Max time network

122s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\sqlite-autoconf-3440200\Replace.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\sqlite-autoconf-3440200\Replace.js

Network

N/A

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-11-13 20:23

Reported

2024-11-13 20:29

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

138s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\sqlite-autoconf-3440200\aclocal.ps1

Signatures

Command and Scripting Interpreter: PowerShell

execution

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\sqlite-autoconf-3440200\aclocal.ps1

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 68.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

memory/4904-0-0x00007FFA10103000-0x00007FFA10105000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cxe10ph4.emn.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4904-10-0x000001E3CC940000-0x000001E3CC962000-memory.dmp

memory/4904-11-0x00007FFA10100000-0x00007FFA10BC1000-memory.dmp

memory/4904-12-0x00007FFA10100000-0x00007FFA10BC1000-memory.dmp

memory/4904-13-0x00007FFA10100000-0x00007FFA10BC1000-memory.dmp

memory/4904-16-0x00007FFA10100000-0x00007FFA10BC1000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-13 20:23

Reported

2024-11-13 20:29

Platform

win10v2004-20241007-en

Max time kernel

146s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2656 wrote to memory of 1840 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2656 wrote to memory of 1840 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2656 wrote to memory of 1840 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1840 -ip 1840

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1840 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 209.143.182.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-11-13 20:23

Reported

2024-11-13 20:29

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

160s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html

Signatures

Browser Information Discovery

discovery

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4504 wrote to memory of 2264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4504 wrote to memory of 2264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4504 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4504 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4504 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4504 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4504 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4504 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4504 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4504 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4504 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4504 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4504 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4504 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4504 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4504 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4504 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4504 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4504 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4504 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4504 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4504 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4504 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4504 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4504 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4504 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4504 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4504 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4504 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4504 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4504 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4504 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4504 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4504 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4504 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4504 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4504 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4504 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4504 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4504 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4504 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4504 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4504 wrote to memory of 3180 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4504 wrote to memory of 3180 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4504 wrote to memory of 2964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4504 wrote to memory of 2964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4504 wrote to memory of 2964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4504 wrote to memory of 2964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4504 wrote to memory of 2964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4504 wrote to memory of 2964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4504 wrote to memory of 2964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4504 wrote to memory of 2964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4504 wrote to memory of 2964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4504 wrote to memory of 2964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4504 wrote to memory of 2964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4504 wrote to memory of 2964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4504 wrote to memory of 2964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4504 wrote to memory of 2964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4504 wrote to memory of 2964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4504 wrote to memory of 2964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4504 wrote to memory of 2964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4504 wrote to memory of 2964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4504 wrote to memory of 2964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4504 wrote to memory of 2964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe303346f8,0x7ffe30334708,0x7ffe30334718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,6313773808628162533,5587159570994520213,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,6313773808628162533,5587159570994520213,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,6313773808628162533,5587159570994520213,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6313773808628162533,5587159570994520213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3104 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6313773808628162533,5587159570994520213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,6313773808628162533,5587159570994520213,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5076 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,6313773808628162533,5587159570994520213,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5076 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6313773808628162533,5587159570994520213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6313773808628162533,5587159570994520213,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6313773808628162533,5587159570994520213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6313773808628162533,5587159570994520213,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,6313773808628162533,5587159570994520213,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2740 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 102.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 68.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 c2d9eeb3fdd75834f0ac3f9767de8d6f
SHA1 4d16a7e82190f8490a00008bd53d85fb92e379b0
SHA256 1e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66
SHA512 d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd

\??\pipe\LOCAL\crashpad_4504_KQWLXIPINHGKMQDN

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 e55832d7cd7e868a2c087c4c73678018
SHA1 ed7a2f6d6437e907218ffba9128802eaf414a0eb
SHA256 a4d7777b980ec53de3a70aca8fb25b77e9b53187e7d2f0fa1a729ee9a35da574
SHA512 897fdebf1a9269a1bf1e3a791f6ee9ab7c24c9d75eeff65ac9599764e1c8585784e1837ba5321d90af0b004af121b2206081a6fb1b1ad571a0051ee33d3f5c5f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 58e19300956af35cc5a548896ff83035
SHA1 d329c6472a5dec698429318716356fa2d2dd1e1a
SHA256 958c12f8162465592274f3c8ac2c099a8b55b731a8ba46a6677fea828d4cc52b
SHA512 8a4bcfc068787bae4e8d067ea65784bcb3cc11591f11145a03e7722339a4f075b86d51db773502d4111872b9c6efba0dce7c3a82d3c370d6b7a29822e5080fc6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 77c9ca58a43dc0f830425b599db87512
SHA1 393ddf9eb47480fd1a79b01e9f23a1b71d4392e4
SHA256 11288695cd24ad3d89fbb06c0fec806ba78dc60cd77e39b3834a5d78ccdeec05
SHA512 e7dc2529b79d00ec5a0342dbdc21b1e0265f157d0c301df5390efada8d98a9a101f2c382aa8c39322a7d7da516e52610cd2bd55c76f9241081406ae40bffdf55

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 607d1bef9629e4eeff0a395f81473900
SHA1 7421dc08cb22ae6643f167ca3fa2e1777440dfb6
SHA256 f31485d022bf1bd6b204d77e7cc3701da2f40c7ef5ec4c05ebd1095c5c410e1c
SHA512 723a3c969e19c67a5a4a9e5380bdf1f5aa2379d3b1ebcbbd52b243d104531edfeead148ea5922b65b1ea0e1ae43660711b5eeaf669c96b2cf212c5b1cf6b5d6b

Analysis: behavioral9

Detonation Overview

Submitted

2024-11-13 20:23

Reported

2024-11-13 20:27

Platform

win10v2004-20241007-en

Max time kernel

3s

Max time network

11s

Command Line

"C:\Users\Admin\AppData\Local\Temp\LNpSUHD317.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\LNpSUHD317.exe N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\LNpSUHD317.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 C:\Users\Admin\AppData\Local\Temp\LNpSUHD317.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\LNpSUHD317.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\Temp\LNpSUHD317.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\LNpSUHD317.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Users\Admin\AppData\Local\Temp\LNpSUHD317.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz C:\Users\Admin\AppData\Local\Temp\LNpSUHD317.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1492 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\LNpSUHD317.exe C:\Windows\system32\cmd.exe
PID 1492 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\LNpSUHD317.exe C:\Windows\system32\cmd.exe
PID 2504 wrote to memory of 2620 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2504 wrote to memory of 2620 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1492 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\LNpSUHD317.exe C:\Windows\system32\cmd.exe
PID 1492 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\LNpSUHD317.exe C:\Windows\system32\cmd.exe
PID 1792 wrote to memory of 3260 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1792 wrote to memory of 3260 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1492 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\LNpSUHD317.exe C:\Windows\system32\cmd.exe
PID 1492 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\LNpSUHD317.exe C:\Windows\system32\cmd.exe
PID 2840 wrote to memory of 4908 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2840 wrote to memory of 4908 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1492 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\LNpSUHD317.exe C:\Windows\system32\cmd.exe
PID 1492 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\LNpSUHD317.exe C:\Windows\system32\cmd.exe
PID 1608 wrote to memory of 3548 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1608 wrote to memory of 3548 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1492 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\LNpSUHD317.exe C:\Windows\system32\cmd.exe
PID 1492 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\LNpSUHD317.exe C:\Windows\system32\cmd.exe
PID 4752 wrote to memory of 1548 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4752 wrote to memory of 1548 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\LNpSUHD317.exe

"C:\Users\Admin\AppData\Local\Temp\LNpSUHD317.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "WMIC csproduct get UUID"

C:\Windows\System32\Wbem\WMIC.exe

WMIC csproduct get UUID

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get serialnumber"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get serialnumber

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell wininit.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell wininit.exe

C:\Windows\system32\wininit.exe

"C:\Windows\system32\wininit.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fsz0edsv.pm2.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1548-15-0x00000236F9130000-0x00000236F9152000-memory.dmp

Analysis: behavioral26

Detonation Overview

Submitted

2024-11-13 20:23

Reported

2024-11-13 20:29

Platform

win7-20240903-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\sqlite-autoconf-3440200\configure.vbs"

Signatures

N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\sqlite-autoconf-3440200\configure.vbs"

Network

N/A

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-11-13 20:23

Reported

2024-11-13 20:29

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

149s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\sqlite-autoconf-3440200\tea\configure.vbs"

Signatures

N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\sqlite-autoconf-3440200\tea\configure.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 102.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 68.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-11-13 20:23

Reported

2024-11-13 20:29

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

158s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\@primno\dpapi\prebuilds\win32-x64\node.napi.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\@primno\dpapi\prebuilds\win32-x64\node.napi.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 68.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-11-13 20:23

Reported

2024-11-13 20:29

Platform

win7-20240729-en

Max time kernel

16s

Max time network

16s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\sqlite-autoconf-3440200\aclocal.ps1

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\sqlite-autoconf-3440200\aclocal.ps1

Network

N/A

Files

memory/1656-4-0x000007FEF66CE000-0x000007FEF66CF000-memory.dmp

memory/1656-5-0x000000001B5B0000-0x000000001B892000-memory.dmp

memory/1656-6-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

memory/1656-7-0x000007FEF6410000-0x000007FEF6DAD000-memory.dmp

memory/1656-8-0x000007FEF6410000-0x000007FEF6DAD000-memory.dmp

memory/1656-9-0x000007FEF6410000-0x000007FEF6DAD000-memory.dmp

memory/1656-10-0x000007FEF6410000-0x000007FEF6DAD000-memory.dmp

memory/1656-11-0x000007FEF6410000-0x000007FEF6DAD000-memory.dmp

memory/1656-12-0x000007FEF6410000-0x000007FEF6DAD000-memory.dmp

Analysis: behavioral30

Detonation Overview

Submitted

2024-11-13 20:23

Reported

2024-11-13 20:29

Platform

win7-20240903-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\sqlite-autoconf-3440200\tea\configure.vbs"

Signatures

N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\sqlite-autoconf-3440200\tea\configure.vbs"

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-13 20:23

Reported

2024-11-13 20:29

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3112 wrote to memory of 3368 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3112 wrote to memory of 3368 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3112 wrote to memory of 3368 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3368 -ip 3368

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3368 -s 628

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 102.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 30.73.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-13 20:23

Reported

2024-11-13 20:29

Platform

win7-20240903-en

Max time kernel

119s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1804 -s 220

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-11-13 20:23

Reported

2024-11-13 20:29

Platform

win10v2004-20241007-en

Max time kernel

88s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 68.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-11-13 20:23

Reported

2024-11-13 20:30

Platform

win7-20241010-en

Max time kernel

7s

Max time network

19s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\@primno\dpapi\prebuilds\win32-x64\node.napi.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3016 wrote to memory of 1740 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 3016 wrote to memory of 1740 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 3016 wrote to memory of 1740 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\@primno\dpapi\prebuilds\win32-x64\node.napi.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 3016 -s 84

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-13 20:23

Reported

2024-11-13 20:29

Platform

win7-20240903-en

Max time kernel

121s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 220

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-11-13 20:23

Reported

2024-11-13 20:29

Platform

win7-20240903-en

Max time kernel

120s

Max time network

133s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AB3769A1-A1FD-11EF-BF50-D686196AC2C0} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000045c0dde48c11474f81d9a2c02be4ea2200000000020000000000106600000001000020000000f760544623dcda43745630d393114b096048f38191275567f24424eb0c1c1658000000000e8000000002000020000000aa8f4fa79dd1b82c53db5057f877dae625fdf21ae4094de4d6fd7abcfb751f6f200000006bd5f421902c313ed4bf1b8773ebcf3828e410b0f367773cfc95371b7b57615540000000793d5cc269c59779b9d436fae49d123b1fb9089ed3a04879c30e39e8b03a2e617229cb5cad79e20279bb1d97d92c197337bf70d4156713c937e9de79380cd69a C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437691501" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d04d0d800a36db01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2076 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\CabFC99.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarFD49.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8ed50bdfa286371f04f1a1be1adb5d8e
SHA1 fe2f69336b4133eab741e5b7d1d31a64dbc8e570
SHA256 900037b087741b66641d0de686006d870cb0c24f6d88b52e08d3fec4bc63accf
SHA512 c3784a1fea9f72710c343ea4b15bb32b63965d5572055d79b495085758b4772a7a99e4acb31a2aa3d4f0f2fe1dd8d05ad904d9d30f046145d38b9ec0fba93f82

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5fdd262ffe88272e9205f1725f92015c
SHA1 44629935404f9df10f6bc8179507e9e76c698368
SHA256 c6b60f9f51c30dedc8b408f840c8b8903b88cd47a36b123e80988b0510ebe6c4
SHA512 3fd60e28f18b2919b198caec01e1f2feee46cab3d3125e813b21b513012f771ae3a0ec72a7618f3cbb0a4658eae6f69ee1ca8279560c276af0d4cb42cd4a9f38

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5358f9d009f27c6692a8d6bb7ebb3d1e
SHA1 ec5676c2b4b579abbe38adb381e6b8625b0bf4e5
SHA256 51640cb3a7420c0fc3767e337a67e74b3c5f6602b16a7daaa384c2e165145387
SHA512 8edb592d9f4b06005564cc68a1f61f8f4dd12b4bb1f2d1480db82097ee4f5d03c93e5e4731981a253cad0af2a10b4c164fae1ee2ccf5738d421a9b463e096fc8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 123666cedf41ee880eac576072f322f5
SHA1 bd7714f3ffef1813b935582ab667c40ccf69608a
SHA256 191b1c8f0478db9598053185bee398cfdae72b72b4239bbfba405627d057e1c3
SHA512 02f35873499f01b0807d7a365a9fc5d54a1856f903b84e6e3414db6b66573202b462f2747e7b1f32a2ced413cdb5be317bef5eaf40fd4c973b86555edf2254ef

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 db785b88808aff96f0322e47e22034d0
SHA1 945abc5147b62b554e4746e7f6d98220cefa0c93
SHA256 0e234b683e9fb1213cca62c5b15a4ac864bc62400133b140e7709aa47202274a
SHA512 d86f5c63c82cf0ebd3ae963dd144f2b761e0e26654f84c2fd747b6910d1783f14c03d1300e261643cbd588e8a6ffbcb8bd9eca63aa8e32afa8251a0233d148e9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 100d330d987f9754f5111672ca6eb599
SHA1 f7c962d5a42f38ae9be4e7cec4a71600fa21fc69
SHA256 7e47411a2261d0d421d0b73176049e27d28e75dc8527996b58391900f62d3370
SHA512 357742305b892d7bd4e8dc2f313c36ce7c4282c6d3ef93b1cddb50968cf0e427f6a7d4563f4f67ead42dbc7352f9c959cc7ebd2c22892b40781b24aa616e1002

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 894ef9d7c40cf5765990a523ce2c9adb
SHA1 5de3f23357489cc73daf80bf3f3a5b7b1d018d1d
SHA256 afc9297a702afc568f36ee849c23e7bd5546f9554d25e48a2e4c5a7e3dae143a
SHA512 0334afbc5e5f22785ba724b87eddce4e703eec9d44b3a4b9d13e5f44b1e33d04e7788c2ccb9791ec0040f3c4bf32d15754dfc3c9771048946d04ffefbb86c4c6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 877f3066eae0ba68479e525d114021e7
SHA1 ff1560252f27d790a13ca1ecbe3346059833db4f
SHA256 6741703e3eb2e803b99a7390d045c9f7c1db1d78b6ddac4845978ec98399e0fb
SHA512 8036df32a386c38812af48a23155e2593b15ad2bf3ae085995550ae8e4139b8f0466ac02284ea88eb9ae1f0c44c8d17b33972dfda4910834b515a0fcf529a8ac

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 63bdc2b1cef9def5f22bd0d57bea1dc9
SHA1 5560a8381f53e33d346e1f3e4015c09d5de10bed
SHA256 2dd47183e9255448c01adb189f5bafb382d88f316e5922f91107d8381a973b33
SHA512 83650b157c3ade32cec26ccf9a5a8f39b23206cbefb11f78b4069bf4d6ad5d559b6525da5dc902efa9ba4acf7fce29f81e561b3456947c166300c7ea01bdddf9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a27f90f0a3575b31a4339d8d0e1fcd1b
SHA1 e80a8d79f0adee3eaea3a8b5b551702c7574cb81
SHA256 0c94ac8aeab8e2634055c4f4f8901285590533557a75b55f1364593a100ca389
SHA512 336b0ad5e2fb6b02f61bb41711dc2324d14c7c9a25cb3982bf194f47c73bab801eadf5e0041b63558d039e6870e944e25e3b4e0babf98e827f84bfeacf28d2dc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 913888fa41e4d8d933a0492e811ffdbc
SHA1 9484483086491e54715f7debe8cfcf62fcd1c055
SHA256 af46771d32e785c9d6f2e5348576b942788f2a8b9431f20e27a3ab5d58c7ed26
SHA512 9f86ceb5aacc9fe625b400bf096ed760b594a3a5d4e3afd86a14a37f8f498954aeb6e2f22e246d171efbec02515fc567ce07a160caf1f343a3643e78af5f4db2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0d6c1dac67659fda939a1689067827ce
SHA1 a02a064de89a9a1f1082f29b35dc8ff3b82af4c4
SHA256 aa6ca5f7355d9bcac3914a9d491895f305e9beafe62c219b3f6f5d0418b5a0d2
SHA512 52199a6b8fcf11f0d5e9c31ccd857883ccbc48889eb148b302327d8a6b62df3ffeed8c31ac1918bc3a66c2d0d7cd5561d05d165627cd75d2e8ca2b4bff2af03a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 70261060ebeb3cd1ac3e40770930cc39
SHA1 723cba94e86200751a869d386462f482dd553eed
SHA256 d1c0e3e35b0da41274f527ecfcb920a08f261ffd9300c03e116e7a360f923aba
SHA512 f82c0f6a2b9c8aba571d2590a7d2f3bac7ae64b97231ca3f43b63a3e1ce5d09424f3e3fde6a0bd76aab57c758ebe5156176dc0aa0da10895228aa32381aa7f77

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 47831cca5e77f365f3e17d42d5b6e786
SHA1 fa521a913975d5a9f061260b2be2aa9b5d98297f
SHA256 582ab27e2f22e985a9529c5758ec8bc550bd2a78dfa6fe64340c4e0be415d072
SHA512 f45ff9b3ae6acbde5da79758214cd31392e629bf3b31e28300074716ee5782bfd87c7ee5d9a2b6eba17f20645a5cf6727c4e025f777831b6c2501f5c91869ece

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 528d53bf74d30df90d8ad3050e67d515
SHA1 0b13808a3ecc4242a9e36898500d829c2875e00c
SHA256 e0bdf3d0b4191be698123a5eeab264144c3e4a2abf0623fd607328d59314f9ce
SHA512 7a0ecf49d7f074e78b712e4939a0db0aa6afe0f9f4898249e4ce84aec61ea92095a849eb42fd08f3f1e3e4c95c4507ef14e17b121a9a6956b394fb5b97654488

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 31ae83ed1f57e1e4a4cd70b874804f45
SHA1 e37523bfe3a62c54d25857bd0e892d5123473e31
SHA256 a35bc34d2ea1379f086816c961eff09de97b5aa185d7515ff77a690e8a82bd71
SHA512 a0fde1cceb530775f400317296d093696eeec4ed4e4be786ce86f3dd51c04943e75db310dfe158e5881bcd23b81f15d6fbb56d2c66e2e919c7cec34ba4454a42

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7737bd8af271872da4cf07f2d5da8e13
SHA1 7081272c3d08779cad31b9ef9146080916a1f241
SHA256 a27535e8414f72f78775a3e1bad5f1b97a34d8d93039963d356ab873ab5c432c
SHA512 6ee0f3685eecde24b748778e17fbffe2bec0a096146a51fdd37caf94299603c8d9d9147203669fbdaf3b960ab658313d96f48165f25cf7574f9ffcfdfd857878

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4e397a1b28bd19a081e46e0b994dd3ea
SHA1 d3d1610683ff938e0673d744031a4a5208ee0faa
SHA256 e3685952fa325cd034ae35b8b5922d8e841ad50c3ec634f365aae449e1077b7e
SHA512 495c246f4c14a0c29d87e57dc73385d014c3d45d48ddc8972c3824f2ba5d71e74a1e80ff6e586606d3f25a4c942bff5ef7853acbbf647c5363b4b2788f799a39

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7ac4692f82a8a9f3413679265654dbb5
SHA1 66337159f0f486639559a447e594932e73f64ddc
SHA256 a711a1209c014b6a023ff3643bd88cc9a6ca418c97a99f65ef62e41342054c6e
SHA512 3668333d46e96ce0237d2588c3560cde54bc90683b740c45e7796dba15afcfd323afee10407232a227cdaef17073a88e9af110dcf889b95642c8883343bba2dc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d5675d190cbe01e017a57a959e100f5d
SHA1 d9afaa8601c0f54515378eb1dbca503908ceae2a
SHA256 b1c209148e34bed71e2f902fa5dd43c152abd554e134a5024a2cdaa8e0e5fba4
SHA512 02f8565041562c53d45650e2c85697ddbbb658ecfb9bc591b9c83f3e277572bd46dbc18f16988c41776c1c82e4f04049decd1a82f16a7a25e529885bb73f3f4d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 18dd38308c66d53f7323c53b9c79c98c
SHA1 4e550671047eebef9321506861d9e0f7bac364ed
SHA256 8b1493cf32693bcc7c71adb6f3616984c25055f5c0c829af88c5bd82692a481a
SHA512 66b9e5687f1e50b94ebf652c81ae1013557102546bbc4cd81736b854dcd87df54a04398bb3cfe01a2dcccb59f08e1a491b1422bd9bf67f7135441626f6dd5520

Analysis: behavioral10

Detonation Overview

Submitted

2024-11-13 20:23

Reported

2024-11-13 20:29

Platform

win10v2004-20241007-en

Max time kernel

145s

Max time network

161s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3dcompiler_47.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3dcompiler_47.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 17.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-11-13 20:23

Reported

2024-11-13 20:29

Platform

win7-20240903-en

Max time kernel

117s

Max time network

121s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\sqlite-autoconf-3440200\tea\win\makefile.vbs"

Signatures

N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\sqlite-autoconf-3440200\tea\win\makefile.vbs"

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 20:23

Reported

2024-11-13 20:27

Platform

win7-20240903-en

Max time kernel

21s

Max time network

26s

Command Line

"C:\Users\Admin\AppData\Local\Temp\XrayInject1.2.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2olYxu8i09iVXw5fJuy7NIyuOY9\LNpSUHD317.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\XrayInject1.2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XrayInject1.2.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\XrayInject1.2.exe

"C:\Users\Admin\AppData\Local\Temp\XrayInject1.2.exe"

C:\Users\Admin\AppData\Local\Temp\2olYxu8i09iVXw5fJuy7NIyuOY9\LNpSUHD317.exe

C:\Users\Admin\AppData\Local\Temp\2olYxu8i09iVXw5fJuy7NIyuOY9\LNpSUHD317.exe

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nseF143.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

\Users\Admin\AppData\Local\Temp\nseF143.tmp\nsis7z.dll

MD5 80e44ce4895304c6a3a831310fbf8cd0
SHA1 36bd49ae21c460be5753a904b4501f1abca53508
SHA256 b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592
SHA512 c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

C:\Users\Admin\AppData\Local\Temp\nseF143.tmp\7z-out\chrome_100_percent.pak

MD5 3c72d78266a90ed10dc0b0da7fdc6790
SHA1 6690eb15b179c8790e13956527ebbf3d274eef9b
SHA256 14a6a393c60f62df9bc1036e98346cd557e0ae73e8c7552d163fa64da77804d7
SHA512 b1babf1c37b566a5f0e5f84156f7ab59872690ba0bdd51850525f86769bfebc245f83988a3508945cf7617d73cd25e8469228974dd2c38415388b6a378552420

C:\Users\Admin\AppData\Local\Temp\nseF143.tmp\7z-out\chrome_200_percent.pak

MD5 3969308aae1dc1c2105bbd25901bcd01
SHA1 a32f3c8341944da75e3eed5ef30602a98ec75b48
SHA256 20c93f2cfd69f3249cdfd46f317b37a9432ecc0de73323d24ecf65ce0f3c1bb6
SHA512 f81ed1890b46f7d9f6096b9ef5daab5b21788952efb5c4dcd6b8fd43e4673a91607c748f31434c84a180d943928d83928037058493e7e9b48c3de1fc8025df7f

C:\Users\Admin\AppData\Local\Temp\nseF143.tmp\7z-out\d3dcompiler_47.dll

MD5 a7b7470c347f84365ffe1b2072b4f95c
SHA1 57a96f6fb326ba65b7f7016242132b3f9464c7a3
SHA256 af7b99be1b8770c0e4d18e43b04e81d11bdeb667fa6b07ade7a88f4c5676bf9a
SHA512 83391a219631f750499fd9642d59ec80fb377c378997b302d10762e83325551bb97c1086b181fff0521b1ca933e518eab71a44a3578a23691f215ebb1dce463d

C:\Users\Admin\AppData\Local\Temp\nseF143.tmp\7z-out\ffmpeg.dll

MD5 60bc255d5ddd8fc9c8be4c82108a2c8b
SHA1 ad1a0606f27d95608e02d6ad0c40b342008d8f24
SHA256 cd0ccc24489532a6c6e977ea4d25250d9850a395b51c46f90b47ed21ef8044ba
SHA512 fc50c39cdcf60a622cd4b63490c9ef2b4e3897acc05b25e900bff5d351431628e8141048995deb28de270b002d67a3976a4b528a5b50b5d1cac6683f48f1fb38

C:\Users\Admin\AppData\Local\Temp\nseF143.tmp\7z-out\icudtl.dat

MD5 ffd67c1e24cb35dc109a24024b1ba7ec
SHA1 99f545bc396878c7a53e98a79017d9531af7c1f5
SHA256 9ae98c06cbb0ea43c5cd6b5725310c008c65e46072421a1118cb88e1de9a8b92
SHA512 e1a865e685d2d3bacd0916d4238a79462519d887feb273a251120bb6af2b4481d025f3b21ce9a1a95a49371a0aa3ecf072175ba756974e831dbfde1f0feaeb79

C:\Users\Admin\AppData\Local\Temp\nseF143.tmp\7z-out\libEGL.dll

MD5 998ccce35f45d91eda0fbf2272923b03
SHA1 9c99a7a8e4dec171cc0499e229730a241c164fbf
SHA256 ad75ac7d0fe26ee9665c075e705d290233732feb897173597a18887b3d1cad7b
SHA512 b5cf010ccfe4083d83e5c3c8df144bbf30eef991ac2f91f081562cf7e2b4182447cc4f86508fbd1ec229a6a34ab1907c861276776d8f657f557cea2ff7b3003e

C:\Users\Admin\AppData\Local\Temp\nseF143.tmp\7z-out\libGLESv2.dll

MD5 06d7890e8f5423bf90a02137af53d95b
SHA1 980f746f895bef998bb78d7adaccddfab6a9aa5b
SHA256 586a04652de1a392e8f0c4cc69ece9b7370be4953b9fa4019d09207578324e42
SHA512 bad64ac5761e2db7a9453b731c10ba13409aa8793c7e82d56c48c6231f923debb960f89d92eb69ca2914283b85d4102e8e1ec38cb7bf3d1009fc390b45ccd605

C:\Users\Admin\AppData\Local\Temp\nseF143.tmp\7z-out\LICENSE.electron.txt

MD5 4d42118d35941e0f664dddbd83f633c5
SHA1 2b21ec5f20fe961d15f2b58efb1368e66d202e5c
SHA256 5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d
SHA512 3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63

C:\Users\Admin\AppData\Local\Temp\nseF143.tmp\7z-out\LICENSES.chromium.html

MD5 f90bec233251fd8b0cec0a2aa45be071
SHA1 9af25a284eb14f1a8d5e67fd91d7f963d7a9c3d6
SHA256 1479be3660c7ebfa60813d7ce9c5f017d25946ef762b3f1cc571180b25151e48
SHA512 23dec29517ff7ab9999462211844d369f5f7e582037914d1be98af3bf43c41417a27c32314507d19d37d87d9acc4c8da085948794cfe32689dba7a2e0a393b04

C:\Users\Admin\AppData\Local\Temp\nseF143.tmp\7z-out\resources.pak

MD5 8e873d75db7796e02430109a6945b9ba
SHA1 75c1513cc317619e04aa99e0a8dd66164892a77e
SHA256 da22c6359eb8d7205d8401bb6a5cd2b2bf2ed9487953038232baa6ad8a5e9319
SHA512 38a0696a4a6ff0c484ded95f552d89d6bf6324f1759f5c76f32f86cebd1637c25dc87d89c9b3627dd95627ac13c21872d07e045bfa4d576c72b0b8d47798166d

C:\Users\Admin\AppData\Local\Temp\nseF143.tmp\7z-out\v8_context_snapshot.bin

MD5 eaf279610dee0e18089fd16e4467b440
SHA1 caae7ebe351e27d81a6861710d1faba418ba785c
SHA256 096fc3f5002f5032d5c350200d4948851647262fa44f0a7c3770477f9ce620ce
SHA512 355a1d0a82a81d46858a9df7c334b91db869d5c0539451351d188aecd785a4c3d5ac29fa347d6f87c2d0e770f039475fe2fd718b4ce6fb9ea5cf05f1cfcc7973

C:\Users\Admin\AppData\Local\Temp\nseF143.tmp\7z-out\snapshot_blob.bin

MD5 e039d61d0714fdabb0281425cc4ffbbd
SHA1 fd130b3c9f864f5491e913c3b07a2e0b1b0ca5c1
SHA256 803991729117f88eb4d4e64f77c49a1ed40ad1dbf7cce263c9a295bc0a23a975
SHA512 b7c4a2513a52acfb5e9f3671d86625346fb141ce204cc8f794f0521f3e738d05b5704454a77609c1f0a065820cf05bf52718da40674499ae2eb77ea9e2cb663e

C:\Users\Admin\AppData\Local\Temp\nseF143.tmp\7z-out\vk_swiftshader.dll

MD5 a4badb3b16df7c363d00e8b54658a6d2
SHA1 b1ed12455ba568baf79cdf7c6df3f89ea668c8d3
SHA256 809f1914bee43aeb4bc45259893cbd50bdb4c2c54f4381e9ead2cffc048268f6
SHA512 b86f786b1103f7b3d806646a9377664f1e162e4593cdba83ef3b96d37485957ad846ec65477f88c1cf641bcbeb1f47cd133ddc4512f12b0c739918dce4888b84

C:\Users\Admin\AppData\Local\Temp\nseF143.tmp\7z-out\vk_swiftshader_icd.json

MD5 8642dd3a87e2de6e991fae08458e302b
SHA1 9c06735c31cec00600fd763a92f8112d085bd12a
SHA256 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9
SHA512 f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

C:\Users\Admin\AppData\Local\Temp\nseF143.tmp\7z-out\vulkan-1.dll

MD5 ae0ba3c0e27b4c141bb7d8d826ab1417
SHA1 903f8a739b03ef53455edfd30b9b6c83732ae645
SHA256 81f7ed468a8cb5d8847c111ffed008fea78a517c49e6753aae3ae3ab6f4d8127
SHA512 4e4a33463064be6d930950e318535f9f1334f9114ed06dde200851e4dfe9d202f4438e9eed26088edd9c46e741fee64df43311fbf914ae3454166b9ef6ee59f5

C:\Users\Admin\AppData\Local\Temp\nseF143.tmp\7z-out\locales\am.pak

MD5 4ccaf97afc2714724a32e9cd0f528a42
SHA1 7a74b02296cc237885d96179f4f81b65d8538299
SHA256 f5ff8bcffd6222d96bb2c180bea945d9e7f90fe3b4d2123eb3fb6a298f8fc61e
SHA512 f3990073b9f6a3662265bb5f39b942b06913fb3a6a99e3416d1099cc9de4089c9a98209c5e2f633d7eef984c7be155cd9624afc2fa2b0f3a4b735490ce743b84

C:\Users\Admin\AppData\Local\Temp\nseF143.tmp\7z-out\locales\ar.pak

MD5 36039eee6a5822855b838336a05ff45f
SHA1 5aa6582e72184eeeb5bcf51a4c763871f7d490e9
SHA256 9537067ec45eaad411cda478088cdce4bade6fbed5d236c09e1d674db7f8c651
SHA512 a81046c1085a5c054f9388783fbd49d1b149e20aa5524f43b6de98222329eb5d6dc9e9b22f59df59692d5cfc171c7dd2694cb68d77eec38687bb94f295b2bb82

C:\Users\Admin\AppData\Local\Temp\nseF143.tmp\7z-out\locales\af.pak

MD5 14fd36a0675c7f31b38ae67385ecc35e
SHA1 d6c1c568ba36c5ca612caef828ede54d8525ed0b
SHA256 e2f838c58a05496ea2d9ea60ce3c4069784c22a234af27a09530f00612863e9a
SHA512 c96ac6303b0640279e4c9dcda1cd685bdbd01c941c4779eeb0d4a2a91d72cfcc9e5e148316b70e06a9b41c1a11108b75e6740849c0972a92c521d78c935e2bd4

C:\Users\Admin\AppData\Local\Temp\nseF143.tmp\7z-out\locales\bg.pak

MD5 b23e1d286b4332102dded607e667c71e
SHA1 e343facd16bd504714fe102949a3cc06c92d982b
SHA256 bd277988128fec0642d5fb2d922fb6d8dca33eabe2546cdbeef7006ec8b0757a
SHA512 9037089867a0d99f60a458f61ef4e45d00482f9f0558f908fac6e3c8fdf80fa5029de433cf89dd7f55671fdc6e4c8e8742cf9c53d2f4e40b5ea48347a8f8c3df

C:\Users\Admin\AppData\Local\Temp\nseF143.tmp\7z-out\locales\bn.pak

MD5 4be5823c75fcc1c1156a0c8813ccece8
SHA1 123f94f742f5cc20e9da173a611a5f0052253469
SHA256 21b1ab4beab7b420234b18c41fa48d6ce4bf26d5da89e8b235d6e56f74fc2e2d
SHA512 fb3263004a4dac70c1d03be6a9ab984d7d04889b5614a1ccf655f3a76961698dab6dff1c059bb6832487530472be29771e01ae8cc665a19aae4b0f6913b56683

C:\Users\Admin\AppData\Local\Temp\nseF143.tmp\7z-out\locales\ca.pak

MD5 ff3ae427de1581ca390b0b1f36f39f7d
SHA1 9f03512629c5042ef5a52e1a20f08ce5efa351aa
SHA256 3d98926176ea7e250ba58e304a3498d859cf66b9a123498f177300a109f2cf07
SHA512 c6b458415ad16cbe3c3463deb32ca0a1039447e4e170a37581d0945f2cef07068dd37bcc45df49a5507d26fbe2dc26988f7ec50eb7a26f3c0691602440238ff2

C:\Users\Admin\AppData\Local\Temp\nseF143.tmp\7z-out\locales\cs.pak

MD5 c6c7a0107a65fdf86b93aea05f770a47
SHA1 4918ad156e75fac0bdc533442a55acfadb0de6fc
SHA256 3daa3cf19d7b4473394dc35a82781a009eef683ab0f7b1e3db8b84d6dbc4c57e
SHA512 122151d9d773115ee6ee09e7e4add15ae0d98fc7e6af878b3314e5fc1a4945157d3fa83e189817f88ad81d2738f5f2edd42b97198aed6c98e5ec61938c06d352

C:\Users\Admin\AppData\Local\Temp\nseF143.tmp\7z-out\locales\de.pak

MD5 5fce111d16298b7352dce5e116f18d27
SHA1 f5097d5d3939870e3399d04a415e339c0d94a2e2
SHA256 2505f0b9993eb9acb000678fc4616ef1bf19348ab98ff354683ddd51d5ca43bb
SHA512 24ad6cf180b4ec132bb57500523462ae9480cee710fe33e71835336ec5f1d06deac27e9d03cebfd09cbf2e46cee0fe93063921bef79087ff51cf99e07afbbda9

C:\Users\Admin\AppData\Local\Temp\nseF143.tmp\7z-out\locales\es-419.pak

MD5 b69c517bcc9dcacd327b8601a1ad85fb
SHA1 0065beafe7e12673010fe1009729baf507565e05
SHA256 f86e76bda0de5749f30eb7c4eda26d4f4daf7ea307ac4785cad33836e45535e9
SHA512 f4b2fb7f1d728351a7e98fb888dbdd560d84e6471d50ee700f443f549d958fa059be961d0a7e66de56057699b5c674dfc03996da55b09c48635d26f437f9e338

C:\Users\Admin\AppData\Local\Temp\nseF143.tmp\7z-out\locales\fil.pak

MD5 fcba5a4988b87771b4c784fe13209b44
SHA1 2781cd227fd305f6a448156c99d742c622a945de
SHA256 75bd5b252c6629f9eb30c00006c9270e341d12cb94679d334cbff7d35a28d37a
SHA512 bf483c68a6cc236fe5f45ab7982df951f13be571838fef13a5da3a201c98e26dbbaaa3ccb18950d6bc823797590f2fd3caba65b63b6cc9fe11c3123532323286

C:\Users\Admin\AppData\Local\Temp\nseF143.tmp\7z-out\locales\hu.pak

MD5 2f761b20258c04cc9e3335451160b33a
SHA1 2144a0cf0e994f3b7b030fc8c51584b4c1af11d0
SHA256 af4b5654ccf418e5bd34e2850c63e4e73c85eb06da1cbe75207743ecb70135b8
SHA512 b605c0dc34cb070afce84b4d189be63f976f60626f73f0258b52d169dbea59e338a54bb75f801f6c95203dcc179fdb284d3a836cf1420a6f77efa165e1bbb4cb

C:\Users\Admin\AppData\Local\Temp\nseF143.tmp\7z-out\locales\lv.pak

MD5 a49f706e800b0679551442f2e98dad4f
SHA1 e3b505f693c111113fb47c436a8637e8f552fe95
SHA256 ebade538cf0ca8de4878f5ff703a18050d7494dd97e2cba8b0a0f27fe397d468
SHA512 a1f02ef0682727324b7a4f2eecc4bec3b6e363589c39d3ad63c92d9ef36a6f81c7ebf2ff68922f1966e8635a19aa38d109880526502f9a6c1a240c4272409556

C:\Users\Admin\AppData\Local\Temp\nseF143.tmp\7z-out\locales\ru.pak

MD5 0a7e71f5efb94f8527c2a6750d2d2490
SHA1 c449c1b7f56fd5a1f7b536672309b2dd98da080e
SHA256 8558b5ae8a8052b5514ce4dfce04ace907ec54037a0236ee42890f8864a5f92c
SHA512 fc6be5ddd2407a5e59fc47020728b5f3bf85e9ebf7e80e3582f2701752e9dae523cb8a58c1785c52df9b0b169ab8646a9db1eb7cecabb588058bb70cbe113a0e

C:\Users\Admin\AppData\Local\Temp\nseF143.tmp\7z-out\locales\te.pak

MD5 3dedb30de69864333e68f5ee77ef19c1
SHA1 859642c33bcb6c8df0fe7d9ae7d947f4c278cbcc
SHA256 439375bcd7b6533e08c8a73db25dc35e434b0d9fd9e4ace323d6847af7142b2b
SHA512 c15fd0e4bab18f62cae773b85b5d85d66369712d5c5c51f8ef38858de1164bd6f7e11b916eaa5262d7d08eefebf98efd4b3536a9fb1198ca26f38e1881414831

C:\Users\Admin\AppData\Local\Temp\nseF143.tmp\7z-out\locales\zh-TW.pak

MD5 40004fc419866d484f8e05767c57bb7b
SHA1 8fffde55f401c477c77e1c26ce024ac9d22589a7
SHA256 0724dd6f642f15f198780405ffbe08303da6263ea13e73a6cf5ab2ca59e8ec72
SHA512 627009933056b71b921f18ee0af567a24d29b1af23b1333b700c15a05ed78e0c0c09b89579108876108a214458951a8d57376c98632a34b2ee59af6adae0deae

C:\Users\Admin\AppData\Local\Temp\nseF143.tmp\7z-out\resources\app.asar.unpacked\node_modules\@primno\dpapi\prebuilds\win32-x64\node.napi.node

MD5 04bfbfec8db966420fe4c7b85ebb506a
SHA1 939bb742a354a92e1dcd3661a62d69e48030a335
SHA256 da2172ce055fa47d6a0ea1c90654f530abed33f69a74d52fab06c4c7653b48fd
SHA512 4ea97a9a120ed5bee8638e0a69561c2159fc3769062d7102167b0e92b4f1a5c002a761bd104282425f6cee8d0e39dbe7e12ad4e4a38570c3f90f31b65072dd65

C:\Users\Admin\AppData\Local\Temp\nseF143.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\build\Release\node_sqlite3.node

MD5 66a65322c9d362a23cf3d3f7735d5430
SHA1 ed59f3e4b0b16b759b866ef7293d26a1512b952e
SHA256 f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c
SHA512 0a44d12852fc4c74658a49f886c4bc7c715c48a7cb5a3dcf40c9f1d305ca991dd2c2cb3d0b5fd070b307a8f331938c5213188cbb2d27d47737cc1c4f34a1ea21

C:\Users\Admin\AppData\Local\Temp\nseF143.tmp\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

C:\Users\Admin\AppData\Local\Temp\nseF143.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\src\threading.h

MD5 f2a075d3101c2bf109d94f8c65b4ecb5
SHA1 d48294aec0b7aeb03cf5d56a9912e704b9e90bf6
SHA256 e0ab4f798bccb877548b0ab0f3d98c051b36cde240fdf424c70ace7daf0ffd36
SHA512 d95b5fda6cb93874fe577439f7bd16b10eae37b70c45ae2bd914790c1e3ba70dfb6bda7be79d196f2c40837d98f1005c3ed209cab9ba346ada9ce2ed62a87f13

C:\Users\Admin\AppData\Local\Temp\nseF143.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\src\statement.h

MD5 0b81c9be1dc0ff314182399cdc301aea
SHA1 7433b86711d132a4df826bae80e58801a3eb74c9
SHA256 605633ba0fb1922c16aa5fbfffed52a097f29bf31cee7190d810c24c02de515b
SHA512 9cf986538d048a48b9f020fc51f994f25168540db35bdb0314744fdec80a45ba99064bc35fe76b35918753c2886d4466fdd7e36b25838c6039f712e5ac7d81b3

C:\Users\Admin\AppData\Local\Temp\nseF143.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\src\macros.h

MD5 b60768ed9dd86a1116e3bcc95ff9387d
SHA1 c057a7eebba8ce61e27267930a8526ab54920aa3
SHA256 c25be1861bd8e8457300b218f5fa0bba734f9d1f92b47d3b6ab8ee7c1862ccbe
SHA512 84e0670128f1d8712e703b6e4b684b904a8081886c9739c63b71962e5d465ac569b16cb0db74cb41dc015a64dcc1e3a9a20b0cf7f54d4320713cc0f49e0f7363

C:\Users\Admin\AppData\Local\Temp\nseF143.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\src\gcc-preinclude.h

MD5 55a9165c6720727b6ec6cb815b026deb
SHA1 e737e117bdefa5838834f342d2c51e8009011008
SHA256 9d4264bb1dcbef8d927bb3a1809a01b0b89d726c217cee99ea9ccfdc7d456b6f
SHA512 79ed80377bfb576f695f271ed5200bb975f2546110267d264f0ab917f56c26abf6d3385878285fe3e378b254af99b59bdb8bbcab7427788c90a0460eb2ee5b77

C:\Users\Admin\AppData\Local\Temp\nseF143.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\src\database.h

MD5 de31ab62b7068aea6cffb22b54a435bb
SHA1 7fd98864c970caa9c60cfc4ce1e77d736b5b5231
SHA256 8521f458b206ed8f9bf79e2bd869da0a35054b4be44d6ea8c371db207eccb283
SHA512 598491103564b024012da39ac31f54cf39f10da789cd5b17af44e93042d9526b9ffd4867112c5f9755cb4ada398bf5429f01dda6c1bbc5137bea545c3c88453b

C:\Users\Admin\AppData\Local\Temp\nseF143.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\src\backup.h

MD5 29dd2fca11a4e0776c49140ecac95ce9
SHA1 837cfbc391c7faad304e745fc48ae9693afaf433
SHA256 556ba9af78010f41bc6b5b806743dc728bc181934bf8a7c6e5d606f9b8c7a2e9
SHA512 5785667b9c49d4f4320022c98e0567a412b48a790c99569261c12b8738bde0b4949d3998e2b375540ede2ff1d861cad859780ade796b71d4d1d692e1ed449021

C:\Users\Admin\AppData\Local\Temp\nseF143.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\src\async.h

MD5 e8c5e5c02d87e6af4455ff2c59c3588b
SHA1 a0de928c621bb9a71ba9cf002e0f0726e4db7c0e
SHA256 cce55c56b41cb493ebd43b232ff8ffc9f5a180f5bab2d10372eca6780eb105f6
SHA512 ed96889e0d1d5263fb8fed7a4966905b9812c007fbb04b733cadbe84edc7179015b9967ff5f48816ff2c97acf4a5b4792a35cee1f8fce23e5fdc797f8ee0c762

Analysis: behavioral21

Detonation Overview

Submitted

2024-11-13 20:23

Reported

2024-11-13 20:29

Platform

win10v2004-20241007-en

Max time kernel

146s

Max time network

157s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\sqlite3\deps\extract.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\sqlite3\deps\extract.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 102.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-11-13 20:23

Reported

2024-11-13 20:29

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

149s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\sqlite-autoconf-3440200\Replace.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\sqlite-autoconf-3440200\Replace.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 102.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 68.144.22.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-11-13 20:23

Reported

2024-11-13 20:29

Platform

win7-20240903-en

Max time kernel

120s

Max time network

129s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\sqlite3\deps\extract.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\sqlite3\deps\extract.js

Network

N/A

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-11-13 20:23

Reported

2024-11-13 20:29

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

140s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\sqlite-autoconf-3440200\configure.vbs"

Signatures

N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\sqlite-autoconf-3440200\configure.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-11-13 20:23

Reported

2024-11-13 20:29

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

139s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\sqlite-autoconf-3440200\ltmain.sh

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\sqlite-autoconf-3440200\ltmain.sh

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 68.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 20:23

Reported

2024-11-13 20:27

Platform

win10v2004-20241007-en

Max time kernel

12s

Max time network

24s

Command Line

"C:\Users\Admin\AppData\Local\Temp\XrayInject1.2.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2olYxu8i09iVXw5fJuy7NIyuOY9\LNpSUHD317.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2olYxu8i09iVXw5fJuy7NIyuOY9\LNpSUHD317.exe N/A

Enumerates processes with tasklist

discovery

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\XrayInject1.2.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\2olYxu8i09iVXw5fJuy7NIyuOY9\LNpSUHD317.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\Temp\2olYxu8i09iVXw5fJuy7NIyuOY9\LNpSUHD317.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\2olYxu8i09iVXw5fJuy7NIyuOY9\LNpSUHD317.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Users\Admin\AppData\Local\Temp\2olYxu8i09iVXw5fJuy7NIyuOY9\LNpSUHD317.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz C:\Users\Admin\AppData\Local\Temp\2olYxu8i09iVXw5fJuy7NIyuOY9\LNpSUHD317.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\2olYxu8i09iVXw5fJuy7NIyuOY9\LNpSUHD317.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 C:\Users\Admin\AppData\Local\Temp\2olYxu8i09iVXw5fJuy7NIyuOY9\LNpSUHD317.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XrayInject1.2.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4296 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\XrayInject1.2.exe C:\Users\Admin\AppData\Local\Temp\2olYxu8i09iVXw5fJuy7NIyuOY9\LNpSUHD317.exe
PID 4296 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\XrayInject1.2.exe C:\Users\Admin\AppData\Local\Temp\2olYxu8i09iVXw5fJuy7NIyuOY9\LNpSUHD317.exe
PID 2232 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\2olYxu8i09iVXw5fJuy7NIyuOY9\LNpSUHD317.exe C:\Windows\system32\cmd.exe
PID 2232 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\2olYxu8i09iVXw5fJuy7NIyuOY9\LNpSUHD317.exe C:\Windows\system32\cmd.exe
PID 964 wrote to memory of 1380 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 964 wrote to memory of 1380 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2232 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\2olYxu8i09iVXw5fJuy7NIyuOY9\LNpSUHD317.exe C:\Windows\system32\cmd.exe
PID 2232 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\2olYxu8i09iVXw5fJuy7NIyuOY9\LNpSUHD317.exe C:\Windows\system32\cmd.exe
PID 2164 wrote to memory of 2832 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2164 wrote to memory of 2832 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2232 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\2olYxu8i09iVXw5fJuy7NIyuOY9\LNpSUHD317.exe C:\Windows\system32\cmd.exe
PID 2232 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\2olYxu8i09iVXw5fJuy7NIyuOY9\LNpSUHD317.exe C:\Windows\system32\cmd.exe
PID 1448 wrote to memory of 4604 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1448 wrote to memory of 4604 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2232 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\2olYxu8i09iVXw5fJuy7NIyuOY9\LNpSUHD317.exe C:\Windows\system32\cmd.exe
PID 2232 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\2olYxu8i09iVXw5fJuy7NIyuOY9\LNpSUHD317.exe C:\Windows\system32\cmd.exe
PID 4860 wrote to memory of 2432 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4860 wrote to memory of 2432 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2232 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2olYxu8i09iVXw5fJuy7NIyuOY9\LNpSUHD317.exe C:\Windows\system32\cmd.exe
PID 2232 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2olYxu8i09iVXw5fJuy7NIyuOY9\LNpSUHD317.exe C:\Windows\system32\cmd.exe
PID 2656 wrote to memory of 4884 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2656 wrote to memory of 4884 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\XrayInject1.2.exe

"C:\Users\Admin\AppData\Local\Temp\XrayInject1.2.exe"

C:\Users\Admin\AppData\Local\Temp\2olYxu8i09iVXw5fJuy7NIyuOY9\LNpSUHD317.exe

C:\Users\Admin\AppData\Local\Temp\2olYxu8i09iVXw5fJuy7NIyuOY9\LNpSUHD317.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "WMIC csproduct get UUID"

C:\Windows\System32\Wbem\WMIC.exe

WMIC csproduct get UUID

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get serialnumber"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get serialnumber

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell wininit.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell wininit.exe

C:\Windows\system32\wininit.exe

"C:\Windows\system32\wininit.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 68.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\System.dll

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\nsis7z.dll

C:\Users\Admin\AppData\Local\Temp\2olYxu8i09iVXw5fJuy7NIyuOY9\chrome_100_percent.pak

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\chrome_200_percent.pak

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\d3dcompiler_47.dll

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\ffmpeg.dll

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\icudtl.dat

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\LICENSE.electron.txt

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\libGLESv2.dll

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\libEGL.dll

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\LICENSES.chromium.html

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\snapshot_blob.bin

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\resources.pak

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\vulkan-1.dll

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\vk_swiftshader_icd.json

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\vk_swiftshader.dll

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\v8_context_snapshot.bin

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\locales\af.pak

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\locales\am.pak

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\locales\ar.pak

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\locales\bg.pak

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\locales\cs.pak

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\locales\da.pak

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\locales\ca.pak

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\locales\bn.pak

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\locales\de.pak

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\locales\en-US.pak

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\locales\es.pak

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\locales\et.pak

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\locales\es-419.pak

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\locales\en-GB.pak

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\locales\el.pak

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\locales\fil.pak

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\locales\he.pak

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\locales\gu.pak

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\locales\fr.pak

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\locales\fi.pak

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\locales\fa.pak

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\locales\hi.pak

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\locales\hu.pak

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\locales\ja.pak

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\locales\kn.pak

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\locales\it.pak

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\locales\id.pak

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\locales\hr.pak

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\locales\lt.pak

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\locales\mr.pak

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\locales\ml.pak

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\locales\lv.pak

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\locales\ko.pak

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\locales\nb.pak

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\locales\ms.pak

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\locales\pl.pak

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\locales\nl.pak

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\locales\sk.pak

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\locales\ru.pak

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\locales\ro.pak

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\locales\pt-PT.pak

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\locales\pt-BR.pak

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\locales\sv.pak

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\locales\sr.pak

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\locales\sl.pak

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\locales\th.pak

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\locales\ur.pak

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\locales\vi.pak

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\locales\uk.pak

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\locales\tr.pak

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\locales\te.pak

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\locales\ta.pak

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\locales\sw.pak

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\resources\elevate.exe

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\resources\app.asar

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\locales\zh-TW.pak

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\locales\zh-CN.pak

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\resources\app.asar.unpacked\node_modules\@primno\dpapi\dist\index.js

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\resources\app.asar.unpacked\node_modules\@primno\dpapi\package.json

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\resources\app.asar.unpacked\node_modules\@primno\dpapi\LICENSE

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\resources\app.asar.unpacked\node_modules\@primno\dpapi\prebuilds\win32-x64\node.napi.node

MD5 04bfbfec8db966420fe4c7b85ebb506a
SHA1 939bb742a354a92e1dcd3661a62d69e48030a335
SHA256 da2172ce055fa47d6a0ea1c90654f530abed33f69a74d52fab06c4c7653b48fd
SHA512 4ea97a9a120ed5bee8638e0a69561c2159fc3769062d7102167b0e92b4f1a5c002a761bd104282425f6cee8d0e39dbe7e12ad4e4a38570c3f90f31b65072dd65

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\resources\app.asar.unpacked\node_modules\@primno\dpapi\src\main.cpp

MD5 88934cc736b505ada3d07afe22083568
SHA1 6d1d112f4e7fc943dc5c9ce5ad2f32154aeb2f3a
SHA256 1ada21451bab629832372d519e366bfb08c80facfefe5a40c76a4f10a697c905
SHA512 9f45386cba32d13a50360916b0c2f240e43cba5983a86ad80f85c75cd8e6ac2c6b931992842a736e84e234b91fc46a7a66824a3a2748f474cf1bbd22ec138a99

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\resources\app.asar.unpacked\node_modules\@primno\dpapi\src\dpapi_win.cpp

MD5 4a55597a2c7466278439452bb708b822
SHA1 eaadcda8f410f2dd1fd9522fd7a2221624dd1713
SHA256 da37b02fb0babb651244479ea019d229fff1c41ecde74bc06335b5e603d9b30e
SHA512 b20efe8026de41dd8c13c6f844455cacc13fa80bc3dd41fef422fb178054a7c8d6f14af8b1d6928e52648ab95a793aee1f996dc2aceead3aa8d317a99aad23bb

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\resources\app.asar.unpacked\node_modules\@primno\dpapi\src\dpapi_not_supported.cpp

MD5 c510e65ebcb2fa7c00712e770ec8c692
SHA1 ca1ea3c8340dcf69f344d5eaa884631eef37472b
SHA256 7c03cec11c438b6d2512239477d9f1b45d6e16763122a3a36458ab339f50d3c4
SHA512 b0b312426b4409c80b45a0f3337069be9870e050dc8b55184fb2bc63532c247089c8d35cbd1f12f0bd2bd38d581566faa74a6469b548a1ad7d837285ad37c178

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\resources\app.asar.unpacked\node_modules\@primno\dpapi\src\dpapi_addon.h

MD5 ea1e5899ec0210d7de4ce325d1d94022
SHA1 464da48d40547cb08a67a1ed38cb0ae8369f2f42
SHA256 18280b1135123aff82fbf4188a5aadfc9a5d6fffad9309f72f347f380f2da550
SHA512 6dae672ea822a7dc5e42914def21c019c0fa8aeaf1c27c155b78312d8a33a63ae9a1910dd32b72760578671780b8c37b91ff5e1f6588f08c7fbaaff80d8fb6fd

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\package.json

MD5 174bf28fccd7fdb6f0766f31fac3060d
SHA1 655f465658957fbdf935fcb7df0b97c93807147b
SHA256 91008a93e604674024bd65569670af5b01f1e4caf86cde50835ee58f59a5dc61
SHA512 fa1be386a3d74767731aa5ad44ff4d89fb456e7feabde2a6e6f238ed4608a80962cadd6b7ff96f15e306a8e819221b66051fa5a7b0658ad52a2efb488492ff83

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\LICENSE

MD5 79558839a9db3e807e4ae6f8cd100c1c
SHA1 ae3dbcee04c86fbc589fcf2547d4aaaeb41db3c2
SHA256 7686f81e580cd6774f609a2d8a41b2cebdf79bc30e6b46c3efff5a656158981c
SHA512 b42c93f2b097afa6e09d79ed045b4dd293df2c29d91dda5dda04084d3329b721a6aa92a6ad6714564386a7928e9af9195ac310deecd37a93bb04b6a6f744be46

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\deps\sqlite-autoconf-3440200.tar.gz

MD5 c02f40fd4f809ced95096250adc5764a
SHA1 8398dd159f3a1fd8f1c5edf02c687512eaab69e4
SHA256 1c6719a148bc41cf0f2bbbe3926d7ce3f5ca09d878f1246fcc20767b175bb407
SHA512 59ad55df15eb84430f5286db2e5ceddd6ca1fc207a6343546a365c0c1baf20258e96c53d2ad48b50385608d03de09a692ae834cb78a39d1a48cb36a05722e402

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\deps\extract.js

MD5 f0a82a6a6043bf87899114337c67df6c
SHA1 a906c146eb0a359742ff85c1d96a095bd0dd95fd
SHA256 5be353d29c0fabea29cfd34448c196da9506009c0b20fde55e01d4191941dd74
SHA512 d26879f890226808d9bd2644c5ca85cc339760e86b330212505706e5749464fafad1cb5f018c59a8f034d68d327cd3fa5234ceac0677de1ac9ae09039f574240

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\deps\common-sqlite.gypi

MD5 0ad55ae01864df3767d7b61678bd326e
SHA1 ffedcc19095fd54f8619f00f55074f275ceddfd6
SHA256 4d65f2899fb54955218f28ec358a2cad2c2074a7b43f862933c6a35e69ae0632
SHA512 aaee895d110d67e87ed1e8ed6557b060a0575f466a947a4f59cc9d111381e1af6aa54d432233716c78f146168d548a726fed1eab2b3f09bb71e0ae7f4fdc69e3

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\build\Release\node_sqlite3.node

MD5 66a65322c9d362a23cf3d3f7735d5430
SHA1 ed59f3e4b0b16b759b866ef7293d26a1512b952e
SHA256 f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c
SHA512 0a44d12852fc4c74658a49f886c4bc7c715c48a7cb5a3dcf40c9f1d305ca991dd2c2cb3d0b5fd070b307a8f331938c5213188cbb2d27d47737cc1c4f34a1ea21

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\deps\sqlite3.gyp

MD5 0e4d1d898d697ec33a9ad8a27f0483bf
SHA1 1505f707a17f35723cd268744c189d8df47bb3a3
SHA256 8793f62b1133892ba376d18a15f552ef12b1e016f7e5df32ffb7279b760c11bd
SHA512 c530aba70e5555a27d547562d8b826b186540068af9b4ccd01483ec39f083a991ac11d0cc66f40acaa8b03d774080f227ee705a38995f356a14abe6e5f97b545

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\lib\sqlite3.js

MD5 275019a4199a84cfd18abd0f1ae497aa
SHA1 8601683f9b6206e525e4a087a7cca40d07828fd8
SHA256 8d6b400ae7f69a80d0cdd37a968d7b9a913661fa53475e5b8de49dda21684973
SHA512 6422249ccd710973f15d1242a8156d98fa8bdea820012df669e5363c50c5d8492d21ffefcdfa05b46c3c18033dde30f03349e880a4943feda8d1ee3c00f952b0

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\lib\trace.js

MD5 e5c2de3c74bc66d4906bb34591859a5f
SHA1 37ec527d9798d43898108080506126b4146334e7
SHA256 d06caec6136120c6fb7ee3681b1ca949e8b634e747ea8d3080c90f35aeb7728f
SHA512 e250e53dae618929cbf3cb2f1084a105d3a78bdfb6bb29e290f63a1fd5fbb5b2fab934ad16bc285e245d749a90c84bdc72fdc1a77af912b7356c18b0b197fbe5

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\lib\sqlite3-binding.js

MD5 8582b2dcaed9c5a6f3b7cfe150545254
SHA1 14667874e0bfbe4ffc951f3e4bec7c5cf44e5a81
SHA256 762c7a74d7f92860a3873487b68e89f654a21d2aaeae9524eab5de9c65e66a9c
SHA512 22ec4df7697322b23ae2e73c692ed5c925d50fde2b7e72bfc2d5dd873e2da51834b920dea7c67cca5733e8a3f5e603805762e8be238c651aa40290452843411d

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\src\statement.h

MD5 0b81c9be1dc0ff314182399cdc301aea
SHA1 7433b86711d132a4df826bae80e58801a3eb74c9
SHA256 605633ba0fb1922c16aa5fbfffed52a097f29bf31cee7190d810c24c02de515b
SHA512 9cf986538d048a48b9f020fc51f994f25168540db35bdb0314744fdec80a45ba99064bc35fe76b35918753c2886d4466fdd7e36b25838c6039f712e5ac7d81b3

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\src\macros.h

MD5 b60768ed9dd86a1116e3bcc95ff9387d
SHA1 c057a7eebba8ce61e27267930a8526ab54920aa3
SHA256 c25be1861bd8e8457300b218f5fa0bba734f9d1f92b47d3b6ab8ee7c1862ccbe
SHA512 84e0670128f1d8712e703b6e4b684b904a8081886c9739c63b71962e5d465ac569b16cb0db74cb41dc015a64dcc1e3a9a20b0cf7f54d4320713cc0f49e0f7363

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\src\threading.h

MD5 f2a075d3101c2bf109d94f8c65b4ecb5
SHA1 d48294aec0b7aeb03cf5d56a9912e704b9e90bf6
SHA256 e0ab4f798bccb877548b0ab0f3d98c051b36cde240fdf424c70ace7daf0ffd36
SHA512 d95b5fda6cb93874fe577439f7bd16b10eae37b70c45ae2bd914790c1e3ba70dfb6bda7be79d196f2c40837d98f1005c3ed209cab9ba346ada9ce2ed62a87f13

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\src\gcc-preinclude.h

MD5 55a9165c6720727b6ec6cb815b026deb
SHA1 e737e117bdefa5838834f342d2c51e8009011008
SHA256 9d4264bb1dcbef8d927bb3a1809a01b0b89d726c217cee99ea9ccfdc7d456b6f
SHA512 79ed80377bfb576f695f271ed5200bb975f2546110267d264f0ab917f56c26abf6d3385878285fe3e378b254af99b59bdb8bbcab7427788c90a0460eb2ee5b77

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\src\database.h

MD5 de31ab62b7068aea6cffb22b54a435bb
SHA1 7fd98864c970caa9c60cfc4ce1e77d736b5b5231
SHA256 8521f458b206ed8f9bf79e2bd869da0a35054b4be44d6ea8c371db207eccb283
SHA512 598491103564b024012da39ac31f54cf39f10da789cd5b17af44e93042d9526b9ffd4867112c5f9755cb4ada398bf5429f01dda6c1bbc5137bea545c3c88453b

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\src\backup.h

MD5 29dd2fca11a4e0776c49140ecac95ce9
SHA1 837cfbc391c7faad304e745fc48ae9693afaf433
SHA256 556ba9af78010f41bc6b5b806743dc728bc181934bf8a7c6e5d606f9b8c7a2e9
SHA512 5785667b9c49d4f4320022c98e0567a412b48a790c99569261c12b8738bde0b4949d3998e2b375540ede2ff1d861cad859780ade796b71d4d1d692e1ed449021

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\src\async.h

MD5 e8c5e5c02d87e6af4455ff2c59c3588b
SHA1 a0de928c621bb9a71ba9cf002e0f0726e4db7c0e
SHA256 cce55c56b41cb493ebd43b232ff8ffc9f5a180f5bab2d10372eca6780eb105f6
SHA512 ed96889e0d1d5263fb8fed7a4966905b9812c007fbb04b733cadbe84edc7179015b9967ff5f48816ff2c97acf4a5b4792a35cee1f8fce23e5fdc797f8ee0c762

C:\Users\Admin\AppData\Local\Temp\nsgD533.tmp\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_d2lao4e1.y0e.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4884-729-0x000001DB7A060000-0x000001DB7A082000-memory.dmp
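The Files sections of this report list each dropped or extracted artefact as a path followed by MD5, SHA1, SHA256 and SHA512 lines. The Python below is an added example, not part of the sandbox report or of the sample: it parses that layout into records, rejects a digest whose length does not fit its algorithm (the usual sign of a copy-paste truncation), and checks a byte string or a local file against a record. The sample text is copied from the StdUtils.dll and __PSScriptPolicyTest entries above plus the memory-dump line, which carries no hashes; the record and function names are my own.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Expected hex length of each digest the report prints.
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
_HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9A-Fa-f]+)$")


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)   # algorithm -> lowercase hex digest


def parse_files_section(text: str) -> list:
    """Parse the report's 'path, blank line, one hash per line' layout.

    Any non-empty line that is not a hash line starts a new record (a file
    path or a memory-dump name); hash lines attach to the most recent record.
    Raises ValueError when a digest's length does not match its algorithm.
    """
    records = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "N/A":
            continue
        m = _HASH_LINE.match(line)
        if m and current is not None:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{current.path}: {algo} has {len(digest)} hex chars, "
                                 f"expected {HASH_LEN[algo]}")
            current.hashes[algo] = digest
        else:
            current = DroppedFile(path=line)
            records.append(current)
    return records


def hashes_of(data: bytes) -> dict:
    """Compute all four digests of a byte string, keyed the way the report names them."""
    return {algo: getattr(hashlib, algo.lower())(data).hexdigest() for algo in HASH_LEN}


def matches(record: DroppedFile, data: bytes) -> bool:
    """True if every digest the report lists for this record matches data."""
    if not record.hashes:
        return False          # nothing to compare against (e.g. a memory-dump line)
    actual = hashes_of(data)
    return all(actual[algo] == digest for algo, digest in record.hashes.items())


def matches_file(record: DroppedFile, local_path: str) -> bool:
    """Same check for a file on disk."""
    with open(local_path, "rb") as fh:
        return matches(record, fh.read())


def sha256_set(records) -> set:
    """SHA256 values suitable for a blocklist or a retro-hunt query."""
    return {r.hashes["SHA256"] for r in records if "SHA256" in r.hashes}


# Constructed input: three entries copied verbatim from the Files list above.
SAMPLE = """
C:\\Users\\Admin\\AppData\\Local\\Temp\\nsgD533.tmp\\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

C:\\Users\\Admin\\AppData\\Local\\Temp\\__PSScriptPolicyTest_d2lao4e1.y0e.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4884-729-0x000001DB7A060000-0x000001DB7A082000-memory.dmp
"""

if __name__ == "__main__":
    for rec in parse_files_section(SAMPLE):
        print(rec.hashes.get("SHA256", "<no hashes>"), rec.path)
    print(sorted(sha256_set(parse_files_section(SAMPLE))))
```

Feed `parse_files_section` the whole Files block of an analysis and `sha256_set` gives the hunting list; `matches_file` is for confirming that a file recovered from a host is byte-identical to the one the sandbox recorded, not merely the same name.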

Analysis: behavioral15

Detonation Overview

Submitted

2024-11-13 20:23

Reported

2024-11-13 20:29

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

159s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\@primno\dpapi\dist\index.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\@primno\dpapi\dist\index.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 102.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-11-13 20:23

Reported

2024-11-13 20:29

Platform

win10v2004-20241007-en

Max time kernel

145s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\sqlite3\build\Release\node_sqlite3.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\sqlite3\build\Release\node_sqlite3.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 68.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 30.73.42.20.in-addr.arpa udp
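Both Network tables above consist only of reverse lookups (*.in-addr.arpa PTR queries) sent to 8.8.8.8:53; no forward lookup and no connection to any of the addresses being resolved is recorded. The Python below is an added example, not part of the report: it parses the four-column table and decodes each PTR name back into the address that was being reverse-resolved, which is the first thing an analyst needs before deciding whether those addresses belong to the sample's infrastructure or to the platform's own background lookups. The row regex, the dictionary keys and the function names are my own; the sample rows are copied from behavioral19.

```python
import ipaddress
import re
from collections import Counter

# One row of the report's "Country Destination Domain Proto" table.
_ROW = re.compile(r"^(?P<country>[A-Z]{2})\s+(?P<dest>\S+)\s+(?P<name>\S+)\s+(?P<proto>tcp|udp)$")


def ptr_to_ip(name: str):
    """Decode a *.in-addr.arpa or *.ip6.arpa name into the address it reverses.

    Returns None for anything that is not a well-formed reverse name, so
    forward lookups pass through the caller untouched.
    """
    n = name.rstrip(".").lower()
    try:
        if n.endswith(".in-addr.arpa"):
            octets = n[: -len(".in-addr.arpa")].split(".")
            if len(octets) != 4:
                return None
            return str(ipaddress.IPv4Address(".".join(reversed(octets))))
        if n.endswith(".ip6.arpa"):
            nibbles = n[: -len(".ip6.arpa")].split(".")
            if len(nibbles) != 32:
                return None
            hexstr = "".join(reversed(nibbles))
            return str(ipaddress.IPv6Address(":".join(hexstr[i:i + 4] for i in range(0, 32, 4))))
    except ValueError:        # non-numeric label, octet above 255, bad hex nibble
        return None
    return None


def parse_network_table(text: str) -> list:
    """Parse table rows into dicts; the header line and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if not m:
            continue
        host, _, port = m.group("dest").rpartition(":")
        rows.append({
            "country": m.group("country"),
            "dest_ip": host,
            "dest_port": int(port),
            "name": m.group("name"),
            "proto": m.group("proto"),
            "reverse_of": ptr_to_ip(m.group("name")),
        })
    return rows


def _ip_key(addr: str):
    ip = ipaddress.ip_address(addr)
    return (ip.version, ip)


def summarize(rows: list) -> dict:
    """Split the rows into resolvers used, decoded reverse lookups, forward lookups and non-DNS traffic."""
    resolvers = Counter(f'{r["dest_ip"]}:{r["dest_port"]}' for r in rows if r["dest_port"] == 53)
    reverse = sorted({r["reverse_of"] for r in rows if r["reverse_of"]}, key=_ip_key)
    forward = sorted({r["name"] for r in rows if r["dest_port"] == 53 and not r["reverse_of"]})
    non_dns = [r for r in rows if r["dest_port"] != 53]
    return {"resolvers": dict(resolvers), "reverse_lookups": reverse,
            "forward_lookups": forward, "non_dns": non_dns}


# Constructed input: the behavioral19 Network table above, header included.
SAMPLE = """
Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 68.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 30.73.42.20.in-addr.arpa udp
"""

if __name__ == "__main__":
    for key, value in summarize(parse_network_table(SAMPLE)).items():
        print(key, value)
```

The decoded addresses, not the PTR names, are what to look up in the sample's strings and in the other analyses' connection lists: a reverse lookup without a matching forward lookup or connection is far more likely to be something the host was already talking to than a contact initiated by the sample.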

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-11-13 20:23

Reported

2024-11-13 20:29

Platform

win7-20241010-en

Max time kernel

122s

Max time network

128s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\sqlite-autoconf-3440200\ltmain.sh

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\sqlite-autoconf-3440200\ltmain.sh

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\sqlite-autoconf-3440200\ltmain.sh

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\sqlite-autoconf-3440200\ltmain.sh"
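behavioral15, behavioral19 and behavioral28 above show the sandbox driving individual extracted files through wscript.exe, rundll32.exe and cmd /c. The same launch shapes (a script host or rundll32 fed content from a user-writable temp directory, rundll32 calling an export by ordinal, shell32's OpenAs_RunDLL open-with dialog handing a temp file to whatever viewer gets chosen) are what an endpoint detection keys on. The Python below is an added example, not from the report or from the sample: it runs a few such rules over constructed process-creation events whose command lines are copied from the analyses above, plus one ordinary rundll32 call for contrast. The rule names, the event dictionary shape and the directory list are my own choices.

```python
import re

# Directories a standard user can write to; content executed from here deserves a look.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\windows\\temp\\",
                 "\\users\\public\\", "\\programdata\\")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline: str) -> list:
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [quoted if quoted else bare for quoted, bare in _TOKEN.findall(cmdline)]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_user_writable(path: str) -> bool:
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE)


def analyze(event: dict) -> list:
    """Return the names of every rule a process-creation event trips.

    event keys: image (full path of the new process) and cmdline. The rules
    are deliberately narrow: they describe exactly what the sandbox did to
    the extracted files above, which is also what a loader abusing the same
    system binaries would do.
    """
    image = basename(event["image"])
    args = tokenize(event["cmdline"])[1:]
    hits = []

    if image in SCRIPT_HOSTS:
        script = next((a for a in args if not a.startswith("/")), None)
        if script and in_user_writable(script):
            hits.append("script_host_runs_script_from_user_writable_dir")

    if image == "rundll32.exe" and args:
        module, _, export = args[0].partition(",")
        if in_user_writable(module):
            hits.append("rundll32_loads_module_from_user_writable_dir")
        if re.fullmatch(r"#\d+", export):
            hits.append("rundll32_calls_export_by_ordinal")
        if basename(module) == "shell32.dll" and export.lower() == "openas_rundll":
            target = args[1] if len(args) > 1 else ""
            if in_user_writable(target):
                hits.append("openas_dialog_for_file_in_user_writable_dir")

    if image == "cmd.exe" and "/c" in (a.lower() for a in args):
        target = args[-1]
        if in_user_writable(target) and not basename(target).endswith((".bat", ".cmd")):
            hits.append("cmd_c_on_non_batch_file_in_user_writable_dir")

    return hits


def triage(events) -> dict:
    """Map each command line to the rules it trips; benign lines get an empty list."""
    return {e["cmdline"]: analyze(e) for e in events}


# Constructed events: command lines copied from behavioral15, behavioral19 and
# behavioral28 above, plus one ordinary rundll32 invocation that should not fire.
EVENTS = [
    {"image": "C:\\Windows\\system32\\wscript.exe",
     "cmdline": "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\resources\\app.asar.unpacked\\node_modules\\@primno\\dpapi\\dist\\index.js"},
    {"image": "C:\\Windows\\system32\\rundll32.exe",
     "cmdline": "rundll32.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\resources\\app.asar.unpacked\\node_modules\\sqlite3\\build\\Release\\node_sqlite3.dll,#1"},
    {"image": "C:\\Windows\\system32\\cmd.exe",
     "cmdline": "cmd /c C:\\Users\\Admin\\AppData\\Local\\Temp\\sqlite-autoconf-3440200\\ltmain.sh"},
    {"image": "C:\\Windows\\system32\\rundll32.exe",
     "cmdline": "\"C:\\Windows\\system32\\rundll32.exe\" C:\\Windows\\system32\\shell32.dll,OpenAs_RunDLL C:\\Users\\Admin\\AppData\\Local\\Temp\\sqlite-autoconf-3440200\\ltmain.sh"},
    {"image": "C:\\Windows\\system32\\rundll32.exe",
     "cmdline": "rundll32.exe C:\\Windows\\system32\\shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for cmdline, hits in triage(EVENTS).items():
        print(hits or ["-"], cmdline)
```

On the behavioral28 chain specifically: OpenAs_RunDLL is the Windows "Open with" dialog, which cmd /c reached because .sh has no registered handler on the Win7 image, and AcroRd32.exe is simply the viewer that ended up opening ltmain.sh. The SetWindowsHookEx and GetForegroundWindowSpam signatures attributed to AcroRd32.exe in that analysis therefore describe Reader rendering a text file, not code from the sample, and a detection built on these rules should report the OpenAs hit and the viewer launch as one event rather than score the viewer's behaviour on its own.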

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 627c9f4fa3c0b9a3e7108a4c24d8fdb6
SHA1 5472ff9c5647ba96109903a7473972919db29667
SHA256 aa982986e8fe17933585a3b5d028f0b9d986953bb28734b5b84ea8cd723054a6
SHA512 be432b4bbb0b66a651ceb9f2028afced860742770547432bc7d153dec8c47d6423cd299b0835a1e402682b9009ed62c4860ecf3524a0ffacb98e2511fba463ee