Malware Analysis Report

2024-10-24 17:05

Sample ID: 240123-n5by9ahhgk
Target: funni game.rar
SHA256: 355bb7cd13e2b17a20c4956af0f402c107a186e95ad82864913b1849cc044939
Tags: persistence discovery pyinstaller crealstealer spyware stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral13, behavioral14, behavioral15, behavioral16, behavioral2, behavioral4, behavioral7, behavioral11, behavioral6, behavioral9, behavioral12, behavioral8, behavioral10, behavioral18, behavioral1, behavioral3, behavioral5, behavioral17 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10

SHA256: 355bb7cd13e2b17a20c4956af0f402c107a186e95ad82864913b1849cc044939

Threat Level: Known bad

The file funni game.rar was found to be: Known bad.

Malicious Activity Summary

persistence discovery pyinstaller crealstealer spyware stealer

Crealstealer family

An infostealer written in Python and packaged with PyInstaller.

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

Drops startup file

Accesses cryptocurrency files/wallets, possible credential harvesting

Legitimate hosting services abused for malware hosting/C2

Enumerates connected drives

Blocklisted process makes network request

Looks up external IP address via web service

Adds Run key to start application

Checks installed software on the system

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Detects Pyinstaller

Enumerates processes with tasklist

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-01-23 11:59

Signatures

An infostealer written in Python and packaged with PyInstaller.

Description Indicator Process Target
N/A N/A N/A N/A

Crealstealer family

crealstealer

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral13

Detonation Overview

Submitted: 2024-01-23 11:58
Reported: 2024-01-23 12:03
Platform: win11-20231215-en
Max time kernel: 143s
Max time network: 152s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\funni game\money\MonoBleedingEdge\etc\mono\4.5\DefaultWsdlHelpGenerator.js"

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\funni game\money\MonoBleedingEdge\etc\mono\4.5\DefaultWsdlHelpGenerator.js"

Network

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted: 2024-01-23 11:58
Reported: 2024-01-23 12:03
Platform: win11-20231215-en
Max time kernel: 142s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\funni game\money\UnityCrashHandler64.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\funni game\money\UnityCrashHandler64.exe

"C:\Users\Admin\AppData\Local\Temp\funni game\money\UnityCrashHandler64.exe"

Network

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted: 2024-01-23 11:58
Reported: 2024-01-23 12:03
Platform: win11-20231215-en
Max time kernel: 85s
Max time network: 90s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\funni game\money\UnityPlayer.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\funni game\money\UnityPlayer.dll",#1

Network

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted: 2024-01-23 11:58
Reported: 2024-01-23 12:03
Platform: win11-20231222-en
Max time kernel: 84s
Max time network: 91s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\funni game\money\VclStylesinno.dll",#1

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1916 wrote to memory of 4348 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\funni game\money\VclStylesinno.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\funni game\money\VclStylesinno.dll",#1

Network

Files


Analysis: behavioral2

Detonation Overview

Submitted: 2024-01-23 11:58
Reported: 2024-01-23 12:03
Platform: win11-20231215-en
Max time kernel: 141s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\funni game\_Redist\dxwebsetup.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\funni game\_Redist\dxwebsetup.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\DirectX\WebSetup C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A
File opened for modification C:\Windows\SysWOW64\directx\websetup\SET9CAD.tmp C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A
File created C:\Windows\SysWOW64\directx\websetup\SET9CAD.tmp C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A
File opened for modification C:\Windows\SysWOW64\directx\websetup\dsetup.dll C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A
File opened for modification C:\Windows\SysWOW64\directx\websetup\SET9CAE.tmp C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A
File created C:\Windows\SysWOW64\directx\websetup\SET9CAE.tmp C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A
File opened for modification C:\Windows\SysWOW64\directx\websetup\dsetup32.dll C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Logs\DirectX.log C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\funni game\_Redist\dxwebsetup.exe

"C:\Users\Admin\AppData\Local\Temp\funni game\_Redist\dxwebsetup.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe

Network

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe

MD5 eaa6b5ee297982a6a396354814006761
SHA1 780bf9a61c080a335e8712c5544fcbf9c7bdcd72
SHA256 d298fd82a39b2385a742ba1992466e081bea0f49e19ece6b2c87c7c262e1fcee
SHA512 ebdc887b6b334b7560f85ab2ebd29dc1f3a2dedac7f70042594f2a9bc128b6fca0a0e7704318ed69b7acf097e962533b3ce07713ef80e8acfe09374c13302999

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.inf

MD5 ad8982eaa02c7ad4d7cdcbc248caa941
SHA1 4ccd8e038d73a5361d754c7598ed238fc040d16b
SHA256 d63c35e9b43eb0f28ffc28f61c9c9a306da9c9de3386770a7eb19faa44dbfc00
SHA512 5c805d78bafff06c36b5df6286709ddf2d36808280f92e62dc4c285edd9176195a764d5cf0bb000da53ca8bbf66ddd61d852e4259e3113f6529e2d7bdbdd6e28

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dsetup.dll

MD5 0a23038ea472ffc938366ef4099d6635
SHA1 6499d741776dc4a446c22ea11085842155b34176
SHA256 8f2c455c9271290dcde2f68589cf825f9134beecb7e8b7e2ecbcabeab792280a
SHA512 dcc1c2ea86fd3a7870cd0369fa42f63d493895c546dcdd492ee19079a0d0696d689bbfe7b686d4fa549841896a54e673fc4581b80783d7aa255dfad765b9dc88

C:\Windows\SysWOW64\directx\websetup\dsetup32.dll

MD5 7672509436485121135c2a0e30b9e9ff
SHA1 f557022a9f42fe1303078093e389f21fb693c959
SHA256 d7ea3cf1b9b639010005e503877026597a743d1068ae6a453ce77cc202796fea
SHA512 e46ff68c4a532017f8ab15b1e46565508f6285b72c7a1cbe964ed5e75320c8e14587d01fee61b3966f43636bfe74cebd21f7665b4a726281e771cf9230e69863

Analysis: behavioral4

Detonation Overview

Submitted: 2024-01-23 11:58
Reported: 2024-01-23 12:03
Platform: win11-20231215-en
Max time kernel: 87s
Max time network: 91s

Command Line

"C:\Users\Admin\AppData\Local\Temp\funni game\_Redist\vcredist_2015-2019_x64.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\funni game\_Redist\vcredist_2015-2019_x64.exe

"C:\Users\Admin\AppData\Local\Temp\funni game\_Redist\vcredist_2015-2019_x64.exe"

C:\Windows\Temp\{1ACD4A0F-8CBD-4963-9E52-DE61D83CB5A0}\.cr\vcredist_2015-2019_x64.exe

"C:\Windows\Temp\{1ACD4A0F-8CBD-4963-9E52-DE61D83CB5A0}\.cr\vcredist_2015-2019_x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\funni game\_Redist\vcredist_2015-2019_x64.exe" -burn.filehandle.attached=552 -burn.filehandle.self=560

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

C:\Windows\Temp\{1ACD4A0F-8CBD-4963-9E52-DE61D83CB5A0}\.cr\vcredist_2015-2019_x64.exe

MD5 843288fd72a1152b50b4e4b7344bb592
SHA1 648416c53721a85666abaf71c6682fcc1da70b48
SHA256 82c3e3423e48bafcdd726624eb7fd3e00674e50e4b6acdcac408fe8fae43b022
SHA512 04b61bb0a6e748ab78b1037db68bc9ec1745bb3efaca0b8fb6d99e01abbe08a67168cbf3f714b72daf00da26084ec6f6f707c3cd08fa8243023e6924719a4e41

C:\Windows\Temp\{1EE2A48F-F1C9-4584-9914-9051FB7593CC}\.ba\wixstdba.dll

MD5 eab9caf4277829abdf6223ec1efa0edd
SHA1 74862ecf349a9bedd32699f2a7a4e00b4727543d
SHA256 a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041
SHA512 45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

C:\Windows\Temp\{1EE2A48F-F1C9-4584-9914-9051FB7593CC}\.ba\logo.png

MD5 d6bd210f227442b3362493d046cea233
SHA1 ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
SHA256 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
SHA512 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Analysis: behavioral7

Detonation Overview

Submitted: 2024-01-23 11:58
Reported: 2024-01-23 12:03
Platform: win11-20231222-en
Max time kernel: 85s
Max time network: 88s

Command Line

"C:\Users\Admin\AppData\Local\Temp\funni game\_Redist\vcredist_x86.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\8fb80513af922e55f42912d619e0505e\Setup.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\8fb80513af922e55f42912d619e0505e\Setup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz \??\c:\8fb80513af922e55f42912d619e0505e\Setup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\funni game\_Redist\vcredist_x86.exe

"C:\Users\Admin\AppData\Local\Temp\funni game\_Redist\vcredist_x86.exe"

\??\c:\8fb80513af922e55f42912d619e0505e\Setup.exe

c:\8fb80513af922e55f42912d619e0505e\Setup.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

\??\c:\8fb80513af922e55f42912d619e0505e\Setup.exe

MD5 006f8a615020a4a17f5e63801485df46
SHA1 78c82a80ebf9c8bf0c996dd8bc26087679f77fea
SHA256 d273460aa4d42f0b5764383e2ab852ab9af6fecb3ed866f1783869f2f155d8be
SHA512 c603ed6f3611eb7049a43a190ed223445a9f7bd5651100a825917198b50c70011e950fa968d3019439afa0a416752517b1c181ee9445e02da3904f4e4b73ce76

\??\c:\8fb80513af922e55f42912d619e0505e\SetupEngine.dll

MD5 2ce89b538356e670e62750b1f33bd0ac
SHA1 7d3617a83245b67330d989419fb34a77273cd4ea
SHA256 751321dc3254ead521ec8c09a6ca8ef2003b4b39e2d0c65227c6054cd19c5638
SHA512 9604e55920c3977e0dcdeae81ba3107fe8cce9b07eae5dee799d993029ea00fad16f6c3c71ea20d886fd3e28c5bdc54a4125286a9b28d3a2566ddb7325519f38

C:\8fb80513af922e55f42912d619e0505e\sqmapi.dll

MD5 522539538d30c7c65b7fb630e1e0d253
SHA1 2a24277b3a5bb0a23b22f5d2bb2960c908caa981
SHA256 1b6348f49c67b76f5ed1ba110e7dba1e4c8978ef44eb83752a09a0b7d7db8529
SHA512 4d9d89cfcf669afb7773b43a80d4fad62ad5f578ddffd1f40774fc083174a0a1f689a8e764b73a072630e92436ed8721d895c1c2a087d7e463aff14946a4f5c3

\??\c:\8fb80513af922e55f42912d619e0505e\sqmapi.dll

MD5 c4ac0aa1013c5f3a2a98c0e43b78a31b
SHA1 77fb9510e43e2751b043a6ddd95c10e5fd4274d6
SHA256 55a44e4943d0264aae6723be94ebefab3be2e2964582f16c4ffc54bdf49cc54f
SHA512 01b2a944d7e3b35036ec992a5d5a709c865d0ee7ad2a50cd53f3e15c257d405d6349078a097d50a240c76fa08d594a43e31dca48a5b134d733006c750f2dcb4d

C:\8fb80513af922e55f42912d619e0505e\SetupEngine.dll

MD5 60c6c41c760ffed24b2b38c79233e2df
SHA1 619b83ccf7a2d1c3fb8f7e4ac848e782cbaac5b1
SHA256 499817ea9bd1485a724a8237af10273048d176080e4ecb2ae751a42747a8a734
SHA512 95250841e0ac1d1618997edd681318893501f5f3a3b376f81e612395e972fbf42e53e1f0114cd0bd9060d84e1ff07c0a41c20c708cdc0bc6772d77259f9ff373

C:\Users\Admin\AppData\Local\Temp\Setup_20240123_120122165.html

MD5 80ec1f4bdacdf4a790163d4984651946
SHA1 5f39ab048a650dcf732f8976852c7eb53c83777a
SHA256 263a98685d9bbc8dd6e838880a7767aef6edb97701430294ffd498646c45bedf
SHA512 dd65367ba14edc41fa775ac604d76b8e627617e59eb8253dbdcb239c55c2950ac67b46cf4dd9561462a7f12d2c956b62529da35774e0057cb4be7f8ea0b58c5d

\??\c:\8fb80513af922e55f42912d619e0505e\DHTMLHeader.html

MD5 2f7c8f1228b8d6ae5674a5fc71f0eceb
SHA1 bf579f712fc4a92bfffb095dc47592d3d44b5cf5
SHA256 54693db0f0b9f0e64b1a40eaf31f6f661026ee4140c89b5610fcb850d9c3ac4d
SHA512 d5718f942e3165acd1cc7b27c9bcc46afb1115ab59d80aa3c0f16c17fd56acbd6296d8cd6e3f66e171497f5701e055148a4e7abcbe888ebccb5a7562ce60414a

\??\c:\8fb80513af922e55f42912d619e0505e\1033\LocalizedData.xml

MD5 d642e322d1e8b739510ca540f8e779f9
SHA1 36279c76d9f34c09ebddc84fd33fcc7d4b9a896c
SHA256 5d90345ff74e177f6da8fb6459c1cfcac080e698215ca75feb130d0d1f2a76b9
SHA512 e1e16ae14bc7cc1608e1a08d3c92b6d0518b5fabd27f2c0eb514c87afc3d6192bf7a793a583afc65f1899f03dc419263b29174456e1ec9ab0f0110e0258e0f0d

\??\c:\8fb80513af922e55f42912d619e0505e\ParameterInfo.xml

MD5 66590f13f4c9ba563a9180bdf25a5b80
SHA1 d6d9146faeec7824b8a09dd6978e5921cc151906
SHA256 bf787b8c697ce418f9d4c07260f56d1145ca70db1cc4b1321d37840837621e8f
SHA512 aba67c66c2f3d9b3c9d71d64511895f15f696be8be0eedd2d6908e1203c4b0cf318b366f9f3cd9c3b3b8c0770462f83e6eea73e304c43f88d0cbedf69e7c92b3

\??\c:\8fb80513af922e55f42912d619e0505e\1028\LocalizedData.xml

MD5 7fc06a77d9aafca9fb19fafa0f919100
SHA1 e565740e7d582cd73f8d3b12de2f4579ff18bb41
SHA256 a27f809211ea1a2d5224cd01101aa3a59bf7853168e45de28a16ef7ed6acd46a
SHA512 466dcc6a5fb015be1619f5725fa62ca46eb0fb428e11f93fd9d82e5df61c3950b3fb62d4db7746cc4a2be199e5e69eaa30b6f3354e0017cfa14d127fad52f8cf

\??\c:\8fb80513af922e55f42912d619e0505e\UiInfo.xml

MD5 812f8d2e53f076366fa3a214bb4cf558
SHA1 35ae734cfb99bb139906b5f4e8efbf950762f6f0
SHA256 0d36a884a8381778bea71f5f9f0fc60cacadebd3f814679cb13414b8e7dbc283
SHA512 1dcc3ef8c390ca49fbcd50c02accd8cc5700db3594428e2129f79feb81e4cbbeef1b4a10628b2cd66edf31a69ed39ca2f4e252ad8aa13d2f793fca5b9a1eaf23

\??\c:\8fb80513af922e55f42912d619e0505e\1040\LocalizedData.xml

MD5 0af948fe4142e34092f9dd47a4b8c275
SHA1 b3d6dd5c126280398d9055f90e2c2c26dbae4eaa
SHA256 c4c7c0ddaa6d6a3a1dc260e9c5a24bdfaa98c427c69e8a65427dd7cac0a4b248
SHA512 d97b5fe2553ca78a3019d53e33d2db80c9fa1cf1d8d2501d9ddf0576c7e6ea38dab754fe4712123abf34b97e10b18fb4bbd1c76d3dacb87b4682e501f93423d9

\??\c:\8fb80513af922e55f42912d619e0505e\1036\LocalizedData.xml

MD5 e382abc19294f779d2833287242e7bc6
SHA1 1ceae32d6b24a3832f9244f5791382865b668a72
SHA256 43f913ff28d677316f560a0f45221f35f27cfaf5fc5bd645974a82dca589edbf
SHA512 06054c8048cade36a3af54f9a07fd8fa5eb4f3228790996d2abea7ee1ee7eb563d46bd54ff97441f9610e778194082c44e66c5f566c9c50a042aba9eb9cae25e

\??\c:\8fb80513af922e55f42912d619e0505e\1031\LocalizedData.xml

MD5 b83c3803712e61811c438f6e98790369
SHA1 61a0bc59388786ced045acd82621bee8578cae5a
SHA256 2aa6e8d402e44d9ee895b18195f46bf90259de1b6f44efd46a7075b110f2dcd6
SHA512 e020f93e3a082476087e690ad051f1feb210e0915924bb4548cc9f53a7ee2760211890eb6036ce9e5e4a311abc0300e89e25efbbb894c2a621ffbc9d64cc8a38

\??\c:\8fb80513af922e55f42912d619e0505e\3082\LocalizedData.xml

MD5 5397a12d466d55d566b4209e0e4f92d3
SHA1 fcffd8961fb487995543fc173521fdf5df6e243b
SHA256 f124d318138ff084b6484deb354cca0f72296e1341bf01169792b3e060c89e89
SHA512 7708f5a2ad3e4c90c4c216600435af87a1557f60caf880a3dd9b5f482e17399af9f0b9de03ff1dbdd210583e0fec5b466e35794ac24d6d37f9bbc094e52fc77b

\??\c:\8fb80513af922e55f42912d619e0505e\2052\LocalizedData.xml

MD5 52b1dc12ce4153aa759fb3bbe04d01fc
SHA1 bf21f8591c473d1fce68a9faf1e5942f486f6eba
SHA256 d1735c8cfd8e10ba019d70818c19fa865e7c72f30ab6421a3748408f85fb96c3
SHA512 418903ae9a7baebf73d055e4774ff1917fbaab9ee7ed8c120c34bb10e7303f6dd7b7dae701596d4626387a30ae1b4d329a9af49b8718b360e2ff619c56c19623

\??\c:\8fb80513af922e55f42912d619e0505e\1049\LocalizedData.xml

MD5 0eeb554d0b9f9fcdb22401e2532e9cd0
SHA1 08799520b72a1ef92ac5b94a33509d1eddf6caf8
SHA256 beef0631c17a4fb1ff0b625c50c6cb6c8ce90a1ae62c5e60e14bf3d915ad509c
SHA512 2180e46a5a2ea1f59c879b729806ca02a232c66660f29c338c1fa7fbee2afa4b13d8777d1f7b63cf831eb42f3e55282d70aa8e53f40616b8a6e4d695c36e313d

\??\c:\8fb80513af922e55f42912d619e0505e\1042\LocalizedData.xml

MD5 71dfd70ae141f1d5c1366cb661b354b2
SHA1 c4b22590e6f6dd5d39e5158b831ae217ce17a776
SHA256 cccda55294aeb4af166a8c0449bca2189ddf5aa9a43d5e939dd3803e61738331
SHA512 5000d62f3de41c3fb0ed8a8e9c37dbf4eb427c4f1e3ad3823d4716c6fe62250bac11b7987a302b8a45d91aabcf332457f7aff7d99f15edeffe540639e9440e8a

\??\c:\8fb80513af922e55f42912d619e0505e\1041\LocalizedData.xml

MD5 7fcfbc308b0c42dcbd8365ba62bada05
SHA1 18a0f0e89b36818c94de0ad795cc593d0e3e29a9
SHA256 01e7d24dd8e00b5c333e96d1bb83813e02e96f89aad0c2f28f84551d28abbbe2
SHA512 cd6f912a037e86d9e1982c73f0f8b3c4d5a9a6b5b108a7b89a46e6691e430a7cb55718de9a0c05650bb194c8d4a2e309ad6221d638cfca8e16aa5920881ba649

\??\c:\8fb80513af922e55f42912d619e0505e\SetupUi.xsd

MD5 2fadd9e618eff8175f2a6e8b95c0cacc
SHA1 9ab1710a217d15b192188b19467932d947b0a4f8
SHA256 222211e8f512edf97d78bc93e1f271c922d5e91fa899e092b4a096776a704093
SHA512 a3a934a8572ff9208d38cf381649bd83de227c44b735489fd2a9dc5a636ead9bb62459c9460ee53f61f0587a494877cd3a3c2611997be563f3137f8236ffc4ca

\??\c:\8fb80513af922e55f42912d619e0505e\Strings.xml

MD5 332adf643747297b9bfa9527eaefe084
SHA1 670f933d778eca39938a515a39106551185205e9
SHA256 e49545feeae22198728ad04236e31e02035af7cc4d68e10cbecffd08669cbeca
SHA512 bea95ce35c4c37b4b2e36cc1e81fc297cc4a8e17b93f10423a02b015ddb593064541b5eb7003560fbeee512ed52869a113a6fb439c1133af01f884a0db0344b0

C:\8fb80513af922e55f42912d619e0505e\1033\SetupResources.dll

MD5 9547d24ac04b4d0d1dbf84f74f54faf7
SHA1 71af6001c931c3de7c98ddc337d89ab133fe48bb
SHA256 36d0159ed1a7d88000737e920375868765c0a1dd6f5a5acbb79cf7d97d9e7a34
SHA512 8b6048f4185a711567679e2de4789407077ce5bfe72102d3cb1f23051b8d3e6bfd5886c801d85b4e62f467dd12da1c79026a4bc20b17f54c693b2f24e499d40f

\??\c:\8fb80513af922e55f42912d619e0505e\SetupUi.dll

MD5 eb881e3dddc84b20bd92abcec444455f
SHA1 e2c32b1c86d4f70e39de65e9ebc4f361b24ff4a1
SHA256 11565d97287c01d22ad2e46c78d8a822fa3e6524561d4c02dfc87e8d346c44e7
SHA512 5750cec73b36a3f19bfb055f880f3b6498a7ae589017333f6272d26f1c72c6f475a3308826268a098372bbb096b43fbd1e06e93eecc0a81046668228bc179a75

memory/3368-97-0x0000000001390000-0x0000000001391000-memory.dmp

\??\c:\8fb80513af922e55f42912d619e0505e\graphics\stop.ico

MD5 5dfa8d3abcf4962d9ec41cfc7c0f75e3
SHA1 4196b0878c6c66b6fa260ab765a0e79f7aec0d24
SHA256 b499e1b21091b539d4906e45b6fdf490d5445256b72871aece2f5b2562c11793
SHA512 69a13d4348384f134ba93c9a846c6760b342e3a7a2e9df9c7062088105ac0b77b8a524f179efb1724c0ce168e01ba8bb46f2d6fae39cabe32cab9a34fc293e4a

\??\c:\8fb80513af922e55f42912d619e0505e\graphics\save.ico

MD5 7d62e82d960a938c98da02b1d5201bd5
SHA1 194e96b0440bf8631887e5e9d3cc485f8e90fbf5
SHA256 ae041c8764f56fd89277b34982145d16fc59a4754d261c861b19371c3271c6e5
SHA512 ab06b2605f0c1f6b71ef69563c0c977d06c6ea84d58ef7f2baecba566d6037d1458c2b58e6bfd70ddef47dccbdea6d9c2f2e46dea67ea9e92457f754d7042f67

\??\c:\8fb80513af922e55f42912d619e0505e\graphics\print.ico

MD5 7e55ddc6d611176e697d01c90a1212cf
SHA1 e2620da05b8e4e2360da579a7be32c1b225deb1b
SHA256 ff542e32330b123486797b410621e19eafb39df3997e14701afa4c22096520ed
SHA512 283d381aa396820b7e15768b20099d67688da1f6315ec9f7938c2fcc3167777502cded0d1beddf015a34cc4e5d045bcb665ffd28ba2fbb6faf50fdd38b31d16e

\??\c:\8fb80513af922e55f42912d619e0505e\graphics\setup.ico

MD5 3d25d679e0ff0b8c94273dcd8b07049d
SHA1 a517fc5e96bc68a02a44093673ee7e076ad57308
SHA256 288e9ad8f0201e45bc187839f15aca79d6b9f76a7d3c9274c80f5d4a4c219c0f
SHA512 3bde668004ca7e28390862d0ae9903c756c16255bdbb3f7e73a5b093ce6a57a3165d6797b0a643b254493149231aca7f7f03e0af15a0cbe28aff02f0071ec255

memory/3368-102-0x0000000001390000-0x0000000001391000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted: 2024-01-23 11:58
Reported: 2024-01-23 12:03
Platform: win11-20231215-en
Max time kernel: 81s
Max time network: 89s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\funni game\money\MonoBleedingEdge\etc\mono\2.0\DefaultWsdlHelpGenerator.js"

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\funni game\money\MonoBleedingEdge\etc\mono\2.0\DefaultWsdlHelpGenerator.js"

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted: 2024-01-23 11:58
Reported: 2024-01-23 12:03
Platform: win11-20231215-en
Max time kernel: 84s
Max time network: 89s

Command Line

"C:\Users\Admin\AppData\Local\Temp\funni game\_Redist\vcredist_x64.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\2a4cb7d2edb3d89c624551\Setup.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\2a4cb7d2edb3d89c624551\Setup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz \??\c:\2a4cb7d2edb3d89c624551\Setup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\funni game\_Redist\vcredist_x64.exe

"C:\Users\Admin\AppData\Local\Temp\funni game\_Redist\vcredist_x64.exe"

\??\c:\2a4cb7d2edb3d89c624551\Setup.exe

c:\2a4cb7d2edb3d89c624551\Setup.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

C:\2a4cb7d2edb3d89c624551\Setup.exe

\??\c:\2a4cb7d2edb3d89c624551\SetupEngine.dll

\??\c:\2a4cb7d2edb3d89c624551\sqmapi.dll

C:\Users\Admin\AppData\Local\Temp\Setup_20240123_120123395.html

\??\c:\2a4cb7d2edb3d89c624551\DHTMLHeader.html

\??\c:\2a4cb7d2edb3d89c624551\UiInfo.xml

\??\c:\2a4cb7d2edb3d89c624551\ParameterInfo.xml

\??\c:\2a4cb7d2edb3d89c624551\1041\LocalizedData.xml

\??\c:\2a4cb7d2edb3d89c624551\1040\LocalizedData.xml

\??\c:\2a4cb7d2edb3d89c624551\1036\LocalizedData.xml

\??\c:\2a4cb7d2edb3d89c624551\1031\LocalizedData.xml

\??\c:\2a4cb7d2edb3d89c624551\1028\LocalizedData.xml

\??\c:\2a4cb7d2edb3d89c624551\1033\LocalizedData.xml

\??\c:\2a4cb7d2edb3d89c624551\3082\LocalizedData.xml

\??\c:\2a4cb7d2edb3d89c624551\2052\LocalizedData.xml

\??\c:\2a4cb7d2edb3d89c624551\1049\LocalizedData.xml

\??\c:\2a4cb7d2edb3d89c624551\1042\LocalizedData.xml

\??\c:\2a4cb7d2edb3d89c624551\SetupUi.dll

C:\2a4cb7d2edb3d89c624551\1033\SetupResources.dll

\??\c:\2a4cb7d2edb3d89c624551\Strings.xml

\??\c:\2a4cb7d2edb3d89c624551\SetupUi.xsd

memory/3728-97-0x0000000002400000-0x0000000002401000-memory.dmp

\??\c:\2a4cb7d2edb3d89c624551\graphics\setup.ico

\??\c:\2a4cb7d2edb3d89c624551\graphics\stop.ico

\??\c:\2a4cb7d2edb3d89c624551\graphics\save.ico

\??\c:\2a4cb7d2edb3d89c624551\graphics\print.ico

memory/3728-102-0x0000000002400000-0x0000000002401000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-01-23 11:58

Reported

2024-01-23 12:03

Platform

win11-20231215-en

Max time kernel

83s

Max time network

88s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\funni game\money\MonoBleedingEdge\EmbedRuntime\MonoPosixHelper.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\funni game\money\MonoBleedingEdge\EmbedRuntime\MonoPosixHelper.dll",#1

Network

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-01-23 11:58

Reported

2024-01-23 12:03

Platform

win11-20231215-en

Max time kernel

80s

Max time network

89s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\funni game\money\MonoBleedingEdge\etc\mono\4.0\DefaultWsdlHelpGenerator.js"

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\funni game\money\MonoBleedingEdge\etc\mono\4.0\DefaultWsdlHelpGenerator.js"

Network

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-01-23 11:58

Reported

2024-01-23 12:03

Platform

win11-20231215-en

Max time kernel

85s

Max time network

125s

Command Line

msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\funni game\_Redist\xnafx40_redist.msi"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\funni game\_Redist\xnafx40_redist.msi"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

Network

Country Destination Domain Proto
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-01-23 11:58

Reported

2024-01-23 12:03

Platform

win11-20231215-en

Max time kernel

83s

Max time network

91s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\funni game\money\MonoBleedingEdge\EmbedRuntime\mono-2.0-bdwgc.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\funni game\money\MonoBleedingEdge\EmbedRuntime\mono-2.0-bdwgc.dll",#1

Network

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-01-23 11:58

Reported

2024-01-23 12:03

Platform

win11-20231215-en

Max time kernel

83s

Max time network

90s

Command Line

"C:\Users\Admin\AppData\Local\Temp\funni game\money\good game.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\good game.exe C:\Users\Admin\AppData\Local\Temp\funni game\money\good game.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\funni game\money\good game.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\funni game\money\good game.exe

"C:\Users\Admin\AppData\Local\Temp\funni game\money\good game.exe"

C:\Users\Admin\AppData\Local\Temp\funni game\money\good game.exe

"C:\Users\Admin\AppData\Local\Temp\funni game\money\good game.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.ipify.org udp
US 8.8.8.8:53 api.gofile.io udp
FR 51.38.43.18:443 api.gofile.io tcp
US 104.237.62.211:443 api.ipify.org tcp
US 206.168.190.239:443 store9.gofile.io tcp
DE 159.89.102.253:443 geolocation-db.com tcp
US 162.159.137.232:443 discord.com tcp
FR 31.14.70.252:443 store10.gofile.io tcp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI26802\python310.dll

C:\Users\Admin\AppData\Local\Temp\_MEI26802\VCRUNTIME140.dll

C:\Users\Admin\AppData\Local\Temp\_MEI26802\base_library.zip

C:\Users\Admin\AppData\Local\Temp\_MEI26802\_ctypes.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI26802\python3.DLL

C:\Users\Admin\AppData\Local\Temp\_MEI26802\libffi-7.dll

C:\Users\Admin\AppData\Local\Temp\_MEI26802\_lzma.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI26802\_bz2.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI26802\_socket.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI26802\select.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI26802\pyexpat.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI26802\_queue.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI26802\win32api.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI26802\pywin32_system32\pywintypes310.dll

C:\Users\Admin\AppData\Local\Temp\_MEI26802\pywin32_system32\pythoncom310.dll

C:\Users\Admin\AppData\Local\Temp\_MEI26802\_ssl.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI26802\libcrypto-1_1.dll

C:\Users\Admin\AppData\Local\Temp\_MEI26802\libssl-1_1.dll

C:\Users\Admin\AppData\Local\Temp\_MEI26802\sqlite3.dll

C:\Users\Admin\AppData\Local\Temp\_MEI26802\_uuid.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI26802\unicodedata.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI26802\_cffi_backend.cp310-win_amd64.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI26802\_hashlib.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI26802\_sqlite3.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI26802\_overlapped.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI26802\_asyncio.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI26802\Crypto\Cipher\_raw_ecb.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI26802\Crypto\Cipher\_raw_cbc.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI26802\Crypto\Cipher\_raw_ofb.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI26802\Crypto\Cipher\_raw_ctr.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI26802\Crypto\Cipher\_raw_cfb.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI26802\Crypto\Util\_strxor.pyd

C:\Users\Admin\AppData\Local\Temp\crcook.txt

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-23 11:58

Reported

2024-01-23 12:03

Platform

win11-20231215-en

Max time kernel

141s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\funni game\_Redist\dotNetFx40_Full_setup.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\fa13f525a490c1d506ed20\Setup.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Panther\UnattendGC\setuperr.log C:\Windows\System32\oobe\UserOOBEBroker.exe N/A
File opened for modification C:\Windows\Panther\UnattendGC\diagerr.xml C:\Windows\System32\oobe\UserOOBEBroker.exe N/A
File opened for modification C:\Windows\Panther\UnattendGC\diagwrn.xml C:\Windows\System32\oobe\UserOOBEBroker.exe N/A
File opened for modification C:\Windows\Panther\UnattendGC\setupact.log C:\Windows\System32\oobe\UserOOBEBroker.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\fa13f525a490c1d506ed20\Setup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\fa13f525a490c1d506ed20\Setup.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\fa13f525a490c1d506ed20\Setup.exe N/A
N/A N/A C:\fa13f525a490c1d506ed20\Setup.exe N/A
N/A N/A C:\fa13f525a490c1d506ed20\Setup.exe N/A
N/A N/A C:\fa13f525a490c1d506ed20\Setup.exe N/A
N/A N/A C:\fa13f525a490c1d506ed20\Setup.exe N/A
N/A N/A C:\fa13f525a490c1d506ed20\Setup.exe N/A
N/A N/A C:\fa13f525a490c1d506ed20\Setup.exe N/A
N/A N/A C:\fa13f525a490c1d506ed20\Setup.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4516 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\funni game\_Redist\dotNetFx40_Full_setup.exe C:\fa13f525a490c1d506ed20\Setup.exe
PID 4516 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\funni game\_Redist\dotNetFx40_Full_setup.exe C:\fa13f525a490c1d506ed20\Setup.exe
PID 4516 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\funni game\_Redist\dotNetFx40_Full_setup.exe C:\fa13f525a490c1d506ed20\Setup.exe
PID 2244 wrote to memory of 3384 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2244 wrote to memory of 3384 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2244 wrote to memory of 2328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2244 wrote to memory of 2328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2244 wrote to memory of 2328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2244 wrote to memory of 2328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2244 wrote to memory of 2328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2244 wrote to memory of 2328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2244 wrote to memory of 2328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2244 wrote to memory of 2328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2244 wrote to memory of 2328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2244 wrote to memory of 2328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2244 wrote to memory of 2328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2244 wrote to memory of 2328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2244 wrote to memory of 2328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2244 wrote to memory of 2328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2244 wrote to memory of 2328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2244 wrote to memory of 2328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2244 wrote to memory of 2328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2244 wrote to memory of 2328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2244 wrote to memory of 2328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2244 wrote to memory of 2328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2244 wrote to memory of 2328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2244 wrote to memory of 2328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2244 wrote to memory of 2328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2244 wrote to memory of 2328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2244 wrote to memory of 2328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2244 wrote to memory of 2328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2244 wrote to memory of 2328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2244 wrote to memory of 2328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2244 wrote to memory of 2328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2244 wrote to memory of 2328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2244 wrote to memory of 2328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2244 wrote to memory of 2328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2244 wrote to memory of 2328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2244 wrote to memory of 2328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2244 wrote to memory of 2328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2244 wrote to memory of 2328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2244 wrote to memory of 2328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2244 wrote to memory of 2328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2244 wrote to memory of 2328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2244 wrote to memory of 2328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2244 wrote to memory of 1432 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2244 wrote to memory of 1432 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2244 wrote to memory of 1656 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2244 wrote to memory of 1656 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2244 wrote to memory of 1656 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2244 wrote to memory of 1656 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2244 wrote to memory of 1656 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2244 wrote to memory of 1656 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2244 wrote to memory of 1656 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2244 wrote to memory of 1656 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2244 wrote to memory of 1656 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2244 wrote to memory of 1656 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2244 wrote to memory of 1656 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2244 wrote to memory of 1656 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2244 wrote to memory of 1656 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2244 wrote to memory of 1656 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2244 wrote to memory of 1656 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2244 wrote to memory of 1656 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2244 wrote to memory of 1656 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\funni game\_Redist\dotNetFx40_Full_setup.exe

"C:\Users\Admin\AppData\Local\Temp\funni game\_Redist\dotNetFx40_Full_setup.exe"

C:\fa13f525a490c1d506ed20\Setup.exe

C:\fa13f525a490c1d506ed20\\Setup.exe /x86 /x64 /ia64 /web

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd1f183cb8,0x7ffd1f183cc8,0x7ffd1f183cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1912,12688336961737105357,733142487175345818,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1912,12688336961737105357,733142487175345818,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2508 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,12688336961737105357,733142487175345818,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1924 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,12688336961737105357,733142487175345818,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,12688336961737105357,733142487175345818,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,12688336961737105357,733142487175345818,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,12688336961737105357,733142487175345818,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1912,12688336961737105357,733142487175345818,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1912,12688336961737105357,733142487175345818,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4520 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,12688336961737105357,733142487175345818,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4436 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,12688336961737105357,733142487175345818,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd1f183cb8,0x7ffd1f183cc8,0x7ffd1f183cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1840,15449756523335602673,17359191346718397648,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1840,15449756523335602673,17359191346718397648,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2072 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1840,15449756523335602673,17359191346718397648,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1924 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,15449756523335602673,17359191346718397648,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,15449756523335602673,17359191346718397648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,15449756523335602673,17359191346718397648,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,15449756523335602673,17359191346718397648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4564 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1840,15449756523335602673,17359191346718397648,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5476 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,15449756523335602673,17359191346718397648,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3548 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,15449756523335602673,17359191346718397648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1840,15449756523335602673,17359191346718397648,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5040 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,15449756523335602673,17359191346718397648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,15449756523335602673,17359191346718397648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4608 /prefetch:1

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc

C:\Windows\System32\oobe\UserOOBEBroker.exe

C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
GB 92.123.128.189:443 www.bing.com tcp
CA 23.227.38.36:443 lttstore.com tcp
CA 23.227.38.36:443 lttstore.com tcp
GB 96.17.179.205:80 apps.identrust.com tcp
CA 23.227.38.74:443 www.lttstore.com tcp
CA 23.227.60.200:443 cdn.shopify.com tcp
CA 23.227.60.200:443 cdn.shopify.com tcp
CA 185.146.173.20:443 fonts.shopifycdn.com tcp
US 104.26.8.198:443 bundle.thimatic-apps.com tcp
US 8.8.8.8:53 connect.facebook.net udp
US 8.8.8.8:53 analytics.tiktok.com udp
US 8.8.8.8:53 205.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 74.38.227.23.in-addr.arpa udp
US 8.8.8.8:53 200.60.227.23.in-addr.arpa udp
US 8.8.8.8:53 20.173.146.185.in-addr.arpa udp
GB 163.70.147.23:443 connect.facebook.net tcp
US 151.101.2.133:443 fast.a.klaviyo.com tcp
FR 104.115.83.91:443 analytics.tiktok.com tcp
US 151.101.2.133:443 fast.a.klaviyo.com tcp
US 151.101.2.133:443 fast.a.klaviyo.com tcp
US 151.101.2.133:443 fast.a.klaviyo.com tcp
BE 74.125.206.154:443 stats.g.doubleclick.net tcp
US 151.101.2.133:443 fast.a.klaviyo.com tcp
US 151.101.2.133:443 fast.a.klaviyo.com tcp
CA 23.227.38.33:443 shop.app tcp
GB 104.77.160.212:443 analytics.pangle-ads.com tcp
US 104.26.8.198:443 bundle.thimatic-apps.com tcp
US 216.239.32.36:443 region1.google-analytics.com tcp
GB 142.250.187.194:443 googleads.g.doubleclick.net tcp
GB 216.58.204.68:443 www.google.com tcp
GB 163.70.147.35:443 www.facebook.com tcp
GB 163.70.147.35:443 www.facebook.com tcp
GB 163.70.147.35:443 www.facebook.com tcp
GB 142.250.187.195:443 www.google.co.uk tcp
CA 23.227.38.74:443 www.lttstore.com tcp
GB 68.70.192.128:443 cdn1.judge.me tcp
US 172.67.209.87:443 app.backinstock.org tcp
BE 74.125.206.154:443 stats.g.doubleclick.net udp
GB 142.250.187.195:443 www.google.co.uk udp
US 34.120.57.242:443 monorail-edge.shopifysvc.com tcp
US 216.239.34.36:443 region1.google-analytics.com tcp
GB 92.123.128.162:443 www.bing.com tcp
GB 23.214.133.66:443 cxcs.microsoft.net tcp
GB 2.18.66.74:443 tcp
GB 2.18.66.74:443 tcp
GB 92.123.128.185:443 r.bing.com tcp
GB 92.123.128.185:443 r.bing.com tcp
GB 92.123.128.185:443 r.bing.com tcp
GB 92.123.128.185:443 r.bing.com tcp
GB 92.123.128.185:443 r.bing.com tcp
GB 92.123.128.185:443 r.bing.com tcp
GB 51.105.71.136:443 browser.pipe.aria.microsoft.com tcp

Files

Analysis: behavioral3

Detonation Overview

Submitted

2024-01-23 11:58

Reported

2024-01-23 12:01

Platform

win11-20231215-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-01-23 11:58

Reported

2024-01-23 12:03

Platform

win11-20231222-en

Max time kernel

144s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\funni game\_Redist\vcredist_2015-2019_x86.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\funni game\_Redist\vcredist_2015-2019_x86.exe

"C:\Users\Admin\AppData\Local\Temp\funni game\_Redist\vcredist_2015-2019_x86.exe"

C:\Windows\Temp\{D00399F0-5D6E-42F7-A38D-89BCF3F196D3}\.cr\vcredist_2015-2019_x86.exe

"C:\Windows\Temp\{D00399F0-5D6E-42F7-A38D-89BCF3F196D3}\.cr\vcredist_2015-2019_x86.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\funni game\_Redist\vcredist_2015-2019_x86.exe" -burn.filehandle.attached=552 -burn.filehandle.self=576

Network

Files

Analysis: behavioral17

Detonation Overview

Submitted

2024-01-23 11:58

Reported

2024-01-23 12:03

Platform

win11-20231215-en

Max time kernel

147s

Max time network

150s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\funni game\money\WinPixEventRuntime.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\funni game\money\WinPixEventRuntime.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 167.166.122.92.in-addr.arpa udp

Files

N/A