Malware Analysis Report

2024-12-08 02:31

Sample ID 230810-rsv35sfd5w
Target 4107cc7c0473fe9a9b674c399e7f4e5f319367b61745105ed0a29b1472c50c7a
SHA256 4107cc7c0473fe9a9b674c399e7f4e5f319367b61745105ed0a29b1472c50c7a
Tags
r77
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4107cc7c0473fe9a9b674c399e7f4e5f319367b61745105ed0a29b1472c50c7a

Threat Level: Known bad

The file 4107cc7c0473fe9a9b674c399e7f4e5f319367b61745105ed0a29b1472c50c7a was found to be: Known bad.

Malicious Activity Summary

r77

r77 rootkit payload

R77 family

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Modifies system certificate store

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-08-10 14:27

Signatures

R77 family

r77

r77 rootkit payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral4

Detonation Overview

Submitted

2023-08-10 14:27

Reported

2023-08-10 14:30

Platform

win10v2004-20230703-en

Max time kernel

150s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe"

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe

"C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 flingtrainer.com udp
US 104.26.0.11:443 flingtrainer.com tcp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 x2.c.lencr.org udp
NL 23.222.33.142:80 x2.c.lencr.org tcp
US 8.8.8.8:53 11.0.26.104.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 142.33.222.23.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 64.13.109.52.in-addr.arpa udp
US 8.8.8.8:53 131.109.69.13.in-addr.arpa udp

Files

memory/1984-133-0x00007FFF16F10000-0x00007FFF179D1000-memory.dmp

memory/1984-135-0x000001EECEDB0000-0x000001EECEDC0000-memory.dmp

memory/1984-134-0x000001EECEDB0000-0x000001EECEDC0000-memory.dmp

memory/1984-136-0x000001EECEDB0000-0x000001EECEDC0000-memory.dmp

memory/1984-137-0x000001EECEDB0000-0x000001EECEDC0000-memory.dmp

memory/1984-138-0x000001EECEDB0000-0x000001EECEDC0000-memory.dmp

memory/1984-139-0x000001EED31E0000-0x000001EED31E8000-memory.dmp

memory/1984-140-0x000001EED3870000-0x000001EED38A8000-memory.dmp

memory/1984-141-0x000001EED3200000-0x000001EED320E000-memory.dmp

memory/1984-154-0x00007FFF16F10000-0x00007FFF179D1000-memory.dmp

memory/1984-155-0x000001EECEDB0000-0x000001EECEDC0000-memory.dmp

memory/1984-156-0x000001EECEDB0000-0x000001EECEDC0000-memory.dmp

memory/1984-157-0x000001EECEDB0000-0x000001EECEDC0000-memory.dmp

memory/1984-158-0x000001EECEDB0000-0x000001EECEDC0000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2023-08-10 14:27

Reported

2023-08-10 14:30

Platform

win7-20230712-en

Max time kernel

150s

Max time network

135s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\www.3dmgame.com.url

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\DOMStorage\3dmgame.com C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\DOMStorage\3dmgame.com\Total = "200" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "107" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\DOMStorage\3dmgame.com\Total = "190" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\DOMStorage\3dmgame.com\NumberOfSubdomains = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\DOMStorage\3dmgame.com\Total = "107" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b14723a8e389564aa88fef2378dcfc6300000000020000000000106600000001000020000000a85636222541f4c396dcdbda46663686bcce0a64a7cfc24cf887d3b20dcbf9eb000000000e8000000002000020000000d6763fd35849f822b3b78354bbc1df12b74d7743983f822e2870f542b84a3e07900000008288d875311e65173df50b6e63882d2b9387194e3e9d4bbcaaa3257a7992097967de7fc1593b7e2e07bc9f6e077132192ca8a68cc58c08ab244f3f748255d16031aad85e61333c0880a1d85a4a191564953237f06693c22098bf4cf60b48a62d114f6d28a204f6cb5a2238178c70903784817aaddb1674ab8656a9e400423c85f69ec99a9bfcc24ece14d5cb4ae93f28400000006b4aad7d2efcd270642ccf2539d8003accc489b53e8fbc264cf8774c65fafe6cf79d93b02243e2b5567e57b81455345ac8f7b795f6f6f2b394e347d701f75bf3 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\DOMStorage\3dmgame.com\Total = "170" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.3dmgame.com C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.3dmgame.com\ = "44" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\DOMStorage\gtimg.com C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.3dmgame.com\ = "190" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.3dmgame.com\ = "170" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\DOMStorage\gtimg.com\NumberOfSubdomains = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b14723a8e389564aa88fef2378dcfc6300000000020000000000106600000001000020000000ac364e5f67814741aa75d3bd0b71058d3081d7f5c3bbc6480ad7984ff8977f17000000000e8000000002000020000000c03c7139b12bf4caa2bbc8884aa132cb716ed665106de26a4dac4c4169a85b27200000006c830beaeacdf20e9b28a2049e63938b6547f9236481a63f42a6b9ee72d7d2ea4000000002961ca1e718bb0f64c8674c9ce72f630aecb9ce0eb62af32d8c5954e92cb88c4b79a679cec0da46895178b88be8212b700b11f3759b340efc5b6b218d5519da C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "200" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d04ddc0397cbd901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.3dmgame.com\ = "200" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "397839549" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{195F4A91-378A-11EE-BA1B-72E7016CB537} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.3dmgame.com\ = "107" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "44" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\DOMStorage C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\DOMStorage\3dmgame.com\Total = "44" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "170" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "190" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\www.3dmgame.com.url

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2312 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.3dmgame.com udp
CN 180.101.45.57:80 www.3dmgame.com tcp
CN 180.101.45.57:80 www.3dmgame.com tcp
CN 180.101.45.57:443 www.3dmgame.com tcp
CN 180.101.45.57:443 www.3dmgame.com tcp
CN 180.101.45.57:443 www.3dmgame.com tcp
CN 180.101.45.57:443 www.3dmgame.com tcp
CN 180.101.45.57:443 www.3dmgame.com tcp
CN 180.101.45.57:443 www.3dmgame.com tcp
US 8.8.8.8:53 dup.baidustatic.com udp
US 8.8.8.8:53 yx.3dmgame.com udp
US 8.8.8.8:53 img.3dmgame.com udp
US 8.8.8.8:53 shop.3dmgame.com udp
US 8.8.8.8:53 syimg.3dmgame.com udp
US 8.8.8.8:53 olimg.3dmgame.com udp
US 8.8.8.8:53 my.3dmgame.com udp
US 8.8.8.8:53 ssl.captcha.qq.com udp
CN 180.101.45.243:443 yx.3dmgame.com tcp
CN 180.101.45.243:443 yx.3dmgame.com tcp
CN 180.101.45.243:443 yx.3dmgame.com tcp
CN 180.101.45.243:443 yx.3dmgame.com tcp
CN 157.255.220.168:443 ssl.captcha.qq.com tcp
CN 157.255.220.168:443 ssl.captcha.qq.com tcp
CN 119.188.176.49:443 dup.baidustatic.com tcp
CN 119.188.176.49:443 dup.baidustatic.com tcp
CN 180.101.45.92:443 my.3dmgame.com tcp
CN 180.101.45.92:443 my.3dmgame.com tcp
CN 43.248.191.98:443 shop.3dmgame.com tcp
CN 43.248.191.98:443 shop.3dmgame.com tcp
CN 43.248.191.98:443 shop.3dmgame.com tcp
CN 43.248.191.98:443 shop.3dmgame.com tcp
CN 180.101.45.57:443 www.3dmgame.com tcp
CN 180.101.45.57:443 www.3dmgame.com tcp
CN 183.136.140.24:443 img.3dmgame.com tcp
CN 183.136.140.24:443 img.3dmgame.com tcp
CN 183.136.140.24:443 img.3dmgame.com tcp
CN 183.136.140.24:443 img.3dmgame.com tcp
CN 183.136.140.24:443 img.3dmgame.com tcp
CN 183.136.140.24:443 img.3dmgame.com tcp
CN 183.136.140.24:443 img.3dmgame.com tcp
CN 183.136.140.24:443 img.3dmgame.com tcp
CN 180.101.45.57:443 www.3dmgame.com tcp
CN 180.101.45.57:443 www.3dmgame.com tcp
US 8.8.8.8:53 ocsp.digicert.cn udp
CN 14.29.101.169:443 olimg.3dmgame.com tcp
CN 14.29.101.169:443 olimg.3dmgame.com tcp
CN 14.29.101.169:443 olimg.3dmgame.com tcp
CN 14.29.101.169:443 olimg.3dmgame.com tcp
CN 14.29.101.169:443 olimg.3dmgame.com tcp
CN 14.29.101.169:443 olimg.3dmgame.com tcp
CN 14.29.101.169:443 olimg.3dmgame.com tcp
CN 14.29.101.169:443 olimg.3dmgame.com tcp
CN 14.29.101.169:443 olimg.3dmgame.com tcp
CN 14.29.101.169:443 olimg.3dmgame.com tcp
US 8.8.8.8:53 ocsp.digicert.cn udp
NL 47.246.48.205:80 ocsp.digicert.cn tcp
NL 47.246.48.205:80 ocsp.digicert.cn tcp
CN 14.29.101.169:443 olimg.3dmgame.com tcp
CN 14.29.101.169:443 olimg.3dmgame.com tcp
CN 180.101.45.57:443 www.3dmgame.com tcp
CN 180.101.45.57:443 www.3dmgame.com tcp
CN 14.29.101.160:443 olimg.3dmgame.com tcp
CN 14.29.101.160:443 olimg.3dmgame.com tcp
US 8.8.8.8:53 pos.baidu.com udp
CN 180.101.45.57:443 www.3dmgame.com tcp
CN 180.101.45.57:443 www.3dmgame.com tcp
CN 182.61.200.109:443 pos.baidu.com tcp
CN 182.61.200.109:443 pos.baidu.com tcp
US 8.8.8.8:53 wn.pos.baidu.com udp
US 8.8.8.8:53 unmc.cdn.bcebos.com udp
CN 182.61.62.32:443 wn.pos.baidu.com tcp
CN 182.61.62.32:443 wn.pos.baidu.com tcp
CN 182.61.62.32:443 wn.pos.baidu.com tcp
CN 180.101.45.57:443 www.3dmgame.com tcp
CN 106.225.194.38:443 unmc.cdn.bcebos.com tcp
CN 106.225.194.38:443 unmc.cdn.bcebos.com tcp
CN 106.225.194.38:443 unmc.cdn.bcebos.com tcp
CN 106.225.194.38:443 unmc.cdn.bcebos.com tcp
CN 180.101.45.57:443 www.3dmgame.com tcp
CN 106.225.194.38:443 unmc.cdn.bcebos.com tcp
CN 180.101.45.57:443 www.3dmgame.com tcp
US 8.8.8.8:53 eclick.baidu.com udp
US 8.8.8.8:53 ocsp.sectigochina.com udp
US 8.8.8.8:53 ocsp.sectigochina.com udp
US 8.8.8.8:53 ocsp.sectigochina.com udp
CN 111.206.208.190:443 eclick.baidu.com tcp
CN 111.206.208.190:443 eclick.baidu.com tcp
US 104.18.8.141:80 ocsp.sectigochina.com tcp
US 104.18.8.141:80 ocsp.sectigochina.com tcp
US 104.18.8.141:80 ocsp.sectigochina.com tcp
CN 14.29.101.168:443 olimg.3dmgame.com tcp
US 8.8.8.8:53 captcha.gtimg.com udp
US 8.8.8.8:53 hm.baidu.com udp
HK 103.235.46.191:443 hm.baidu.com tcp
HK 103.235.46.191:443 hm.baidu.com tcp
CN 180.101.45.57:443 www.3dmgame.com tcp
NL 43.152.42.232:443 captcha.gtimg.com tcp
NL 43.152.42.232:443 captcha.gtimg.com tcp
US 8.8.8.8:53 tam.cdn-go.cn udp
SG 203.205.155.69:443 tam.cdn-go.cn tcp
SG 203.205.155.69:443 tam.cdn-go.cn tcp
CN 183.136.140.24:443 img.3dmgame.com tcp
CN 183.136.140.24:443 img.3dmgame.com tcp
CN 180.101.45.243:443 yx.3dmgame.com tcp
CN 180.101.45.243:443 yx.3dmgame.com tcp
CN 180.101.45.243:443 yx.3dmgame.com tcp
CN 180.101.45.243:443 yx.3dmgame.com tcp
US 8.8.8.8:53 syly.3dmgame.com udp
US 8.8.8.8:53 tj.shwswl.cn udp
CN 14.29.101.160:443 tj.shwswl.cn tcp
CN 14.29.101.160:443 tj.shwswl.cn tcp
CN 14.29.101.160:443 tj.shwswl.cn tcp
CN 43.248.191.98:443 shop.3dmgame.com tcp
CN 43.248.191.98:443 shop.3dmgame.com tcp
CN 43.248.191.98:443 shop.3dmgame.com tcp
CN 43.248.191.98:443 shop.3dmgame.com tcp
CN 14.29.101.160:443 tj.shwswl.cn tcp
CN 14.29.101.160:443 tj.shwswl.cn tcp
CN 180.101.45.243:443 yx.3dmgame.com tcp
CN 14.29.101.168:443 tj.shwswl.cn tcp
CN 14.29.101.168:443 tj.shwswl.cn tcp
CN 111.206.208.190:443 eclick.baidu.com tcp
CN 111.206.208.190:443 eclick.baidu.com tcp
CN 111.206.208.190:443 eclick.baidu.com tcp
CN 111.206.208.190:443 eclick.baidu.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
CN 14.29.101.168:443 tj.shwswl.cn tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/1744-54-0x00000000001C0000-0x00000000001D0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\26DFEA863B576461CB57142C94618B19

MD5 ec71bedd30e901730acf3fdecb9cd111
SHA1 d7ee2bbf780746b052da5a9f913661911e696b89
SHA256 30d94f48d7d16195756073d73b2958033ae5fc85631f94ca8e64e22b44faac2d
SHA512 15bc50313b46da084528a588e281d3641381dfc34dc30a5ed12589cdfd460c62221ecebf4ac300da0d4880f385918f5a27e763e16da69955b1ec5bb8ac37f372

C:\Users\Admin\AppData\Local\Temp\CabDAB7.tmp

MD5 3ac860860707baaf32469fa7cc7c0192
SHA1 c33c2acdaba0e6fa41fd2f00f186804722477639
SHA256 d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
SHA512 d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 570ad449724fac42cc43e003f5cd6b27
SHA1 410e34bc569ab01926fb901a40c7823f8e7cb84c
SHA256 1f74088684f58b3f0c40d9628d0710277277dbae574d7841acb0c09a4b78988f
SHA512 4597fb49c8525d6385e8e75ac24b4a644f1ab685bd0885a85355482efa0adfa6146a9833a7d1865e9a3fb2dc24e744d4a0b85d2e1c17df486b30cf91612b22fb

C:\Users\Admin\AppData\Local\Temp\TarDAE9.tmp

MD5 4ff65ad929cd9a367680e0e5b1c08166
SHA1 c0af0d4396bd1f15c45f39d3b849ba444233b3a2
SHA256 c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6
SHA512 f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U1YVF44Q\se[1].gif

MD5 ad4b0f606e0f8465bc4c4c170b37e1a3
SHA1 50b30fd5f87c85fe5cba2635cb83316ca71250d7
SHA256 cf4724b2f736ed1a0ae6bc28f1ead963d9cd2c1fd87b6ef32e7799fc1c5c8bda
SHA512 ebfe0c0df4bcc167d5cb6ebdd379f9083df62bef63a23818e1c6adf0f64b65467ea58b7cd4d03cf0a1b1a2b07fb7b969bf35f25f1f8538cc65cf3eebdf8a0910

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\19SSI8KP\www.3dmgame[1].xml

MD5 0e742677405855e56285e58f860b886d
SHA1 54c240cf9716d51d81463775a18f069baf34bf2c
SHA256 0b06a2213c2adc385c99fb954936c710fa2c94febcd9d7b07b3cfe438a2f034f
SHA512 a476bdc3bcbce1332af7f25420fdff6fdfcf3412c81ff6532cebfa109c10419283ed236290e7c653c0afc6959abdec539ddc2550226a17330028fc051f93bf46

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\19SSI8KP\www.3dmgame[1].xml

MD5 1366024ed2fb343a5fc7251036ca8f1e
SHA1 66e1d29219166e696b82fcc9517829078b9098bb
SHA256 a4ea420c674d86205b13943cf92440aedc39d50eac28dbe08020e226a1c84798
SHA512 901da423de35eb6f0a59939bd17b6a06a8927d1dc72b64da2e71cbba14103fb0c27635c3a2058d92c421c169b12dca2a6499eadb54a2e0e662abbec346f82421

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U1YVF44Q\favicon[2].ico

MD5 b62511a2f7a054b05f7cc6b3d5a45a3c
SHA1 5e9421f05125cbb7fe90e80940ec370a392534f9
SHA256 4f426cd2a3826f5cdd4ba3dcfd90c66ef2742ac2281ae5a067f74fe4db9634d1
SHA512 3b40a15873b60667b25e4beecd62a9fce66937ee17be4b1af65ce08da5c800bab503e81edc28cf1e2953151343102b22aa13c4ce0d4768604cbdb93567ac0fbe

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\uns8mem\imagestore.dat

MD5 c5668a2ac2403fa012cfc6c83f37980f
SHA1 24af51329d00de917dd7d6f96ca41ef340ed99f4
SHA256 c0a4ee69f6540181a7e9a50fd1b4ae0bc816e0dd6db726f38a016a6f739788b7
SHA512 50f3b8a285d61db9f637609dc833e5e6efcbe182b3083eb83d1e6636a09538ad96cdb7ce670fae73f891ecee521860c3f31b1da238d46a85f12fa29000528537

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 24ad7b2064294dc489491ef1da3e4661
SHA1 f144798af6ac286796711299e14f8fd3c6f2d243
SHA256 526a68278aa48c0e8a0b8f823ab56e70820586db2276d1f0c0efe19f2fca632a
SHA512 48ac325407bdce34ae4ca8ca5fa8b29f83f45f756a3363690e70bd192cabd064c4124403a2eda31bb57c981e6404fd53c33d2724588d206aeba2c58574fa3740

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 214c0a308a9b6e648557eddf15ce28f2
SHA1 e62d01d248f676f895db81ebb595ec139dc37b6c
SHA256 9d9b20d3117edfde49847fcd3d2f486990f15e722a7b7672eda0315a56075722
SHA512 deda64978573bca7622ce7c8d688c7676d7da423316e2d7dd66fe7c80439fe9be9efa05e8ff5be6f8922d7f1d486ac019df6b282bda23ca1b622303c4a9c5442

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 333968eb5b116c5c4348b1f6feb60cc0
SHA1 5701ac7f5698cc11986b05d1d4f96f7d36c72c69
SHA256 298d089e446bab28d139ee55b25b20e5114845d365637913cb4fade52397641c
SHA512 90a7cccb117709436cd1ebd70be799f786c0ab804fce781b68d076a4789178fc02265647c97eb3f3dede2bc4b6fdf4deff52b490af5cb7f015b9e91028f0fa7f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bbed126feb2452b3dcbc4092b4f60126
SHA1 e21fe0937f0dac54e7b06e446c3533e7e656677c
SHA256 e0c5fc1d2f52eec63a9aff704487ffcf233244d36af85658b7c9d99e9bba74ac
SHA512 1a1fb615dcd95789f80fc1ace7248ff631dee9667afd790ee30f408c424d66e7c4f6e4813102d09c97158280456112a18ddcbfaf054fdf2c93edcf08431e5876

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b8907dc546ff4c282776e284c9243ad0
SHA1 d9b75835f98799af92fe4493555bde7e460833ce
SHA256 588c0f2ffeff90d0e673d414fa1e521c5a858e5b1164719dc83074c2a8bf64d4
SHA512 d6474607cd2ad9c95d18803104aeaa8413d6b49ac7645614e2c3e1a0d702e0ea34dbb84ab3ebacb6276d6e4dfa4665d73a148ade8d953c816242294edac79a01

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 32cb24701f54a46c513ff382cd3ae152
SHA1 c2e8db2f8aea22dbd1fcb75cad89ab36eb018000
SHA256 ef5363bf223bd9b7da262408a06fc7545f3f4be5c25b62dfd081087a83e3bc6d
SHA512 2ffbe30f3e19a014cbc35b53285518a26a9267d5f7af753815b66d8e0242d29e0199314f0b251c248bd0536aa4b69ef5ec8c4faa6ed35745fbffc05512761721

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 adabfc6231d05969eb1d2b7d83621e73
SHA1 de26c6cc95a76c9e0c0fdcee49943d558074241e
SHA256 55b726b182d0b8ad701e7b839f9669113de01fb99b47a63a28c41c41253389dc
SHA512 5ad3d9e491cb41bf1bb391d4049e70f2d1ed160cd5dd047c74d8991f5ac7e742f1f9ca9ad2caf3449d0c37ae4d53b6bd0214cf513870a31b0a15ef76c265a91f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c815ab02df83e47a08523f88bdc821b2
SHA1 6107b4596dcd6bd5306bed4b6f1a79042bd580f7
SHA256 6cbbb17f3f0ccfaa1612281aba62239488b0cc282672ebf1fdf6ddd5df41b0da
SHA512 3c25464fbce27826a2da7f1b8e718bd93fa66fe7e27de9a5c547441964ffe214313f02b6a50835d5dbe5a0fad875c0302bdc960183bd212352480e202a26f94c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 45fa83c0e5866d203422c65c15dce140
SHA1 f6a6eb7b25120817275cee397a14a449c511bc34
SHA256 c040545835e6ca09989d940991438609a3da0061422c9a7fbc5cba190ff26cfd
SHA512 25e6774c5e6bad1809e1441be63d53cf73990ce4e1245c1012af4f9202031eb4135a5e70dceb346aa92b2bba343cd2c7ed4febd9d1da5987a0f2521edbca571e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6f0bf54879d012979d661f612c3f396d
SHA1 c09addcc60479afac313e1cf1c697c4299d0554e
SHA256 6afc900b51047e44a7daea17ac51c3a2d51af48645c68fb3dd2cbcd30a59b3f8
SHA512 e63c792f33f8aa82bcf4ce61851e6a09a7f7cb49958df706ef18e7705c215057ffefade535b066f47ab442db5b961e6e6314bc4ade6c8ee36a80606ebaee2d24

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b528a5836eb752f46d134f638f421dbb
SHA1 5cff8989c7bcd55ed0dabd5773c5d9407a78f9fe
SHA256 2562c6cafaf6f1bb481b77738e696f6bf85cfadfeafeca45380d837dde0f7f5c
SHA512 f9031451163e762768923cfbf2402a828069e006b0b93da16a44ccf639e4c4d57f927d94c0aa0476cd9dd3af65c48af90d4ea5b7c30d33d9f28fef6d9ea0b16d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1b76b9dcdee593a7006f41b496b62fc3
SHA1 5ca0cdc972400d1e39fa5c0b6027e2c2dd1d2b27
SHA256 144ce373cb77a4460e259479485c471d5ce0a5498cfdf4ee5910f8b1a09996ea
SHA512 20522a3a2798a9548ebfca3277419e8d4ee707b52cfddb0f3480cadc848dceb157a946bad1b8ea401713fa30691f58f0918af38e19f1439bfc0d2ca0516c17d9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ad7e14fdd3e9af8748f6f63573254206
SHA1 08de5a03643ce9db8c7850803cde6a367e6d46ae
SHA256 7a262ef23a60eccdbb7007a8f33a971853fa35c8e155ad4be35ad1f1eebffff7
SHA512 b297824b687c4a1a8fbbb85380f6ceb95e3c2d4810a43023111d32f7a5adcb79bae6535732c9b31ee656b752351c75b615f3959f245519e223a4b30568f94842

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f4c59709f7886d095753397aed2f652a
SHA1 e0f9b7aa311a35befe622821633d7840ff01312b
SHA256 2210dfdd691d9491e703aa6375c636183ab50985028d98eba89d7ff1e74026db
SHA512 c30590a7b7952d8c096f89ebf8a7f992674b0a08424223d5de86982c95f2d7f392c39c13845fed33c0badfc4b5ae88e42a449d20561dfde08de4109223a17778

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0b755819dc470d2f7fb6e6a9edcf7428
SHA1 25c9eeefe64feecabc11865c1b2ef9dd33790cce
SHA256 311171b1f7cd40f2da98e0dd60cc145bc2c80d99a15bea47f160f7e2e898acc3
SHA512 7e1363c66ed3c73974e31a47ee5c4c02e64c152d284a13787f481fa889a07f501790285491067409382c1f5cb73d6f330615685ea5f8f4abc029e7c8c7d53c64

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e93741156b051cc5a03fef0e9ed1fa68
SHA1 cda53c7414316d9739376b290d15798647bdaea2
SHA256 b37c52b80db74bbf6d9740163f9574be1e230338c12052243302b38ea0287d55
SHA512 b17831744edd300d3406bf7e79253a2a7ddf5e0fba9ebc8c5028163af788dd31abe673af421c11d2528d9ed9c00b01cbd96f3a382e8fd9297fdd1dc85bdd9096

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9b0d60f3a29a6968a9259ac72325f580
SHA1 53a8eac2b0098174cdb48bf4a50e3ecb34cb3ef3
SHA256 f37325fe1a01507992fb39c0cf2ba5e524c719df002151ead8f27ae46c6670a1
SHA512 bd1fced72edc5c8d8d9c5a236db51bb17e55a1995ab3c70ddd6bba0c64d94e10825e0de7ebf04caefbaab16be0593b3f5658f9809f0999ec260a16efcf10ee6f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 618cb191ed5200313ee62aebc67537cf
SHA1 898f8be12e028ad7c8161ec577964664ddfdb378
SHA256 ecbc9b47d62d66af6d530ca3f920fc1dea0906af8787a455d004bd5d577c2550
SHA512 da0584fd5bc84c18860a9c0bfed6866df4221c1e1b0e0fb05a2a1f739b886eb025815ce0d6d745b2c993728a3c9576adad4507c63ec24fb907e58b58f9e62b99

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b0ab7866d3fae781a1fe2c49bc433487
SHA1 4ed953f48b1aa3333818a171a772a7dc6c321f29
SHA256 1f50cd1ac2b7e3a061d842d96a9a954826225b1c65d9b473b21ab60f2ff60a7c
SHA512 d50e5e985f5ab2b1bb4eca8c3b8bf12a53ae4c55f02eacfa618fb176ad8db8a64ecccb36e62a72b54e7696488d84387f4da29b100de98502288695169f3a9ca3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 63741d39ee94a90452791c30a0c54a79
SHA1 7ca689f62fc122c0b35dba0d692aa3e324261dce
SHA256 ab45e373304127796c4e4cd2ddb86c0fc6ca32bfa5081b542e77c42d4aca3a30
SHA512 d60cc7c73be4ab507c3b18c3d43f2a969bf7bffc1740154c13959622f3cd494dcec62468fa6da9b7a3187f02d6069517e6475bf12c248e0f5547a6a574792e65

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dfd173130ababa6821de28f8b5d5da98
SHA1 25a5c04583e095f9a65b11eb3464b04698e7542d
SHA256 4b9055874331abff6caaf42b119505258cd20f929c5e25469fb3747c62038c69
SHA512 8b632fc8a1852db578244e7ae072251cfcfeaa4824b9bb33dc1edf28edcf1bca8ab29dc40877f74a9c284137f48440e86b7b739a1db37ebea799fba897d5603c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5554222d715d18e3d24fb7dbaa7a3ed5
SHA1 aa85f48fda1509b3d94e5a06542cc32f98e3b7f6
SHA256 f19be53b2b45bc3f9bfbee8e4b5ac83e99474947919a01c33883c8633b085756
SHA512 e905d331e849dbae76c03d073cf80703ab4a54d0cadaf935bd60555613fabff1166b22540b04735b2386d7ea752da31bebeb3719031d94be95b90d1d4036d8a9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 91bd7163e5332dd1e5ecec022e5f43bd
SHA1 e14c283e9c2fb3a4886f2aebedebe10589263d9f
SHA256 6cba2db0ba2bf1a9edc21ba749f3874bf501ad4459dd564837dba61f108a2659
SHA512 6542dacbef3f57492bf6c2a7e79bcb3a08677085e82206a885a4a5eaa650711d529d936ba4fe1203bbef9f5dd3b6e38c585131f4fc1013c5a2e4af806273abb6

Analysis: behavioral6

Detonation Overview

Submitted

2023-08-10 14:27

Reported

2023-08-10 14:30

Platform

win10v2004-20230703-en

Max time kernel

149s

Max time network

147s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\www.3dmgame.com.url

Signatures

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2316 wrote to memory of 4608 N/A C:\Windows\System32\rundll32.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2316 wrote to memory of 4608 N/A C:\Windows\System32\rundll32.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4608 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4608 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4608 wrote to memory of 2800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4608 wrote to memory of 2800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4608 wrote to memory of 2800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4608 wrote to memory of 2800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4608 wrote to memory of 2800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4608 wrote to memory of 2800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4608 wrote to memory of 2800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4608 wrote to memory of 2800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4608 wrote to memory of 2800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4608 wrote to memory of 2800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4608 wrote to memory of 2800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4608 wrote to memory of 2800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4608 wrote to memory of 2800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4608 wrote to memory of 2800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4608 wrote to memory of 2800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4608 wrote to memory of 2800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4608 wrote to memory of 2800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4608 wrote to memory of 2800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4608 wrote to memory of 2800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4608 wrote to memory of 2800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4608 wrote to memory of 2800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4608 wrote to memory of 2800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4608 wrote to memory of 2800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4608 wrote to memory of 2800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4608 wrote to memory of 2800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4608 wrote to memory of 2800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4608 wrote to memory of 2800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4608 wrote to memory of 2800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4608 wrote to memory of 2800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4608 wrote to memory of 2800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4608 wrote to memory of 2800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4608 wrote to memory of 2800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4608 wrote to memory of 2800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4608 wrote to memory of 2800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4608 wrote to memory of 2800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4608 wrote to memory of 2800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4608 wrote to memory of 2800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4608 wrote to memory of 2800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4608 wrote to memory of 2800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4608 wrote to memory of 2800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4608 wrote to memory of 4324 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4608 wrote to memory of 4324 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4608 wrote to memory of 4512 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4608 wrote to memory of 4512 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4608 wrote to memory of 4512 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4608 wrote to memory of 4512 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4608 wrote to memory of 4512 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4608 wrote to memory of 4512 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4608 wrote to memory of 4512 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4608 wrote to memory of 4512 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4608 wrote to memory of 4512 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4608 wrote to memory of 4512 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4608 wrote to memory of 4512 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4608 wrote to memory of 4512 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4608 wrote to memory of 4512 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4608 wrote to memory of 4512 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4608 wrote to memory of 4512 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4608 wrote to memory of 4512 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4608 wrote to memory of 4512 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4608 wrote to memory of 4512 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\www.3dmgame.com.url

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.3dmgame.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb0b2546f8,0x7ffb0b254708,0x7ffb0b254718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,1915258349770911433,8848219435791182478,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,1915258349770911433,8848219435791182478,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,1915258349770911433,8848219435791182478,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,1915258349770911433,8848219435791182478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,1915258349770911433,8848219435791182478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,1915258349770911433,8848219435791182478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4236 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,1915258349770911433,8848219435791182478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,1915258349770911433,8848219435791182478,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3096 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,1915258349770911433,8848219435791182478,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3096 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,1915258349770911433,8848219435791182478,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,1915258349770911433,8848219435791182478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,1915258349770911433,8848219435791182478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,1915258349770911433,8848219435791182478,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,1915258349770911433,8848219435791182478,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2040 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 www.3dmgame.com udp
CN 180.101.45.57:80 www.3dmgame.com tcp
CN 180.101.45.57:80 www.3dmgame.com tcp
CN 180.101.45.57:80 www.3dmgame.com tcp
US 8.8.8.8:53 57.45.101.180.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
CN 180.101.45.57:443 www.3dmgame.com tcp
CN 180.101.45.57:443 www.3dmgame.com tcp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 dup.baidustatic.com udp
CN 119.188.176.49:443 dup.baidustatic.com tcp
CN 119.188.176.49:443 dup.baidustatic.com tcp
US 8.8.8.8:53 yx.3dmgame.com udp
CN 180.101.45.243:443 yx.3dmgame.com tcp
CN 180.101.45.243:443 yx.3dmgame.com tcp
CN 180.101.45.243:443 yx.3dmgame.com tcp
CN 180.101.45.243:443 yx.3dmgame.com tcp
US 8.8.8.8:53 img.3dmgame.com udp
US 8.8.8.8:53 49.176.188.119.in-addr.arpa udp
US 8.8.8.8:53 pos.baidu.com udp
CN 180.101.45.243:443 yx.3dmgame.com tcp
CN 182.61.200.109:443 pos.baidu.com tcp
CN 182.61.200.109:443 pos.baidu.com tcp
US 8.8.8.8:53 243.45.101.180.in-addr.arpa udp
US 8.8.8.8:53 109.200.61.182.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
CN 115.231.173.56:443 img.3dmgame.com tcp
CN 115.231.173.56:443 img.3dmgame.com tcp
CN 115.231.173.56:443 img.3dmgame.com tcp
CN 115.231.173.56:443 img.3dmgame.com tcp
CN 115.231.173.56:443 img.3dmgame.com tcp
CN 115.231.173.56:443 img.3dmgame.com tcp
US 8.8.8.8:53 shop.3dmgame.com udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 56.173.231.115.in-addr.arpa udp
CN 43.248.191.98:443 shop.3dmgame.com tcp
CN 43.248.191.98:443 shop.3dmgame.com tcp
US 8.8.8.8:53 unmc.cdn.bcebos.com udp
CN 171.107.86.38:443 unmc.cdn.bcebos.com tcp
CN 171.107.86.38:443 unmc.cdn.bcebos.com tcp
US 8.8.8.8:53 98.191.248.43.in-addr.arpa udp
CN 171.107.86.38:443 unmc.cdn.bcebos.com tcp
US 8.8.8.8:53 syimg.3dmgame.com udp
US 8.8.8.8:53 38.86.107.171.in-addr.arpa udp
CN 14.29.101.169:443 syimg.3dmgame.com tcp
CN 14.29.101.169:443 syimg.3dmgame.com tcp
CN 14.29.101.169:443 syimg.3dmgame.com tcp
US 8.8.8.8:53 my.3dmgame.com udp
US 8.8.8.8:53 ssl.captcha.qq.com udp
CN 14.29.101.169:443 syimg.3dmgame.com tcp
CN 222.187.238.81:443 my.3dmgame.com tcp
CN 157.255.220.168:443 ssl.captcha.qq.com tcp
US 8.8.8.8:53 169.101.29.14.in-addr.arpa udp
CN 222.187.238.81:443 my.3dmgame.com tcp
CN 157.255.220.168:443 ssl.captcha.qq.com tcp
CN 14.29.101.169:443 syimg.3dmgame.com tcp
CN 14.29.101.169:443 syimg.3dmgame.com tcp
US 8.8.8.8:53 81.238.187.222.in-addr.arpa udp
US 8.8.8.8:53 168.220.255.157.in-addr.arpa udp
US 8.8.8.8:53 olimg.3dmgame.com udp
US 8.8.8.8:53 eclick.baidu.com udp
CN 110.242.68.137:443 eclick.baidu.com tcp
CN 110.242.68.137:443 eclick.baidu.com tcp
US 8.8.8.8:53 hm.baidu.com udp
US 8.8.8.8:53 captcha.gtimg.com udp
US 8.8.8.8:53 137.68.242.110.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
HK 103.235.46.191:443 hm.baidu.com tcp
HK 103.235.46.191:443 hm.baidu.com tcp
HK 103.235.46.191:443 hm.baidu.com tcp
NL 43.152.42.39:443 captcha.gtimg.com tcp
US 8.8.8.8:53 39.42.152.43.in-addr.arpa udp
US 8.8.8.8:53 191.46.235.103.in-addr.arpa udp
SG 150.109.90.57:443 tam.cdn-go.cn tcp
SG 150.109.90.57:443 tam.cdn-go.cn tcp
US 8.8.8.8:53 57.90.109.150.in-addr.arpa udp
US 8.8.8.8:53 syly.3dmgame.com udp
CN 14.29.101.169:443 syly.3dmgame.com tcp
US 8.8.8.8:53 tj.shwswl.cn udp
CN 14.29.101.160:443 tj.shwswl.cn tcp
CN 14.29.101.160:443 tj.shwswl.cn tcp
US 8.8.8.8:53 160.101.29.14.in-addr.arpa udp
CN 110.242.68.137:443 eclick.baidu.com tcp
CN 110.242.68.137:443 eclick.baidu.com tcp
CN 110.242.68.137:443 eclick.baidu.com tcp
CN 110.242.68.137:443 eclick.baidu.com tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 64.13.109.52.in-addr.arpa udp
US 8.8.8.8:53 27.73.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 b950ebe404eda736e529f1b0a975e8db
SHA1 4d2c020f1aa70e2bcb666a2dd144d1f3588430b8
SHA256 bcc60276d7110e8d002f24d66ebb043c5761e2a4b6ae7854983cef4beacd9bf4
SHA512 6ba228e5b6464c9602db81de8e1189302d0b2aed78a8b06248ccd9f095ede8621fc9d0faed0a7d079b8c7f4d1164b2895c4d0ef99c93cb95bbe210033e40295a

\??\pipe\LOCAL\crashpad_4608_FHRTZFVKUVSGSBFO

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 bdf7a85ca17829695f4c88831cef8b2d
SHA1 7f09b623bf024a878ccd41040a2192e9f611315e
SHA256 c1efe18a15161197e823f79936ef9558c670bb000829df34ea7ee7aec9aa4862
SHA512 e0448e1f70c61868cbb9b6bbecc5830cc78f3dd0a62179c64cc27a1fdda9c4128c11ceb80a0090fb3d87051592601829dc57d7b3681271f5d28b5148a85babc3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 fafa1b4a8b64c9e72486f9d67a36b8cf
SHA1 b4ca749410edadae9ff05dc92b3ddac53447c32f
SHA256 7ba65f9632db99fe78a12f5ef95aaddc3c4deea19c8777efb0ee7b343cdf688c
SHA512 c65beabdce3cbc0a3d500480a13bad472e8c2069837581ae3419bff798c037faa677d2aa11779aa6b010f1b925b6cde88b04cf030b54fae9271201d155e71d67

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 e26be9ce0f929ad129721b47eab1d5f9
SHA1 cf3c6d3e3468c93db0d6bf95e7405b8cf293fda7
SHA256 b2eccb88fd5d5d229dcd87b1ed2be124418f9a7cba39341b4144ea41eefd6c5b
SHA512 4291b2e0a3e3e3a2ceae1f5faf0086c048f293bbb35997eb145ee533efd56b93a0e73558bb1197405462831dce6785cef472c14f1b5a9dcb8f9e20b38873ce67

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 ca36933e6dea7aa507a272121b34fdbb
SHA1 3b4741ca0308b345de5ecf6c3565b1dbacb0fb86
SHA256 fd14449eb781c58e6e7196a384caf25cba0c59ebdba3b10f8ca0ecfd0c076b5d
SHA512 5a9b186ecf085765caee97a2910008dda926ce412001042e165184083a52fb5fb70f05ca781cd2f7740ecbd938895c77c5aa0f9eb8d812b92f412f336212720e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 807419ca9a4734feaf8d8563a003b048
SHA1 a723c7d60a65886ffa068711f1e900ccc85922a6
SHA256 aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631
SHA512 f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 3d952e43ee32bf70a2da164b32bef023
SHA1 16ff7619885520caa5fc31429f0b281657179dd2
SHA256 73c1e69274843939bdfa975a45779173f5fe7c5066eedefee25f94739ae9ca83
SHA512 80c3641b950b6f818d51eae61ce7a38895d3336599f44177aa3b68966272080c33657cd3b109e1ce52bb7e8c3f52b17a18a6886bebf594c4f692437bf6f3cc58

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe585f90.TMP

MD5 7aed9f576b138542d55be02be8e89455
SHA1 cac611736885e8d8d414e1d1cacd5d483c005a22
SHA256 cd464bf6107abdd5815dd9e6691d25acb7f57a4cbf8e45a9ec08c546f84eca62
SHA512 8125a79a7fdd8e0b5010308bd77a36ee7eee7a1b871e57a352eb33e6d9dd17954125c83a4c357201e9949bcc8df1161f9b9e34f7cc7b6fde9d8384a547c7a084

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 6902443d52e99247d2de27802c6ad1a5
SHA1 c9120809c131641c240fee62b80840c24eead31a
SHA256 2678bba94655c3184e14a5f545f107dbb4b398cbd49426ba6d85f5c26362de1e
SHA512 9187a85bd39c8fb866fccb4d59963133f09bbcba3e54de13112f000a3c7dbcd6da3d02e33ab50f9cff778b1a54f65e442cd815d5d437ef843c491d112be44a95

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 541c2c5d30e756bf5f433a2216bb777a
SHA1 7d30bfaa9bdd795b68e7da65d2b82efe28070cbd
SHA256 22b739a895e6af168b3552e3577d756768d782919f258cfd491880761f7fff3a
SHA512 3c86dd9ec5d7fc5385199f2ecf01da6fb3bedb4f296c482e64ce8c36e25e5d052b6d05f23af82de8e7d0538d5eff1ea1e679d444859b12e14c54581a2a1e7ac6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 43ecae1563d4a9e31c08bb9cbc47ecb3
SHA1 fe8551234d032468152f0a0ba893739ae2e75cb8
SHA256 c315f24c80ece793db3d2ca67b0b21e25ac8d03200c9a348096cfa3d8c2e906e
SHA512 18b15e0af4c71f836dfe51e6e0e59165357631171934a64bfa5eea5666cdb165d61f7f18f881bef35a06919ab56f8cb0016ce956821822dc9750de5ba19b0645

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 936623b60f3791289710c8286b65a8df
SHA1 5ee1f6db3d6d8d39956d3d4c4cec37c0d5ea72e5
SHA256 26c739e684fda81009ea1f6b80d5ef04828b7fbdf594d4e73189c39625579559
SHA512 054b3422ec6e679989155b6f50af7f24eb3700346a0807fbc071337df9835d37c284804e7efeecc4734d6366e7f70f88126d02819303613b7fc275a62ffaa676

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 29daabc566e66f6e55bbcc08a4c26c7b
SHA1 21fba23f5633bd0583743eb5394ff77c2c038a7b
SHA256 1bef05e88f9fe20dd7331512a6419b3dbd0e2674bd493ff5e14f655867e40b19
SHA512 d74557ad616ea61e0cfc4c72738cfc2decaf43a7119f739ccde3872a4bba7cbaec118cb7c675746e79b178b673b4ad3ba46232a0af09b1fc9ef99b6f97b5d7a5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-10 14:27

Reported

2023-08-10 14:30

Platform

win7-20230712-en

Max time kernel

120s

Max time network

125s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\2023年全部热门单机游戏及汉化下载.url

Signatures

N/A

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\2023年全部热门单机游戏及汉化下载.url

Network

N/A

Files

memory/2212-54-0x00000000005C0000-0x00000000005C1000-memory.dmp

memory/2212-55-0x00000000005C0000-0x00000000005C1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-10 14:27

Reported

2023-08-10 14:30

Platform

win10v2004-20230703-en

Max time kernel

116s

Max time network

122s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\2023年全部热门单机游戏及汉化下载.url

Signatures

N/A

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\2023年全部热门单机游戏及汉化下载.url

Network

Country Destination Domain Proto
US 8.8.8.8:53 254.129.241.8.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2023-08-10 14:27

Reported

2023-08-10 14:30

Platform

win7-20230712-en

Max time kernel

150s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe"

Signatures

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe

"C:\Users\Admin\AppData\Local\Temp\Baldurs Gate 3 v4.1.1 Plus 14 Trainer.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 flingtrainer.com udp
US 172.67.72.29:443 flingtrainer.com tcp
US 8.8.8.8:53 apps.identrust.com udp
NL 88.221.25.153:80 apps.identrust.com tcp
US 172.67.72.29:443 flingtrainer.com tcp
US 8.8.8.8:53 x2.c.lencr.org udp
NL 23.222.33.142:80 x2.c.lencr.org tcp
NL 23.222.33.142:80 x2.c.lencr.org tcp

Files

memory/3056-54-0x00000000003D0000-0x0000000000404000-memory.dmp

memory/3056-55-0x00000000003D0000-0x0000000000404000-memory.dmp

memory/3056-56-0x000007FEF53A0000-0x000007FEF5D8C000-memory.dmp

memory/3056-57-0x000000001AFC0000-0x000000001B040000-memory.dmp

memory/3056-58-0x000000001AFC0000-0x000000001B040000-memory.dmp

memory/3056-59-0x000000001AFC0000-0x000000001B040000-memory.dmp

memory/3056-60-0x000000001AFC0000-0x000000001B040000-memory.dmp

memory/3056-61-0x0000000002180000-0x000000000218A000-memory.dmp

memory/3056-62-0x0000000002180000-0x000000000218A000-memory.dmp

memory/3056-63-0x000000001AFC0000-0x000000001B040000-memory.dmp

memory/3056-67-0x000000001AFC0000-0x000000001B040000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab85D5.tmp

MD5 3ac860860707baaf32469fa7cc7c0192
SHA1 c33c2acdaba0e6fa41fd2f00f186804722477639
SHA256 d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
SHA512 d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

C:\Users\Admin\AppData\Local\Temp\Tar872F.tmp

MD5 4ff65ad929cd9a367680e0e5b1c08166
SHA1 c0af0d4396bd1f15c45f39d3b849ba444233b3a2
SHA256 c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6
SHA512 f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e66108a9d12d0d183fae84cae18a0f42
SHA1 994ab08d648a380c71c882ba849dddeb7b577b5a
SHA256 a5bcc600bc96bd2e1755d13cc2a28c1bd0cf27da4eabb19e50c39049f1114386
SHA512 6f0d7756030e87852b5f7f89efb1c394596555f84a6a5caf5816dc791390e5fd01d972dd118cb1711d4634e688ae62a514c1dba16e4a4bf4e4a77b74577659f5

memory/3056-112-0x000007FEF53A0000-0x000007FEF5D8C000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fb4e694ab7493710827f3014b37d9860
SHA1 f3c8e395119f8f80ed411c59315a91617c2bf89a
SHA256 53d897185ac11e9171fab6c73afdde38e497a45baf5b74daaac764062fede8d3
SHA512 288e75869f047320757f09cbc6b7357f0b193dc7d85a600e5bb0fbc1b77d3424b48fa76e4d2679aa5c4eb7f4b9161089f73ec0882161586b141807411d4abe53

memory/3056-180-0x000000001AFC0000-0x000000001B040000-memory.dmp

memory/3056-181-0x000000001AFC0000-0x000000001B040000-memory.dmp

memory/3056-182-0x000000001AFC0000-0x000000001B040000-memory.dmp

memory/3056-183-0x000000001AFC0000-0x000000001B040000-memory.dmp

memory/3056-184-0x0000000002180000-0x000000000218A000-memory.dmp

memory/3056-185-0x0000000002180000-0x000000000218A000-memory.dmp

memory/3056-186-0x000000001AFC0000-0x000000001B040000-memory.dmp