Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 20, 2023, 9:44 a.m.	Nov. 20, 2023, 9:52 a.m.

Size	61.7MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`47437b8a25c634828593283d0679063a`
SHA256	`32dbc7826b9ba7e6efa3eba6aaac1ceac8afb5eefb72644e9aa95f0ed8e8a95b`
CRC32	`BE55E9DF`
ssdeep	`1572864:6m6MrwnMt2uHPRNOMX5bXlaaftMz86vvJ60EGJ:p6MYcHPeMX5caGzV60EGJ`
Yara	Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) PE_Header_Zero - PE File Signature NSIS_Installer - Null Soft Installer ftp_command - ftp command UPX_Zero - UPX packed file

updater3.exe "C:\Users\test22\AppData\Local\Temp\updater3.exe"
2084
- updater3.exe C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\updater3.exe
  2476
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
ipinfo.io	A 34.117.59.81	34.117.59.81

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (17 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 20, 2023, 9:37 a.m.			0	0
IsDebuggerPresent Nov. 20, 2023, 9:37 a.m.			0	0
IsDebuggerPresent Nov. 20, 2023, 9:37 a.m.			0	0
IsDebuggerPresent Nov. 20, 2023, 9:37 a.m.			0	0
IsDebuggerPresent Nov. 20, 2023, 9:37 a.m.			0	0
IsDebuggerPresent Nov. 20, 2023, 9:37 a.m.			0	0
IsDebuggerPresent Nov. 20, 2023, 9:37 a.m.			0	0
IsDebuggerPresent Nov. 20, 2023, 9:37 a.m.			0	0
IsDebuggerPresent Nov. 20, 2023, 9:37 a.m.			0	0
IsDebuggerPresent Nov. 20, 2023, 9:37 a.m.			0	0
IsDebuggerPresent Nov. 20, 2023, 9:38 a.m.			0	0
IsDebuggerPresent Nov. 20, 2023, 9:38 a.m.			0	0
IsDebuggerPresent Nov. 20, 2023, 9:38 a.m.			0	0
IsDebuggerPresent Nov. 20, 2023, 9:38 a.m.			0	0
IsDebuggerPresent Nov. 20, 2023, 9:38 a.m.			0	0
IsDebuggerPresent Nov. 20, 2023, 9:38 a.m.			0	0
IsDebuggerPresent Nov. 20, 2023, 9:38 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 20, 2023, 9:44 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Nov. 20, 2023, 9:38 a.m.	stacktrace: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefdbfa49d ??0V8StackTraceId@v8_inspector@@QEAA@_KU?$pair@_J_J@__1@std@@@Z+0xa26669 Cr_z_adler32_combine-0x6a717 updater3+0x520dd89 @ 0x1447bdd89 ??0V8StackTraceId@v8_inspector@@QEAA@_KU?$pair@_J_J@__1@std@@@Z+0xa26689 Cr_z_adler32_combine-0x6a6f7 updater3+0x520dda9 @ 0x1447bdda9 GetMainTargetServices+0x3737e5 ??_7CommandLineAPIScope@V8InspectorSession@v8_inspector@@6B@-0x1bf381b updater3+0x5628ad5 @ 0x144bd8ad5 GetMainTargetServices+0x3736f0 ??_7CommandLineAPIScope@V8InspectorSession@v8_inspector@@6B@-0x1bf3910 updater3+0x56289e0 @ 0x144bd89e0 ?CheckCachedDataInvariants@ExternalOneByteStringResource@String@v8@@AEBAXXZ+0xd00 ?IsCacheable@ExternalStringResourceBase@String@v8@@UEBA_NXZ-0xf70 updater3+0x30f2f10 @ 0x1426a2f10 ?DijkstraMarkingBarrierRangeSlow@WriteBarrier@internal@cppgc@@CAXAEAVHeapHandle@3@PEBX_K2P6AXPEAVVisitor@3@1@Z@Z+0x315d52 Cr_z_adler32-0x1c03e updater3+0x37ac832 @ 0x142d5c832 ?DijkstraMarkingBarrierRangeSlow@WriteBarrier@internal@cppgc@@CAXAEAVHeapHandle@3@PEBX_K2P6AXPEAVVisitor@3@1@Z@Z+0x315793 Cr_z_adler32-0x1c5fd updater3+0x37ac273 @ 0x142d5c273 Cr_z_crc32+0x3ea0ff ?Abort@WasmModuleObjectBuilderStreaming@v8@@QEAAXV?$MaybeLocal@VValue@v8@@@2@@Z-0x52071 updater3+0x3bb2faf @ 0x143162faf uv_sleep+0x16e4a GetHandleVerifier-0x9446 updater3+0x1c964aa @ 0x1412464aa uv_sleep+0x16d5f GetHandleVerifier-0x9531 updater3+0x1c963bf @ 0x1412463bf uv_sleep+0x16ccd GetHandleVerifier-0x95c3 updater3+0x1c9632d @ 0x14124632d uv_fs_get_result+0x693b2f uv_os_getpid-0xe6b1 updater3+0x16e849f @ 0x140c9849f uv_fs_get_result+0x6936a9 uv_os_getpid-0xeb37 updater3+0x16e8019 @ 0x140c98019 uv_fs_get_result+0x694078 uv_os_getpid-0xe168 updater3+0x16e89e8 @ 0x140c989e8 Cr_z_crc32+0x9c75f ?Abort@WasmModuleObjectBuilderStreaming@v8@@QEAAXV?$MaybeLocal@VValue@v8@@@2@@Z-0x39fa11 updater3+0x386560f @ 0x142e1560f ?DijkstraMarkingBarrierRangeSlow@WriteBarrier@internal@cppgc@@CAXAEAVHeapHandle@3@PEBX_K2P6AXPEAVVisitor@3@1@Z@Z+0x302aa8 Cr_z_adler32-0x2f2e8 updater3+0x3799588 @ 0x142d49588 Cr_z_crc32+0x19e79d ?Abort@WasmModuleObjectBuilderStreaming@v8@@QEAAXV?$MaybeLocal@VValue@v8@@@2@@Z-0x29d9d3 updater3+0x396764d @ 0x142f1764d Cr_z_crc32+0x19dfb7 ?Abort@WasmModuleObjectBuilderStreaming@v8@@QEAAXV?$MaybeLocal@VValue@v8@@@2@@Z-0x29e1b9 updater3+0x3966e67 @ 0x142f16e67 Cr_z_crc32+0x19dd01 ?Abort@WasmModuleObjectBuilderStreaming@v8@@QEAAXV?$MaybeLocal@VValue@v8@@@2@@Z-0x29e46f updater3+0x3966bb1 @ 0x142f16bb1 ?FatalException@node@@YAXPEAVIsolate@v8@@AEBVTryCatch@3@@Z+0x68109 uv_random-0x2cfc77 updater3+0x28a33c9 @ 0x141e533c9 ?FatalException@node@@YAXPEAVIsolate@v8@@AEBVTryCatch@3@@Z+0x67ce8 uv_random-0x2d0098 updater3+0x28a2fa8 @ 0x141e52fa8 uv_os_getpid+0x3791 Cr_z_adler32_z-0x484af updater3+0x16fa2e1 @ 0x140caa2e1 BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76fd652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x776ec521 exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00 exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d exception.instruction: add rsp, 0xc8 exception.module: KERNELBASE.dll exception.exception_code: 0xe0000008 exception.offset: 42141 exception.address: 0x7fefdbfa49d registers.r14: 0 registers.r15: 0 registers.rcx: 121367392 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 121372592 registers.r11: 121369008 registers.r8: 0 registers.r9: 0 registers.rdx: 176 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 1883615353 registers.r13: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Nov. 20, 2023, 9:38 a.m.

stacktrace:

RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefdbfa49d
??0V8StackTraceId@v8_inspector@@QEAA@_KU?$pair@_J_J@__1@std@@@Z+0xa26669 Cr_z_adler32_combine-0x6a717 updater3+0x520dd89 @ 0x1447bdd89
??0V8StackTraceId@v8_inspector@@QEAA@_KU?$pair@_J_J@__1@std@@@Z+0xa26689 Cr_z_adler32_combine-0x6a6f7 updater3+0x520dda9 @ 0x1447bdda9
GetMainTargetServices+0x3737e5 ??_7CommandLineAPIScope@V8InspectorSession@v8_inspector@@6B@-0x1bf381b updater3+0x5628ad5 @ 0x144bd8ad5
GetMainTargetServices+0x3736f0 ??_7CommandLineAPIScope@V8InspectorSession@v8_inspector@@6B@-0x1bf3910 updater3+0x56289e0 @ 0x144bd89e0
?CheckCachedDataInvariants@ExternalOneByteStringResource@String@v8@@AEBAXXZ+0xd00 ?IsCacheable@ExternalStringResourceBase@String@v8@@UEBA_NXZ-0xf70 updater3+0x30f2f10 @ 0x1426a2f10
?DijkstraMarkingBarrierRangeSlow@WriteBarrier@internal@cppgc@@CAXAEAVHeapHandle@3@PEBX_K2P6AXPEAVVisitor@3@1@Z@Z+0x315d52 Cr_z_adler32-0x1c03e updater3+0x37ac832 @ 0x142d5c832
?DijkstraMarkingBarrierRangeSlow@WriteBarrier@internal@cppgc@@CAXAEAVHeapHandle@3@PEBX_K2P6AXPEAVVisitor@3@1@Z@Z+0x315793 Cr_z_adler32-0x1c5fd updater3+0x37ac273 @ 0x142d5c273
Cr_z_crc32+0x3ea0ff ?Abort@WasmModuleObjectBuilderStreaming@v8@@QEAAXV?$MaybeLocal@VValue@v8@@@2@@Z-0x52071 updater3+0x3bb2faf @ 0x143162faf
uv_sleep+0x16e4a GetHandleVerifier-0x9446 updater3+0x1c964aa @ 0x1412464aa
uv_sleep+0x16d5f GetHandleVerifier-0x9531 updater3+0x1c963bf @ 0x1412463bf
uv_sleep+0x16ccd GetHandleVerifier-0x95c3 updater3+0x1c9632d @ 0x14124632d
uv_fs_get_result+0x693b2f uv_os_getpid-0xe6b1 updater3+0x16e849f @ 0x140c9849f
uv_fs_get_result+0x6936a9 uv_os_getpid-0xeb37 updater3+0x16e8019 @ 0x140c98019
uv_fs_get_result+0x694078 uv_os_getpid-0xe168 updater3+0x16e89e8 @ 0x140c989e8
Cr_z_crc32+0x9c75f ?Abort@WasmModuleObjectBuilderStreaming@v8@@QEAAXV?$MaybeLocal@VValue@v8@@@2@@Z-0x39fa11 updater3+0x386560f @ 0x142e1560f
?DijkstraMarkingBarrierRangeSlow@WriteBarrier@internal@cppgc@@CAXAEAVHeapHandle@3@PEBX_K2P6AXPEAVVisitor@3@1@Z@Z+0x302aa8 Cr_z_adler32-0x2f2e8 updater3+0x3799588 @ 0x142d49588
Cr_z_crc32+0x19e79d ?Abort@WasmModuleObjectBuilderStreaming@v8@@QEAAXV?$MaybeLocal@VValue@v8@@@2@@Z-0x29d9d3 updater3+0x396764d @ 0x142f1764d
Cr_z_crc32+0x19dfb7 ?Abort@WasmModuleObjectBuilderStreaming@v8@@QEAAXV?$MaybeLocal@VValue@v8@@@2@@Z-0x29e1b9 updater3+0x3966e67 @ 0x142f16e67
Cr_z_crc32+0x19dd01 ?Abort@WasmModuleObjectBuilderStreaming@v8@@QEAAXV?$MaybeLocal@VValue@v8@@@2@@Z-0x29e46f updater3+0x3966bb1 @ 0x142f16bb1
?FatalException@node@@YAXPEAVIsolate@v8@@AEBVTryCatch@3@@Z+0x68109 uv_random-0x2cfc77 updater3+0x28a33c9 @ 0x141e533c9
?FatalException@node@@YAXPEAVIsolate@v8@@AEBVTryCatch@3@@Z+0x67ce8 uv_random-0x2d0098 updater3+0x28a2fa8 @ 0x141e52fa8
uv_os_getpid+0x3791 Cr_z_adler32_z-0x484af updater3+0x16fa2e1 @ 0x140caa2e1
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76fd652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x776ec521

exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00
exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d
exception.instruction: add rsp, 0xc8
exception.module: KERNELBASE.dll
exception.exception_code: 0xe0000008
exception.offset: 42141
exception.address: 0x7fefdbfa49d
registers.r14: 0
registers.r15: 0
registers.rcx: 121367392
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 121372592
registers.r11: 121369008
registers.r8: 0
registers.r9: 0
registers.rdx: 176
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 1883615353
registers.r13: 0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 106 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Nov. 20, 2023, 9:44 a.m.	process_identifier: 2084 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x741e5000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 20, 2023, 9:37 a.m.	process_identifier: 1236 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000047b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 20, 2023, 9:37 a.m.	process_identifier: 2476 region_size: 241664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000c0004000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 20, 2023, 9:37 a.m.	process_identifier: 2476 region_size: 241664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000c0004000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 20, 2023, 9:37 a.m.	process_identifier: 2476 region_size: 241664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000c0044000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 20, 2023, 9:37 a.m.	process_identifier: 2476 region_size: 241664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000c0044000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 20, 2023, 9:37 a.m.	process_identifier: 2476 region_size: 241664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000c0084000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 20, 2023, 9:37 a.m.	process_identifier: 2476 region_size: 241664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000c0084000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 20, 2023, 9:37 a.m.	process_identifier: 2476 region_size: 241664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000c0084000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 20, 2023, 9:37 a.m.	process_identifier: 2476 region_size: 241664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000c0084000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 20, 2023, 9:37 a.m.	process_identifier: 2476 region_size: 241664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000c0084000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 20, 2023, 9:37 a.m.	process_identifier: 2476 region_size: 241664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000c0084000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 20, 2023, 9:37 a.m.	process_identifier: 2476 region_size: 241664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000c0084000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 20, 2023, 9:37 a.m.	process_identifier: 2476 region_size: 241664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000c0084000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 20, 2023, 9:37 a.m.	process_identifier: 2476 region_size: 241664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000c0084000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 20, 2023, 9:37 a.m.	process_identifier: 2476 region_size: 241664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000c0084000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 20, 2023, 9:37 a.m.	process_identifier: 2476 region_size: 241664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000c0084000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 20, 2023, 9:37 a.m.	process_identifier: 2476 region_size: 241664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000c0084000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 20, 2023, 9:37 a.m.	process_identifier: 2476 region_size: 241664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000c0084000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 20, 2023, 9:37 a.m.	process_identifier: 2476 region_size: 241664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000c0084000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 20, 2023, 9:37 a.m.	process_identifier: 2476 region_size: 241664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000c0084000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 20, 2023, 9:37 a.m.	process_identifier: 2476 region_size: 241664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000c0084000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 20, 2023, 9:37 a.m.	process_identifier: 2476 region_size: 241664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000c0084000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 20, 2023, 9:37 a.m.	process_identifier: 2476 region_size: 241664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000c0084000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 20, 2023, 9:37 a.m.	process_identifier: 2476 region_size: 241664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000c0084000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 20, 2023, 9:37 a.m.	process_identifier: 2476 region_size: 241664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000c0084000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 20, 2023, 9:37 a.m.	process_identifier: 2476 region_size: 241664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000c0084000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 20, 2023, 9:37 a.m.	process_identifier: 2476 region_size: 241664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000c0084000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 20, 2023, 9:37 a.m.	process_identifier: 2476 region_size: 241664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000c0084000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 20, 2023, 9:37 a.m.	process_identifier: 2476 region_size: 241664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000c0084000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 20, 2023, 9:37 a.m.	process_identifier: 2476 region_size: 241664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000c0084000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 20, 2023, 9:37 a.m.	process_identifier: 2476 region_size: 241664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000c0084000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 20, 2023, 9:37 a.m.	process_identifier: 2476 region_size: 241664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000c0084000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 20, 2023, 9:37 a.m.	process_identifier: 2476 region_size: 241664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000c0084000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 20, 2023, 9:37 a.m.	process_identifier: 2476 region_size: 241664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000c0084000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 20, 2023, 9:37 a.m.	process_identifier: 2476 region_size: 241664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000c0004000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 20, 2023, 9:37 a.m.	process_identifier: 2476 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000c0044000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 20, 2023, 9:37 a.m.	process_identifier: 2476 region_size: 241664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000c0084000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 20, 2023, 9:37 a.m.	process_identifier: 2476 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000c0044000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 20, 2023, 9:37 a.m.	process_identifier: 2476 region_size: 241664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000c0084000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 20, 2023, 9:37 a.m.	process_identifier: 2476 region_size: 241664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000c0004000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 20, 2023, 9:37 a.m.	process_identifier: 2476 region_size: 241664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000c0084000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 20, 2023, 9:37 a.m.	process_identifier: 2476 region_size: 241664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000c0084000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 20, 2023, 9:37 a.m.	process_identifier: 2476 region_size: 241664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000c0084000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 20, 2023, 9:37 a.m.	process_identifier: 2476 region_size: 241664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000c0084000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 20, 2023, 9:37 a.m.	process_identifier: 2476 region_size: 241664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000c0084000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 20, 2023, 9:37 a.m.	process_identifier: 2476 region_size: 241664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000c0084000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 20, 2023, 9:37 a.m.	process_identifier: 2476 region_size: 241664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000c0084000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 20, 2023, 9:37 a.m.	process_identifier: 2476 region_size: 241664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000c0084000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 20, 2023, 9:37 a.m.	process_identifier: 2476 region_size: 241664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000c0084000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

A process attempted to delay the analysis task. (2 events)

description	updater3.exe tried to sleep 120 seconds, actually delayed analysis time by 120 seconds
description	explorer.exe tried to sleep 120 seconds, actually delayed analysis time by 120 seconds

Looks up the external IP address (1 event)

domain

ipinfo.io

Creates executable files on the filesystem (13 events)

file	C:\Users\test22\AppData\Local\Temp\nsfC9B4.tmp\7z-out\vulkan-1.dll
file	C:\Users\test22\AppData\Local\Temp\nsfC9B4.tmp\7z-out\libGLESv2.dll
file	C:\Users\test22\AppData\Local\Temp\nsfC9B4.tmp\StdUtils.dll
file	C:\Users\test22\AppData\Local\Temp\nsfC9B4.tmp\7z-out\updater3.exe
file	C:\Users\test22\AppData\Local\Temp\nsfC9B4.tmp\System.dll
file	C:\Users\test22\AppData\Local\Temp\nsfC9B4.tmp\7z-out\ffmpeg.dll
file	C:\Users\test22\AppData\Local\Temp\nsfC9B4.tmp\7z-out\resources\elevate.exe
file	C:\Users\test22\AppData\Local\Temp\nsfC9B4.tmp\nsis7z.dll
file	C:\Users\test22\AppData\Local\Temp\nsfC9B4.tmp\7z-out\vk_swiftshader.dll
file	C:\Users\test22\AppData\Local\Temp\nsfC9B4.tmp\7z-out\swiftshader\libEGL.dll
file	C:\Users\test22\AppData\Local\Temp\nsfC9B4.tmp\7z-out\swiftshader\libGLESv2.dll
file	C:\Users\test22\AppData\Local\Temp\nsfC9B4.tmp\7z-out\libEGL.dll
file	C:\Users\test22\AppData\Local\Temp\nsfC9B4.tmp\7z-out\d3dcompiler_47.dll

Drops an executable to the user AppData folder (4 events)

file	C:\Users\test22\AppData\Local\Temp\nsfC9B4.tmp\nsis7z.dll
file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\resources\elevate.exe
file	C:\Users\test22\AppData\Local\Temp\nsfC9B4.tmp\StdUtils.dll
file	C:\Users\test22\AppData\Local\Temp\nsfC9B4.tmp\System.dll

File has been identified by 4 AntiVirus engines on VirusTotal as malicious (4 events)

Alibaba	TrojanPSW:Win32/Stealer.9410a875
Kaspersky	Trojan-PSW.Win32.Stealer.buua
ZoneAlarm	Trojan-PSW.Win32.Stealer.buua
Tencent	Win32.Trojan-QQPass.QQRob.Adhl

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Nov. 20, 2023, 9:37 a.m.	process_identifier: 2476 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x00000000bfff0000 process_handle: 0xffffffffffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Nov. 20, 2023, 9:38 a.m.	flags: 0 family: 0	1	0	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Nov. 20, 2023, 9:44 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1	0

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\updater3.exe

Drops 60 unknown file mime types indicative of ransomware writing encrypted files back to disk (50 out of 60 events)

file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\chrome_200_percent.pak
file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\locales\da.pak
file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\locales\fr.pak
file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\locales\hr.pak
file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\locales\zh-TW.pak
file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\locales\sw.pak
file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\locales\th.pak
file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\locales\ru.pak
file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\resources\app.asar
file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\locales\es-419.pak
file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\locales\pl.pak
file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\locales\es.pak
file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\locales\fi.pak
file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\locales\te.pak
file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\locales\lv.pak
file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\locales\hi.pak
file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\locales\tr.pak
file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\snapshot_blob.bin
file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\locales\he.pak
file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\resources.pak
file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\icudtl.dat
file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\locales\de.pak
file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\locales\sv.pak
file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\locales\en-GB.pak
file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\locales\pt-PT.pak
file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\locales\vi.pak
file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\locales\bg.pak
file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\locales\nl.pak
file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\locales\bn.pak
file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\locales\ro.pak
file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\locales\ja.pak
file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\locales\et.pak
file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\locales\gu.pak
file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\locales\ms.pak
file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\locales\fil.pak
file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\locales\ca.pak
file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\locales\mr.pak
file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\locales\ta.pak
file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\locales\cs.pak
file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\locales\pt-BR.pak
file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\locales\zh-CN.pak
file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\locales\kn.pak
file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\locales\fa.pak
file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\locales\nb.pak
file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\locales\lt.pak
file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\locales\sr.pak
file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\locales\ml.pak
file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\locales\hu.pak
file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\locales\el.pak
file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\locales\it.pak

Deletes a large number of files from the system indicative of ransomware, wiper malware or system destruction (50 out of 152 events)

file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\resources.pak
file	C:\Users\test22\AppData\Local\Temp\nsfC9B4.tmp\7z-out\snapshot_blob.bin
file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\chrome_100_percent.pak
file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\locales\fa.pak
file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\locales\fil.pak
file	C:\Users\test22\AppData\Local\Temp\nsfC9B4.tmp\7z-out\locales\da.pak
file	C:\Users\test22\AppData\Local\Temp\nsfC9B4.tmp\7z-out\locales\pt-BR.pak
file	C:\Users\test22\AppData\Local\Temp\nsfC9B4.tmp\7z-out\locales\id.pak
file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\locales\am.pak
file	C:\Users\test22\AppData\Local\Temp\nsfC9B4.tmp\7z-out\vk_swiftshader.dll
file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\locales\kn.pak
file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\LICENSE.electron.txt
file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\locales\th.pak
file	C:\Users\test22\AppData\Local\Temp\nsfC9B4.tmp\7z-out\updater3.exe
file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\vulkan-1.dll
file	C:\Users\test22\AppData\Local\Temp\nsfC9B4.tmp\7z-out\locales\fr.pak
file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\updater3.exe
file	C:\Users\test22\AppData\Local\Temp\nsfC9B4.tmp\7z-out\ffmpeg.dll
file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\locales\lt.pak
file	C:\Users\test22\AppData\Local\Temp\nsfC9B4.tmp\7z-out\resources\app.asar
file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\locales\ja.pak
file	C:\Users\test22\AppData\Local\Temp\nsfC9B4.tmp\7z-out\locales\hi.pak
file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\locales\da.pak
file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\locales\ko.pak
file	C:\Users\test22\AppData\Local\Temp\nsfC9B4.tmp\7z-out\libGLESv2.dll
file	C:\Users\test22\AppData\Local\Temp\nsfC9B4.tmp\7z-out\locales\bn.pak
file	C:\Users\test22\AppData\Local\Temp\nsfC9B4.tmp\7z-out\locales\vi.pak
file	C:\Users\test22\AppData\Local\Temp\nsfC9B4.tmp\7z-out\locales\es.pak
file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\vk_swiftshader_icd.json
file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\locales\pl.pak
file	C:\Users\test22\AppData\Local\Temp\nsfC9B4.tmp\StdUtils.dll
file	C:\Users\test22\AppData\Local\Temp\nsfC9B4.tmp\app-64.7z
file	C:\Users\test22\AppData\Local\Temp\nsfC9B4.tmp\7z-out\locales\de.pak
file	C:\Users\test22\AppData\Local\Temp\nsfC9B4.tmp\7z-out\chrome_100_percent.pak
file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\swiftshader\libEGL.dll
file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\locales\bn.pak
file	C:\Users\test22\AppData\Local\Temp\nsfC9B4.tmp\7z-out\d3dcompiler_47.dll
file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\locales\es-419.pak
file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\locales\uk.pak
file	C:\Users\test22\AppData\Local\Temp\nsfC9B4.tmp\7z-out\locales\et.pak
file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\locales\vi.pak
file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\chrome_200_percent.pak
file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\locales\hu.pak
file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\locales\sv.pak
file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\locales\en-US.pak
file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\locales\sk.pak
file	C:\Users\test22\AppData\Local\Temp\nsfC9B4.tmp\7z-out\locales\pt-PT.pak
file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\locales\ro.pak
file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\locales\te.pak
file	C:\Users\test22\AppData\Local\Temp\2YLot0gX3mmRYdPR1gWDIdybAKO\icudtl.dat

updater3.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All