Analysis Overview
SHA256
355bb7cd13e2b17a20c4956af0f402c107a186e95ad82864913b1849cc044939
Threat Level: Known bad
The file funni game.rar was found to be: Known bad.
Malicious Activity Summary
Crealstealer family
An infostealer written in Python and packaged with PyInstaller.
Reads user/profile data of web browsers
Loads dropped DLL
Executes dropped EXE
Drops startup file
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
Enumerates connected drives
Blocklisted process makes network request
Looks up external IP address via web service
Adds Run key to start application
Checks installed software on the system
Drops file in System32 directory
Drops file in Windows directory
Unsigned PE
Detects Pyinstaller
Enumerates processes with tasklist
Checks processor information in registry
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Enumerates system info in registry
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-23 11:59
Signatures
An infostealer written in Python and packaged with PyInstaller.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Crealstealer family
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral13
Detonation Overview
Submitted
2024-01-23 11:58
Reported
2024-01-23 12:03
Platform
win11-20231215-en
Max time kernel
143s
Max time network
152s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\funni game\money\MonoBleedingEdge\etc\mono\4.5\DefaultWsdlHelpGenerator.js"
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-01-23 11:58
Reported
2024-01-23 12:03
Platform
win11-20231215-en
Max time kernel
142s
Max time network
151s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\funni game\money\UnityCrashHandler64.exe
"C:\Users\Admin\AppData\Local\Temp\funni game\money\UnityCrashHandler64.exe"
Network
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-01-23 11:58
Reported
2024-01-23 12:03
Platform
win11-20231215-en
Max time kernel
85s
Max time network
90s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\funni game\money\UnityPlayer.dll",#1
Network
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-01-23 11:58
Reported
2024-01-23 12:03
Platform
win11-20231222-en
Max time kernel
84s
Max time network
91s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1916 wrote to memory of 4348 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1916 wrote to memory of 4348 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1916 wrote to memory of 4348 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\funni game\money\VclStylesinno.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\funni game\money\VclStylesinno.dll",#1
Network
Files
memory/4348-0-0x0000000002670000-0x000000000298A000-memory.dmp
memory/4348-2-0x0000000002AA0000-0x0000000002BE0000-memory.dmp
memory/4348-1-0x00000000029A0000-0x00000000029A1000-memory.dmp
memory/4348-3-0x0000000002AA0000-0x0000000002BE0000-memory.dmp
memory/4348-4-0x00000000029B0000-0x00000000029B1000-memory.dmp
memory/4348-5-0x0000000002AA0000-0x0000000002BE0000-memory.dmp
memory/4348-6-0x0000000002AA0000-0x0000000002BE0000-memory.dmp
memory/4348-7-0x00000000029C0000-0x00000000029C1000-memory.dmp
memory/4348-9-0x0000000002AA0000-0x0000000002BE0000-memory.dmp
memory/4348-8-0x0000000002AA0000-0x0000000002BE0000-memory.dmp
memory/4348-11-0x0000000002AA0000-0x0000000002BE0000-memory.dmp
memory/4348-10-0x00000000029D0000-0x00000000029D1000-memory.dmp
memory/4348-12-0x0000000002AA0000-0x0000000002BE0000-memory.dmp
memory/4348-13-0x00000000029E0000-0x00000000029E1000-memory.dmp
memory/4348-14-0x0000000002AA0000-0x0000000002BE0000-memory.dmp
memory/4348-15-0x0000000002AA0000-0x0000000002BE0000-memory.dmp
memory/4348-16-0x00000000029F0000-0x00000000029F1000-memory.dmp
memory/4348-20-0x0000000002AA0000-0x0000000002BE0000-memory.dmp
memory/4348-19-0x0000000002A00000-0x0000000002A01000-memory.dmp
memory/4348-21-0x0000000002AA0000-0x0000000002BE0000-memory.dmp
memory/4348-17-0x0000000002AA0000-0x0000000002BE0000-memory.dmp
memory/4348-18-0x0000000002AA0000-0x0000000002BE0000-memory.dmp
memory/4348-22-0x0000000002A10000-0x0000000002A11000-memory.dmp
memory/4348-23-0x0000000002AA0000-0x0000000002BE0000-memory.dmp
memory/4348-24-0x0000000002AA0000-0x0000000002BE0000-memory.dmp
memory/4348-26-0x0000000002AA0000-0x0000000002BE0000-memory.dmp
memory/4348-27-0x0000000002AA0000-0x0000000002BE0000-memory.dmp
memory/4348-29-0x0000000002AA0000-0x0000000002BE0000-memory.dmp
memory/4348-30-0x0000000002AA0000-0x0000000002BE0000-memory.dmp
memory/4348-32-0x0000000002AA0000-0x0000000002BE0000-memory.dmp
memory/4348-33-0x0000000002AA0000-0x0000000002BE0000-memory.dmp
memory/4348-34-0x0000000002A50000-0x0000000002A51000-memory.dmp
memory/4348-31-0x0000000002A40000-0x0000000002A41000-memory.dmp
memory/4348-38-0x0000000002AA0000-0x0000000002BE0000-memory.dmp
memory/4348-42-0x0000000002AA0000-0x0000000002BE0000-memory.dmp
memory/4348-46-0x0000000002CE0000-0x0000000002CE1000-memory.dmp
memory/4348-49-0x0000000002CF0000-0x0000000002CF1000-memory.dmp
memory/4348-48-0x0000000002AA0000-0x0000000002BE0000-memory.dmp
memory/4348-51-0x0000000002AA0000-0x0000000002BE0000-memory.dmp
memory/4348-50-0x0000000002AA0000-0x0000000002BE0000-memory.dmp
memory/4348-52-0x0000000002D00000-0x0000000002D01000-memory.dmp
memory/4348-47-0x0000000002AA0000-0x0000000002BE0000-memory.dmp
memory/4348-45-0x0000000002AA0000-0x0000000002BE0000-memory.dmp
memory/4348-43-0x0000000002A80000-0x0000000002A81000-memory.dmp
memory/4348-44-0x0000000002AA0000-0x0000000002BE0000-memory.dmp
memory/4348-41-0x0000000002AA0000-0x0000000002BE0000-memory.dmp
memory/4348-56-0x0000000002AA0000-0x0000000002BE0000-memory.dmp
memory/4348-57-0x0000000002AA0000-0x0000000002BE0000-memory.dmp
memory/4348-55-0x0000000002D40000-0x0000000002D41000-memory.dmp
memory/4348-54-0x0000000002AA0000-0x0000000002BE0000-memory.dmp
memory/4348-53-0x0000000002AA0000-0x0000000002BE0000-memory.dmp
memory/4348-60-0x0000000002AA0000-0x0000000002BE0000-memory.dmp
memory/4348-59-0x0000000002AA0000-0x0000000002BE0000-memory.dmp
memory/4348-58-0x0000000002E50000-0x0000000002E51000-memory.dmp
memory/4348-39-0x0000000002AA0000-0x0000000002BE0000-memory.dmp
memory/4348-40-0x0000000002A70000-0x0000000002A71000-memory.dmp
memory/4348-37-0x0000000002A60000-0x0000000002A61000-memory.dmp
memory/4348-36-0x0000000002AA0000-0x0000000002BE0000-memory.dmp
memory/4348-35-0x0000000002AA0000-0x0000000002BE0000-memory.dmp
memory/4348-28-0x0000000002A30000-0x0000000002A31000-memory.dmp
memory/4348-25-0x0000000002A20000-0x0000000002A21000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-23 11:58
Reported
2024-01-23 12:03
Platform
win11-20231215-en
Max time kernel
141s
Max time network
150s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\funni game\_Redist\dxwebsetup.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\DirectX\WebSetup | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\directx\websetup\SET9CAD.tmp | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
| File created | C:\Windows\SysWOW64\directx\websetup\SET9CAD.tmp | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\directx\websetup\dsetup.dll | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\directx\websetup\SET9CAE.tmp | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
| File created | C:\Windows\SysWOW64\directx\websetup\SET9CAE.tmp | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\directx\websetup\dsetup32.dll | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Logs\DirectX.log | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 408 wrote to memory of 2892 | N/A | C:\Users\Admin\AppData\Local\Temp\funni game\_Redist\dxwebsetup.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe |
| PID 408 wrote to memory of 2892 | N/A | C:\Users\Admin\AppData\Local\Temp\funni game\_Redist\dxwebsetup.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe |
| PID 408 wrote to memory of 2892 | N/A | C:\Users\Admin\AppData\Local\Temp\funni game\_Redist\dxwebsetup.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\funni game\_Redist\dxwebsetup.exe
"C:\Users\Admin\AppData\Local\Temp\funni game\_Redist\dxwebsetup.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
Network
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
| MD5 | eaa6b5ee297982a6a396354814006761 |
| SHA1 | 780bf9a61c080a335e8712c5544fcbf9c7bdcd72 |
| SHA256 | d298fd82a39b2385a742ba1992466e081bea0f49e19ece6b2c87c7c262e1fcee |
| SHA512 | ebdc887b6b334b7560f85ab2ebd29dc1f3a2dedac7f70042594f2a9bc128b6fca0a0e7704318ed69b7acf097e962533b3ce07713ef80e8acfe09374c13302999 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.inf
| MD5 | ad8982eaa02c7ad4d7cdcbc248caa941 |
| SHA1 | 4ccd8e038d73a5361d754c7598ed238fc040d16b |
| SHA256 | d63c35e9b43eb0f28ffc28f61c9c9a306da9c9de3386770a7eb19faa44dbfc00 |
| SHA512 | 5c805d78bafff06c36b5df6286709ddf2d36808280f92e62dc4c285edd9176195a764d5cf0bb000da53ca8bbf66ddd61d852e4259e3113f6529e2d7bdbdd6e28 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dsetup.dll
| MD5 | 0a23038ea472ffc938366ef4099d6635 |
| SHA1 | 6499d741776dc4a446c22ea11085842155b34176 |
| SHA256 | 8f2c455c9271290dcde2f68589cf825f9134beecb7e8b7e2ecbcabeab792280a |
| SHA512 | dcc1c2ea86fd3a7870cd0369fa42f63d493895c546dcdd492ee19079a0d0696d689bbfe7b686d4fa549841896a54e673fc4581b80783d7aa255dfad765b9dc88 |
C:\Windows\SysWOW64\directx\websetup\dsetup32.dll
| MD5 | 7672509436485121135c2a0e30b9e9ff |
| SHA1 | f557022a9f42fe1303078093e389f21fb693c959 |
| SHA256 | d7ea3cf1b9b639010005e503877026597a743d1068ae6a453ce77cc202796fea |
| SHA512 | e46ff68c4a532017f8ab15b1e46565508f6285b72c7a1cbe964ed5e75320c8e14587d01fee61b3966f43636bfe74cebd21f7665b4a726281e771cf9230e69863 |
Analysis: behavioral4
Detonation Overview
Submitted
2024-01-23 11:58
Reported
2024-01-23 12:03
Platform
win11-20231215-en
Max time kernel
87s
Max time network
91s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Temp\{1ACD4A0F-8CBD-4963-9E52-DE61D83CB5A0}\.cr\vcredist_2015-2019_x64.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Temp\{1ACD4A0F-8CBD-4963-9E52-DE61D83CB5A0}\.cr\vcredist_2015-2019_x64.exe | N/A |
Checks installed software on the system
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1968 wrote to memory of 5040 | N/A | C:\Users\Admin\AppData\Local\Temp\funni game\_Redist\vcredist_2015-2019_x64.exe | C:\Windows\Temp\{1ACD4A0F-8CBD-4963-9E52-DE61D83CB5A0}\.cr\vcredist_2015-2019_x64.exe |
| PID 1968 wrote to memory of 5040 | N/A | C:\Users\Admin\AppData\Local\Temp\funni game\_Redist\vcredist_2015-2019_x64.exe | C:\Windows\Temp\{1ACD4A0F-8CBD-4963-9E52-DE61D83CB5A0}\.cr\vcredist_2015-2019_x64.exe |
| PID 1968 wrote to memory of 5040 | N/A | C:\Users\Admin\AppData\Local\Temp\funni game\_Redist\vcredist_2015-2019_x64.exe | C:\Windows\Temp\{1ACD4A0F-8CBD-4963-9E52-DE61D83CB5A0}\.cr\vcredist_2015-2019_x64.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\funni game\_Redist\vcredist_2015-2019_x64.exe
"C:\Users\Admin\AppData\Local\Temp\funni game\_Redist\vcredist_2015-2019_x64.exe"
C:\Windows\Temp\{1ACD4A0F-8CBD-4963-9E52-DE61D83CB5A0}\.cr\vcredist_2015-2019_x64.exe
"C:\Windows\Temp\{1ACD4A0F-8CBD-4963-9E52-DE61D83CB5A0}\.cr\vcredist_2015-2019_x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\funni game\_Redist\vcredist_2015-2019_x64.exe" -burn.filehandle.attached=552 -burn.filehandle.self=560
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
C:\Windows\Temp\{1ACD4A0F-8CBD-4963-9E52-DE61D83CB5A0}\.cr\vcredist_2015-2019_x64.exe
| MD5 | 843288fd72a1152b50b4e4b7344bb592 |
| SHA1 | 648416c53721a85666abaf71c6682fcc1da70b48 |
| SHA256 | 82c3e3423e48bafcdd726624eb7fd3e00674e50e4b6acdcac408fe8fae43b022 |
| SHA512 | 04b61bb0a6e748ab78b1037db68bc9ec1745bb3efaca0b8fb6d99e01abbe08a67168cbf3f714b72daf00da26084ec6f6f707c3cd08fa8243023e6924719a4e41 |
C:\Windows\Temp\{1EE2A48F-F1C9-4584-9914-9051FB7593CC}\.ba\wixstdba.dll
| MD5 | eab9caf4277829abdf6223ec1efa0edd |
| SHA1 | 74862ecf349a9bedd32699f2a7a4e00b4727543d |
| SHA256 | a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041 |
| SHA512 | 45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2 |
C:\Windows\Temp\{1EE2A48F-F1C9-4584-9914-9051FB7593CC}\.ba\logo.png
| MD5 | d6bd210f227442b3362493d046cea233 |
| SHA1 | ff286ac8370fc655aea0ef35e9cf0bfcb6d698de |
| SHA256 | 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef |
| SHA512 | 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b |
Analysis: behavioral7
Detonation Overview
Submitted
2024-01-23 11:58
Reported
2024-01-23 12:03
Platform
win11-20231222-en
Max time kernel
85s
Max time network
88s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\8fb80513af922e55f42912d619e0505e\Setup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\8fb80513af922e55f42912d619e0505e\Setup.exe | N/A |
| N/A | N/A | \??\c:\8fb80513af922e55f42912d619e0505e\Setup.exe | N/A |
| N/A | N/A | \??\c:\8fb80513af922e55f42912d619e0505e\Setup.exe | N/A |
| N/A | N/A | \??\c:\8fb80513af922e55f42912d619e0505e\Setup.exe | N/A |
| N/A | N/A | \??\c:\8fb80513af922e55f42912d619e0505e\Setup.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\8fb80513af922e55f42912d619e0505e\Setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | \??\c:\8fb80513af922e55f42912d619e0505e\Setup.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\8fb80513af922e55f42912d619e0505e\Setup.exe | N/A |
| N/A | N/A | \??\c:\8fb80513af922e55f42912d619e0505e\Setup.exe | N/A |
| N/A | N/A | \??\c:\8fb80513af922e55f42912d619e0505e\Setup.exe | N/A |
| N/A | N/A | \??\c:\8fb80513af922e55f42912d619e0505e\Setup.exe | N/A |
| N/A | N/A | \??\c:\8fb80513af922e55f42912d619e0505e\Setup.exe | N/A |
| N/A | N/A | \??\c:\8fb80513af922e55f42912d619e0505e\Setup.exe | N/A |
| N/A | N/A | \??\c:\8fb80513af922e55f42912d619e0505e\Setup.exe | N/A |
| N/A | N/A | \??\c:\8fb80513af922e55f42912d619e0505e\Setup.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5092 wrote to memory of 3368 | N/A | C:\Users\Admin\AppData\Local\Temp\funni game\_Redist\vcredist_x86.exe | \??\c:\8fb80513af922e55f42912d619e0505e\Setup.exe |
| PID 5092 wrote to memory of 3368 | N/A | C:\Users\Admin\AppData\Local\Temp\funni game\_Redist\vcredist_x86.exe | \??\c:\8fb80513af922e55f42912d619e0505e\Setup.exe |
| PID 5092 wrote to memory of 3368 | N/A | C:\Users\Admin\AppData\Local\Temp\funni game\_Redist\vcredist_x86.exe | \??\c:\8fb80513af922e55f42912d619e0505e\Setup.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\funni game\_Redist\vcredist_x86.exe
"C:\Users\Admin\AppData\Local\Temp\funni game\_Redist\vcredist_x86.exe"
\??\c:\8fb80513af922e55f42912d619e0505e\Setup.exe
c:\8fb80513af922e55f42912d619e0505e\Setup.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
\??\c:\8fb80513af922e55f42912d619e0505e\Setup.exe
| MD5 | 006f8a615020a4a17f5e63801485df46 |
| SHA1 | 78c82a80ebf9c8bf0c996dd8bc26087679f77fea |
| SHA256 | d273460aa4d42f0b5764383e2ab852ab9af6fecb3ed866f1783869f2f155d8be |
| SHA512 | c603ed6f3611eb7049a43a190ed223445a9f7bd5651100a825917198b50c70011e950fa968d3019439afa0a416752517b1c181ee9445e02da3904f4e4b73ce76 |
\??\c:\8fb80513af922e55f42912d619e0505e\SetupEngine.dll
| MD5 | 2ce89b538356e670e62750b1f33bd0ac |
| SHA1 | 7d3617a83245b67330d989419fb34a77273cd4ea |
| SHA256 | 751321dc3254ead521ec8c09a6ca8ef2003b4b39e2d0c65227c6054cd19c5638 |
| SHA512 | 9604e55920c3977e0dcdeae81ba3107fe8cce9b07eae5dee799d993029ea00fad16f6c3c71ea20d886fd3e28c5bdc54a4125286a9b28d3a2566ddb7325519f38 |
C:\8fb80513af922e55f42912d619e0505e\sqmapi.dll
| MD5 | 522539538d30c7c65b7fb630e1e0d253 |
| SHA1 | 2a24277b3a5bb0a23b22f5d2bb2960c908caa981 |
| SHA256 | 1b6348f49c67b76f5ed1ba110e7dba1e4c8978ef44eb83752a09a0b7d7db8529 |
| SHA512 | 4d9d89cfcf669afb7773b43a80d4fad62ad5f578ddffd1f40774fc083174a0a1f689a8e764b73a072630e92436ed8721d895c1c2a087d7e463aff14946a4f5c3 |
\??\c:\8fb80513af922e55f42912d619e0505e\sqmapi.dll
| MD5 | c4ac0aa1013c5f3a2a98c0e43b78a31b |
| SHA1 | 77fb9510e43e2751b043a6ddd95c10e5fd4274d6 |
| SHA256 | 55a44e4943d0264aae6723be94ebefab3be2e2964582f16c4ffc54bdf49cc54f |
| SHA512 | 01b2a944d7e3b35036ec992a5d5a709c865d0ee7ad2a50cd53f3e15c257d405d6349078a097d50a240c76fa08d594a43e31dca48a5b134d733006c750f2dcb4d |
C:\8fb80513af922e55f42912d619e0505e\SetupEngine.dll
| MD5 | 60c6c41c760ffed24b2b38c79233e2df |
| SHA1 | 619b83ccf7a2d1c3fb8f7e4ac848e782cbaac5b1 |
| SHA256 | 499817ea9bd1485a724a8237af10273048d176080e4ecb2ae751a42747a8a734 |
| SHA512 | 95250841e0ac1d1618997edd681318893501f5f3a3b376f81e612395e972fbf42e53e1f0114cd0bd9060d84e1ff07c0a41c20c708cdc0bc6772d77259f9ff373 |
C:\Users\Admin\AppData\Local\Temp\Setup_20240123_120122165.html
| MD5 | 80ec1f4bdacdf4a790163d4984651946 |
| SHA1 | 5f39ab048a650dcf732f8976852c7eb53c83777a |
| SHA256 | 263a98685d9bbc8dd6e838880a7767aef6edb97701430294ffd498646c45bedf |
| SHA512 | dd65367ba14edc41fa775ac604d76b8e627617e59eb8253dbdcb239c55c2950ac67b46cf4dd9561462a7f12d2c956b62529da35774e0057cb4be7f8ea0b58c5d |
\??\c:\8fb80513af922e55f42912d619e0505e\DHTMLHeader.html
| MD5 | 2f7c8f1228b8d6ae5674a5fc71f0eceb |
| SHA1 | bf579f712fc4a92bfffb095dc47592d3d44b5cf5 |
| SHA256 | 54693db0f0b9f0e64b1a40eaf31f6f661026ee4140c89b5610fcb850d9c3ac4d |
| SHA512 | d5718f942e3165acd1cc7b27c9bcc46afb1115ab59d80aa3c0f16c17fd56acbd6296d8cd6e3f66e171497f5701e055148a4e7abcbe888ebccb5a7562ce60414a |
\??\c:\8fb80513af922e55f42912d619e0505e\1033\LocalizedData.xml
| MD5 | d642e322d1e8b739510ca540f8e779f9 |
| SHA1 | 36279c76d9f34c09ebddc84fd33fcc7d4b9a896c |
| SHA256 | 5d90345ff74e177f6da8fb6459c1cfcac080e698215ca75feb130d0d1f2a76b9 |
| SHA512 | e1e16ae14bc7cc1608e1a08d3c92b6d0518b5fabd27f2c0eb514c87afc3d6192bf7a793a583afc65f1899f03dc419263b29174456e1ec9ab0f0110e0258e0f0d |
\??\c:\8fb80513af922e55f42912d619e0505e\ParameterInfo.xml
| MD5 | 66590f13f4c9ba563a9180bdf25a5b80 |
| SHA1 | d6d9146faeec7824b8a09dd6978e5921cc151906 |
| SHA256 | bf787b8c697ce418f9d4c07260f56d1145ca70db1cc4b1321d37840837621e8f |
| SHA512 | aba67c66c2f3d9b3c9d71d64511895f15f696be8be0eedd2d6908e1203c4b0cf318b366f9f3cd9c3b3b8c0770462f83e6eea73e304c43f88d0cbedf69e7c92b3 |
\??\c:\8fb80513af922e55f42912d619e0505e\1028\LocalizedData.xml
| MD5 | 7fc06a77d9aafca9fb19fafa0f919100 |
| SHA1 | e565740e7d582cd73f8d3b12de2f4579ff18bb41 |
| SHA256 | a27f809211ea1a2d5224cd01101aa3a59bf7853168e45de28a16ef7ed6acd46a |
| SHA512 | 466dcc6a5fb015be1619f5725fa62ca46eb0fb428e11f93fd9d82e5df61c3950b3fb62d4db7746cc4a2be199e5e69eaa30b6f3354e0017cfa14d127fad52f8cf |
\??\c:\8fb80513af922e55f42912d619e0505e\UiInfo.xml
| MD5 | 812f8d2e53f076366fa3a214bb4cf558 |
| SHA1 | 35ae734cfb99bb139906b5f4e8efbf950762f6f0 |
| SHA256 | 0d36a884a8381778bea71f5f9f0fc60cacadebd3f814679cb13414b8e7dbc283 |
| SHA512 | 1dcc3ef8c390ca49fbcd50c02accd8cc5700db3594428e2129f79feb81e4cbbeef1b4a10628b2cd66edf31a69ed39ca2f4e252ad8aa13d2f793fca5b9a1eaf23 |
\??\c:\8fb80513af922e55f42912d619e0505e\1040\LocalizedData.xml
| MD5 | 0af948fe4142e34092f9dd47a4b8c275 |
| SHA1 | b3d6dd5c126280398d9055f90e2c2c26dbae4eaa |
| SHA256 | c4c7c0ddaa6d6a3a1dc260e9c5a24bdfaa98c427c69e8a65427dd7cac0a4b248 |
| SHA512 | d97b5fe2553ca78a3019d53e33d2db80c9fa1cf1d8d2501d9ddf0576c7e6ea38dab754fe4712123abf34b97e10b18fb4bbd1c76d3dacb87b4682e501f93423d9 |
\??\c:\8fb80513af922e55f42912d619e0505e\1036\LocalizedData.xml
| MD5 | e382abc19294f779d2833287242e7bc6 |
| SHA1 | 1ceae32d6b24a3832f9244f5791382865b668a72 |
| SHA256 | 43f913ff28d677316f560a0f45221f35f27cfaf5fc5bd645974a82dca589edbf |
| SHA512 | 06054c8048cade36a3af54f9a07fd8fa5eb4f3228790996d2abea7ee1ee7eb563d46bd54ff97441f9610e778194082c44e66c5f566c9c50a042aba9eb9cae25e |
\??\c:\8fb80513af922e55f42912d619e0505e\1031\LocalizedData.xml
| MD5 | b83c3803712e61811c438f6e98790369 |
| SHA1 | 61a0bc59388786ced045acd82621bee8578cae5a |
| SHA256 | 2aa6e8d402e44d9ee895b18195f46bf90259de1b6f44efd46a7075b110f2dcd6 |
| SHA512 | e020f93e3a082476087e690ad051f1feb210e0915924bb4548cc9f53a7ee2760211890eb6036ce9e5e4a311abc0300e89e25efbbb894c2a621ffbc9d64cc8a38 |
\??\c:\8fb80513af922e55f42912d619e0505e\3082\LocalizedData.xml
| MD5 | 5397a12d466d55d566b4209e0e4f92d3 |
| SHA1 | fcffd8961fb487995543fc173521fdf5df6e243b |
| SHA256 | f124d318138ff084b6484deb354cca0f72296e1341bf01169792b3e060c89e89 |
| SHA512 | 7708f5a2ad3e4c90c4c216600435af87a1557f60caf880a3dd9b5f482e17399af9f0b9de03ff1dbdd210583e0fec5b466e35794ac24d6d37f9bbc094e52fc77b |
\??\c:\8fb80513af922e55f42912d619e0505e\2052\LocalizedData.xml
| MD5 | 52b1dc12ce4153aa759fb3bbe04d01fc |
| SHA1 | bf21f8591c473d1fce68a9faf1e5942f486f6eba |
| SHA256 | d1735c8cfd8e10ba019d70818c19fa865e7c72f30ab6421a3748408f85fb96c3 |
| SHA512 | 418903ae9a7baebf73d055e4774ff1917fbaab9ee7ed8c120c34bb10e7303f6dd7b7dae701596d4626387a30ae1b4d329a9af49b8718b360e2ff619c56c19623 |
\??\c:\8fb80513af922e55f42912d619e0505e\1049\LocalizedData.xml
| MD5 | 0eeb554d0b9f9fcdb22401e2532e9cd0 |
| SHA1 | 08799520b72a1ef92ac5b94a33509d1eddf6caf8 |
| SHA256 | beef0631c17a4fb1ff0b625c50c6cb6c8ce90a1ae62c5e60e14bf3d915ad509c |
| SHA512 | 2180e46a5a2ea1f59c879b729806ca02a232c66660f29c338c1fa7fbee2afa4b13d8777d1f7b63cf831eb42f3e55282d70aa8e53f40616b8a6e4d695c36e313d |
\??\c:\8fb80513af922e55f42912d619e0505e\1042\LocalizedData.xml
| MD5 | 71dfd70ae141f1d5c1366cb661b354b2 |
| SHA1 | c4b22590e6f6dd5d39e5158b831ae217ce17a776 |
| SHA256 | cccda55294aeb4af166a8c0449bca2189ddf5aa9a43d5e939dd3803e61738331 |
| SHA512 | 5000d62f3de41c3fb0ed8a8e9c37dbf4eb427c4f1e3ad3823d4716c6fe62250bac11b7987a302b8a45d91aabcf332457f7aff7d99f15edeffe540639e9440e8a |
\??\c:\8fb80513af922e55f42912d619e0505e\1041\LocalizedData.xml
| MD5 | 7fcfbc308b0c42dcbd8365ba62bada05 |
| SHA1 | 18a0f0e89b36818c94de0ad795cc593d0e3e29a9 |
| SHA256 | 01e7d24dd8e00b5c333e96d1bb83813e02e96f89aad0c2f28f84551d28abbbe2 |
| SHA512 | cd6f912a037e86d9e1982c73f0f8b3c4d5a9a6b5b108a7b89a46e6691e430a7cb55718de9a0c05650bb194c8d4a2e309ad6221d638cfca8e16aa5920881ba649 |
\??\c:\8fb80513af922e55f42912d619e0505e\SetupUi.xsd
| MD5 | 2fadd9e618eff8175f2a6e8b95c0cacc |
| SHA1 | 9ab1710a217d15b192188b19467932d947b0a4f8 |
| SHA256 | 222211e8f512edf97d78bc93e1f271c922d5e91fa899e092b4a096776a704093 |
| SHA512 | a3a934a8572ff9208d38cf381649bd83de227c44b735489fd2a9dc5a636ead9bb62459c9460ee53f61f0587a494877cd3a3c2611997be563f3137f8236ffc4ca |
\??\c:\8fb80513af922e55f42912d619e0505e\Strings.xml
| MD5 | 332adf643747297b9bfa9527eaefe084 |
| SHA1 | 670f933d778eca39938a515a39106551185205e9 |
| SHA256 | e49545feeae22198728ad04236e31e02035af7cc4d68e10cbecffd08669cbeca |
| SHA512 | bea95ce35c4c37b4b2e36cc1e81fc297cc4a8e17b93f10423a02b015ddb593064541b5eb7003560fbeee512ed52869a113a6fb439c1133af01f884a0db0344b0 |
C:\8fb80513af922e55f42912d619e0505e\1033\SetupResources.dll
| MD5 | 9547d24ac04b4d0d1dbf84f74f54faf7 |
| SHA1 | 71af6001c931c3de7c98ddc337d89ab133fe48bb |
| SHA256 | 36d0159ed1a7d88000737e920375868765c0a1dd6f5a5acbb79cf7d97d9e7a34 |
| SHA512 | 8b6048f4185a711567679e2de4789407077ce5bfe72102d3cb1f23051b8d3e6bfd5886c801d85b4e62f467dd12da1c79026a4bc20b17f54c693b2f24e499d40f |
\??\c:\8fb80513af922e55f42912d619e0505e\SetupUi.dll
| MD5 | eb881e3dddc84b20bd92abcec444455f |
| SHA1 | e2c32b1c86d4f70e39de65e9ebc4f361b24ff4a1 |
| SHA256 | 11565d97287c01d22ad2e46c78d8a822fa3e6524561d4c02dfc87e8d346c44e7 |
| SHA512 | 5750cec73b36a3f19bfb055f880f3b6498a7ae589017333f6272d26f1c72c6f475a3308826268a098372bbb096b43fbd1e06e93eecc0a81046668228bc179a75 |
memory/3368-97-0x0000000001390000-0x0000000001391000-memory.dmp
\??\c:\8fb80513af922e55f42912d619e0505e\graphics\stop.ico
| MD5 | 5dfa8d3abcf4962d9ec41cfc7c0f75e3 |
| SHA1 | 4196b0878c6c66b6fa260ab765a0e79f7aec0d24 |
| SHA256 | b499e1b21091b539d4906e45b6fdf490d5445256b72871aece2f5b2562c11793 |
| SHA512 | 69a13d4348384f134ba93c9a846c6760b342e3a7a2e9df9c7062088105ac0b77b8a524f179efb1724c0ce168e01ba8bb46f2d6fae39cabe32cab9a34fc293e4a |
\??\c:\8fb80513af922e55f42912d619e0505e\graphics\save.ico
| MD5 | 7d62e82d960a938c98da02b1d5201bd5 |
| SHA1 | 194e96b0440bf8631887e5e9d3cc485f8e90fbf5 |
| SHA256 | ae041c8764f56fd89277b34982145d16fc59a4754d261c861b19371c3271c6e5 |
| SHA512 | ab06b2605f0c1f6b71ef69563c0c977d06c6ea84d58ef7f2baecba566d6037d1458c2b58e6bfd70ddef47dccbdea6d9c2f2e46dea67ea9e92457f754d7042f67 |
\??\c:\8fb80513af922e55f42912d619e0505e\graphics\print.ico
| MD5 | 7e55ddc6d611176e697d01c90a1212cf |
| SHA1 | e2620da05b8e4e2360da579a7be32c1b225deb1b |
| SHA256 | ff542e32330b123486797b410621e19eafb39df3997e14701afa4c22096520ed |
| SHA512 | 283d381aa396820b7e15768b20099d67688da1f6315ec9f7938c2fcc3167777502cded0d1beddf015a34cc4e5d045bcb665ffd28ba2fbb6faf50fdd38b31d16e |
\??\c:\8fb80513af922e55f42912d619e0505e\graphics\setup.ico
| MD5 | 3d25d679e0ff0b8c94273dcd8b07049d |
| SHA1 | a517fc5e96bc68a02a44093673ee7e076ad57308 |
| SHA256 | 288e9ad8f0201e45bc187839f15aca79d6b9f76a7d3c9274c80f5d4a4c219c0f |
| SHA512 | 3bde668004ca7e28390862d0ae9903c756c16255bdbb3f7e73a5b093ce6a57a3165d6797b0a643b254493149231aca7f7f03e0af15a0cbe28aff02f0071ec255 |
memory/3368-102-0x0000000001390000-0x0000000001391000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-01-23 11:58
Reported
2024-01-23 12:03
Platform
win11-20231215-en
Max time kernel
81s
Max time network
89s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\funni game\money\MonoBleedingEdge\etc\mono\2.0\DefaultWsdlHelpGenerator.js"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-01-23 11:58
Reported
2024-01-23 12:03
Platform
win11-20231215-en
Max time kernel
84s
Max time network
89s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\2a4cb7d2edb3d89c624551\Setup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\2a4cb7d2edb3d89c624551\Setup.exe | N/A |
| N/A | N/A | \??\c:\2a4cb7d2edb3d89c624551\Setup.exe | N/A |
| N/A | N/A | \??\c:\2a4cb7d2edb3d89c624551\Setup.exe | N/A |
| N/A | N/A | \??\c:\2a4cb7d2edb3d89c624551\Setup.exe | N/A |
| N/A | N/A | \??\c:\2a4cb7d2edb3d89c624551\Setup.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\2a4cb7d2edb3d89c624551\Setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | \??\c:\2a4cb7d2edb3d89c624551\Setup.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\2a4cb7d2edb3d89c624551\Setup.exe | N/A |
| N/A | N/A | \??\c:\2a4cb7d2edb3d89c624551\Setup.exe | N/A |
| N/A | N/A | \??\c:\2a4cb7d2edb3d89c624551\Setup.exe | N/A |
| N/A | N/A | \??\c:\2a4cb7d2edb3d89c624551\Setup.exe | N/A |
| N/A | N/A | \??\c:\2a4cb7d2edb3d89c624551\Setup.exe | N/A |
| N/A | N/A | \??\c:\2a4cb7d2edb3d89c624551\Setup.exe | N/A |
| N/A | N/A | \??\c:\2a4cb7d2edb3d89c624551\Setup.exe | N/A |
| N/A | N/A | \??\c:\2a4cb7d2edb3d89c624551\Setup.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3140 wrote to memory of 3728 | N/A | C:\Users\Admin\AppData\Local\Temp\funni game\_Redist\vcredist_x64.exe | \??\c:\2a4cb7d2edb3d89c624551\Setup.exe |
| PID 3140 wrote to memory of 3728 | N/A | C:\Users\Admin\AppData\Local\Temp\funni game\_Redist\vcredist_x64.exe | \??\c:\2a4cb7d2edb3d89c624551\Setup.exe |
| PID 3140 wrote to memory of 3728 | N/A | C:\Users\Admin\AppData\Local\Temp\funni game\_Redist\vcredist_x64.exe | \??\c:\2a4cb7d2edb3d89c624551\Setup.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\funni game\_Redist\vcredist_x64.exe
"C:\Users\Admin\AppData\Local\Temp\funni game\_Redist\vcredist_x64.exe"
\??\c:\2a4cb7d2edb3d89c624551\Setup.exe
c:\2a4cb7d2edb3d89c624551\Setup.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
C:\2a4cb7d2edb3d89c624551\Setup.exe
| MD5 | 006f8a615020a4a17f5e63801485df46 |
| SHA1 | 78c82a80ebf9c8bf0c996dd8bc26087679f77fea |
| SHA256 | d273460aa4d42f0b5764383e2ab852ab9af6fecb3ed866f1783869f2f155d8be |
| SHA512 | c603ed6f3611eb7049a43a190ed223445a9f7bd5651100a825917198b50c70011e950fa968d3019439afa0a416752517b1c181ee9445e02da3904f4e4b73ce76 |
\??\c:\2a4cb7d2edb3d89c624551\SetupEngine.dll
| MD5 | 84c1daf5f30ff99895ecab3a55354bcf |
| SHA1 | 7e25ba36bcc7deed89f3c9568016ddb3156c9c5a |
| SHA256 | 7a0d281fa802d615ea1207bd2e9ebb98f3b74f9833bba3cb964ba7c7e0fb67fd |
| SHA512 | e4fb7e4d39f094463fdcdc4895ab2ea500eb51a32b6909cec80a526bbf34d5c0eb98f47ee256c0f0865bf3169374937f047bf5c4d6762779c8ca3332b4103be3 |
\??\c:\2a4cb7d2edb3d89c624551\sqmapi.dll
| MD5 | 3f0363b40376047eff6a9b97d633b750 |
| SHA1 | 4eaf6650eca5ce931ee771181b04263c536a948b |
| SHA256 | bd6395a58f55a8b1f4063e813ce7438f695b9b086bb965d8ac44e7a97d35a93c |
| SHA512 | 537be86e2f171e0b2b9f462ac7f62c4342beb5d00b68451228f28677d26a525014758672466ad15ed1fd073be38142dae478df67718908eae9e6266359e1f9e8 |
C:\Users\Admin\AppData\Local\Temp\Setup_20240123_120123395.html
| MD5 | 3d12d0b3ea908a6c067291db4acc9a60 |
| SHA1 | b9ecff5601fcbfe2baf63f0bd1c5945786f6dd16 |
| SHA256 | 71e5ba74a5d40fd0e36ba0feb74d98d6d5952793ba70c21a1340f210975ff684 |
| SHA512 | 514adb5ecf5d2a91d2710760a114f3b3345b62613ff51143f060e2c700e6fa93486d255a8f58868ee3dbc9f1570b02bb94886f4923b41a98926d445f2b046535 |
\??\c:\2a4cb7d2edb3d89c624551\DHTMLHeader.html
| MD5 | cd131d41791a543cc6f6ed1ea5bd257c |
| SHA1 | f42a2708a0b42a13530d26515274d1fcdbfe8490 |
| SHA256 | e139af8858fe90127095ac1c4685bcd849437ef0df7c416033554703f5d864bb |
| SHA512 | a6ee9af8f8c2c7acd58dd3c42b8d70c55202b382ffc5a93772af7bf7d7740c1162bb6d38a4307b1802294a18eb52032d410e128072af7d4f9d54f415be020c9a |
\??\c:\2a4cb7d2edb3d89c624551\UiInfo.xml
| MD5 | 812f8d2e53f076366fa3a214bb4cf558 |
| SHA1 | 35ae734cfb99bb139906b5f4e8efbf950762f6f0 |
| SHA256 | 0d36a884a8381778bea71f5f9f0fc60cacadebd3f814679cb13414b8e7dbc283 |
| SHA512 | 1dcc3ef8c390ca49fbcd50c02accd8cc5700db3594428e2129f79feb81e4cbbeef1b4a10628b2cd66edf31a69ed39ca2f4e252ad8aa13d2f793fca5b9a1eaf23 |
\??\c:\2a4cb7d2edb3d89c624551\ParameterInfo.xml
| MD5 | 03e01a43300d94a371458e14d5e41781 |
| SHA1 | c5ac3cd50fae588ff1c258edae864040a200653c |
| SHA256 | 19de712560e5a25c5d67348996e7d4f95e8e3db6843086f52cb7209f2098200a |
| SHA512 | e271d52264ff979ae429a4053c945d7e7288f41e9fc6c64309f0ab805cec166c825c2273073c4ef9ca5ab33f00802457b17df103a06cbc35c54642d146571bbb |
\??\c:\2a4cb7d2edb3d89c624551\1041\LocalizedData.xml
| MD5 | 6f86b79dbf15e810331df2ca77f1043a |
| SHA1 | 875ed8498c21f396cc96b638911c23858ece5b88 |
| SHA256 | f0f9dd1a9f164f4d2e73b4d23cc5742da2c39549b9c4db692283839c5313e04f |
| SHA512 | ca233a6bf55e253ebf1e8180a326667438e1124f6559054b87021095ef16ffc6b0c87361e0922087be4ca9cabd10828be3b6cc12c4032cb7f2a317fdbd76f818 |
\??\c:\2a4cb7d2edb3d89c624551\1040\LocalizedData.xml
| MD5 | fe6b23186c2d77f7612bf7b1018a9b2a |
| SHA1 | 1528ec7633e998f040d2d4c37ac8a7dc87f99817 |
| SHA256 | 03bbe1a39c6716f07703d20ed7539d8bf13b87870c2c83ddda5445c82953a80a |
| SHA512 | 40c9c9f3607cab24655593fc4766829516de33f13060be09f5ee65578824ac600cc1c07fe71cdd48bff7f52b447ff37c0d161d755a69ac7db7df118da6db7649 |
\??\c:\2a4cb7d2edb3d89c624551\1036\LocalizedData.xml
| MD5 | 4ce519f7e9754ec03768edeedaeed926 |
| SHA1 | 213ae458992bf2c5a255991441653c5141f41b89 |
| SHA256 | bc4ca5ad609f0dd961263715e1f824524c43e73b744e55f90c703b759cae4d31 |
| SHA512 | 8f2ff08a234d8e2e6ba85de3cd1c19a0b372d9fca4ff0fc1bba7fe7c5a165e933e2af5f93fc587e9230a066b70fb55d9f58256db509cc95a3b31d349f860f510 |
\??\c:\2a4cb7d2edb3d89c624551\1031\LocalizedData.xml
| MD5 | b13ff959adc5c3e9c4ba4c4a76244464 |
| SHA1 | 4df793626f41b92a5bc7c54757658ce30fdaeeb1 |
| SHA256 | 44945bc0ba4be653d07f53e736557c51164224c8ec4e4672dfae1280260ba73b |
| SHA512 | de78542d3bbc4c46871a8afb50fb408a59a76f6ed67e8be3cba8ba41724ea08df36400e233551b329277a7a0fe6168c5556abe9d9a735f41b29a941250bfc4d6 |
\??\c:\2a4cb7d2edb3d89c624551\1028\LocalizedData.xml
| MD5 | 12df3535e4c4ef95a8cb03fd509b5874 |
| SHA1 | 90b1f87ba02c1c89c159ebf0e1e700892b85dc39 |
| SHA256 | 1c8132747dc33ccdb02345cbe706e65089a88fe32cf040684ca0d72bb9105119 |
| SHA512 | c6c8887e7023c4c1cbf849eebd17b6ad68fc14607d1c32c0d384f951e07bfaf6b61e0639f4e5978c9e3e1d52ef8a383b62622018a26fa4066eb620f584030808 |
\??\c:\2a4cb7d2edb3d89c624551\1033\LocalizedData.xml
| MD5 | 5486ff60b072102ee3231fd743b290a1 |
| SHA1 | d8d8a1d6bf6adf1095158b3c9b0a296a037632d0 |
| SHA256 | 5ca3ecaa12ca56f955d403ca93c4cb36a7d3dcdea779fc9bdaa0cdd429dab706 |
| SHA512 | ae240eaac32edb18fd76982fc01e03bd9c8e40a9ec1b9c42d7ebd225570b7517949e045942dbb9e40e620aa9dcc9fbe0182c6cf207ac0a44d7358ad33ba81472 |
\??\c:\2a4cb7d2edb3d89c624551\3082\LocalizedData.xml
| MD5 | 05a95593c61c744759e52caf5e13502e |
| SHA1 | 0054833d8a7a395a832e4c188c4d012301dd4090 |
| SHA256 | 1a3e5e49da88393a71ea00d73fee7570e40edb816b72622e39c7fcd09c95ead1 |
| SHA512 | 00aee4c02f9d6374560f7d2b826503aab332e1c4bc3203f88fe82e905471ec43f92f4af4fc52e46f377e4d297c2be99daf94980df2ce7664c169552800264fd3 |
\??\c:\2a4cb7d2edb3d89c624551\2052\LocalizedData.xml
| MD5 | 150b5c3d1b452dccbe8f1313fda1b18c |
| SHA1 | 7128b6b9e84d69c415808f1d325dd969b17914cc |
| SHA256 | 6d4eb9dca1cbcd3c2b39a993133731750b9fdf5988411f4a6da143b9204c01f2 |
| SHA512 | a45a1f4f19a27558e08939c7f63894ff5754e6840db86b8c8c68d400a36fb23179caff164d8b839898321030469b56446b5a8efc5765096dee5e8a746351e949 |
\??\c:\2a4cb7d2edb3d89c624551\1049\LocalizedData.xml
| MD5 | 1290be72ed991a3a800a6b2a124073b2 |
| SHA1 | dac09f9f2ccb3b273893b653f822e3dfc556d498 |
| SHA256 | 6ba9a2e4a6a58f5bb792947990e51babd9d5151a7057e1a051cb007fea2eb41c |
| SHA512 | c0b8b4421fcb2aabe2c8c8773fd03842e3523bf2b75d6262fd8bd952adc12c06541bdae0219e89f9f9f8d79567a4fe4dff99529366c4a7c5bf66c218431f3217 |
\??\c:\2a4cb7d2edb3d89c624551\1042\LocalizedData.xml
| MD5 | e87ad0b3bf73f3e76500f28e195f7dc0 |
| SHA1 | 716b842f6fbf6c68dc9c4e599c8182bfbb1354dc |
| SHA256 | 43b351419b73ac266c4b056a9c3a92f6dfa654328163814d17833a837577c070 |
| SHA512 | d3ea8655d42a2b0938c2189ceeab25c29939c302c2e2205e05d6059afc2a9b2039b21c083a7c17da1ce5eebdc934ff327a452034e2e715e497bcd6239395774c |
\??\c:\2a4cb7d2edb3d89c624551\SetupUi.dll
| MD5 | eb881e3dddc84b20bd92abcec444455f |
| SHA1 | e2c32b1c86d4f70e39de65e9ebc4f361b24ff4a1 |
| SHA256 | 11565d97287c01d22ad2e46c78d8a822fa3e6524561d4c02dfc87e8d346c44e7 |
| SHA512 | 5750cec73b36a3f19bfb055f880f3b6498a7ae589017333f6272d26f1c72c6f475a3308826268a098372bbb096b43fbd1e06e93eecc0a81046668228bc179a75 |
C:\2a4cb7d2edb3d89c624551\1033\SetupResources.dll
| MD5 | 9547d24ac04b4d0d1dbf84f74f54faf7 |
| SHA1 | 71af6001c931c3de7c98ddc337d89ab133fe48bb |
| SHA256 | 36d0159ed1a7d88000737e920375868765c0a1dd6f5a5acbb79cf7d97d9e7a34 |
| SHA512 | 8b6048f4185a711567679e2de4789407077ce5bfe72102d3cb1f23051b8d3e6bfd5886c801d85b4e62f467dd12da1c79026a4bc20b17f54c693b2f24e499d40f |
\??\c:\2a4cb7d2edb3d89c624551\Strings.xml
| MD5 | 332adf643747297b9bfa9527eaefe084 |
| SHA1 | 670f933d778eca39938a515a39106551185205e9 |
| SHA256 | e49545feeae22198728ad04236e31e02035af7cc4d68e10cbecffd08669cbeca |
| SHA512 | bea95ce35c4c37b4b2e36cc1e81fc297cc4a8e17b93f10423a02b015ddb593064541b5eb7003560fbeee512ed52869a113a6fb439c1133af01f884a0db0344b0 |
\??\c:\2a4cb7d2edb3d89c624551\SetupUi.xsd
| MD5 | 2fadd9e618eff8175f2a6e8b95c0cacc |
| SHA1 | 9ab1710a217d15b192188b19467932d947b0a4f8 |
| SHA256 | 222211e8f512edf97d78bc93e1f271c922d5e91fa899e092b4a096776a704093 |
| SHA512 | a3a934a8572ff9208d38cf381649bd83de227c44b735489fd2a9dc5a636ead9bb62459c9460ee53f61f0587a494877cd3a3c2611997be563f3137f8236ffc4ca |
memory/3728-97-0x0000000002400000-0x0000000002401000-memory.dmp
\??\c:\2a4cb7d2edb3d89c624551\graphics\setup.ico
| MD5 | 3d25d679e0ff0b8c94273dcd8b07049d |
| SHA1 | a517fc5e96bc68a02a44093673ee7e076ad57308 |
| SHA256 | 288e9ad8f0201e45bc187839f15aca79d6b9f76a7d3c9274c80f5d4a4c219c0f |
| SHA512 | 3bde668004ca7e28390862d0ae9903c756c16255bdbb3f7e73a5b093ce6a57a3165d6797b0a643b254493149231aca7f7f03e0af15a0cbe28aff02f0071ec255 |
\??\c:\2a4cb7d2edb3d89c624551\graphics\stop.ico
| MD5 | 5dfa8d3abcf4962d9ec41cfc7c0f75e3 |
| SHA1 | 4196b0878c6c66b6fa260ab765a0e79f7aec0d24 |
| SHA256 | b499e1b21091b539d4906e45b6fdf490d5445256b72871aece2f5b2562c11793 |
| SHA512 | 69a13d4348384f134ba93c9a846c6760b342e3a7a2e9df9c7062088105ac0b77b8a524f179efb1724c0ce168e01ba8bb46f2d6fae39cabe32cab9a34fc293e4a |
\??\c:\2a4cb7d2edb3d89c624551\graphics\save.ico
| MD5 | 7d62e82d960a938c98da02b1d5201bd5 |
| SHA1 | 194e96b0440bf8631887e5e9d3cc485f8e90fbf5 |
| SHA256 | ae041c8764f56fd89277b34982145d16fc59a4754d261c861b19371c3271c6e5 |
| SHA512 | ab06b2605f0c1f6b71ef69563c0c977d06c6ea84d58ef7f2baecba566d6037d1458c2b58e6bfd70ddef47dccbdea6d9c2f2e46dea67ea9e92457f754d7042f67 |
\??\c:\2a4cb7d2edb3d89c624551\graphics\print.ico
| MD5 | 7e55ddc6d611176e697d01c90a1212cf |
| SHA1 | e2620da05b8e4e2360da579a7be32c1b225deb1b |
| SHA256 | ff542e32330b123486797b410621e19eafb39df3997e14701afa4c22096520ed |
| SHA512 | 283d381aa396820b7e15768b20099d67688da1f6315ec9f7938c2fcc3167777502cded0d1beddf015a34cc4e5d045bcb665ffd28ba2fbb6faf50fdd38b31d16e |
memory/3728-102-0x0000000002400000-0x0000000002401000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-01-23 11:58
Reported
2024-01-23 12:03
Platform
win11-20231215-en
Max time kernel
83s
Max time network
88s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\funni game\money\MonoBleedingEdge\EmbedRuntime\MonoPosixHelper.dll",#1
Network
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-01-23 11:58
Reported
2024-01-23 12:03
Platform
win11-20231215-en
Max time kernel
80s
Max time network
89s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\funni game\money\MonoBleedingEdge\etc\mono\4.0\DefaultWsdlHelpGenerator.js"
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-01-23 11:58
Reported
2024-01-23 12:03
Platform
win11-20231215-en
Max time kernel
85s
Max time network
125s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Processes
C:\Windows\system32\msiexec.exe
msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\funni game\_Redist\xnafx40_redist.msi"
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-01-23 11:58
Reported
2024-01-23 12:03
Platform
win11-20231215-en
Max time kernel
83s
Max time network
91s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\funni game\money\MonoBleedingEdge\EmbedRuntime\mono-2.0-bdwgc.dll",#1
Network
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-01-23 11:58
Reported
2024-01-23 12:03
Platform
win11-20231215-en
Max time kernel
83s
Max time network
90s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\good game.exe | C:\Users\Admin\AppData\Local\Temp\funni game\money\good game.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\funni game\money\good game.exe
"C:\Users\Admin\AppData\Local\Temp\funni game\money\good game.exe"
C:\Users\Admin\AppData\Local\Temp\funni game\money\good game.exe
"C:\Users\Admin\AppData\Local\Temp\funni game\money\good game.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
C:\Windows\system32\tasklist.exe
tasklist
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | api.gofile.io | udp |
| FR | 51.38.43.18:443 | api.gofile.io | tcp |
| US | 104.237.62.211:443 | api.ipify.org | tcp |
| US | 206.168.190.239:443 | store9.gofile.io | tcp |
| US | 104.237.62.211:443 | api.ipify.org | tcp |
| DE | 159.89.102.253:443 | geolocation-db.com | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| DE | 159.89.102.253:443 | geolocation-db.com | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| FR | 51.38.43.18:443 | api.gofile.io | tcp |
| FR | 31.14.70.252:443 | store10.gofile.io | tcp |
| US | 104.237.62.211:443 | api.ipify.org | tcp |
| DE | 159.89.102.253:443 | geolocation-db.com | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 104.237.62.211:443 | api.ipify.org | tcp |
| DE | 159.89.102.253:443 | geolocation-db.com | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI26802\python310.dll
| MD5 | deaf0c0cc3369363b800d2e8e756a402 |
| SHA1 | 3085778735dd8badad4e39df688139f4eed5f954 |
| SHA256 | 156cf2b64dd0f4d9bdb346b654a11300d6e9e15a65ef69089923dafc1c71e33d |
| SHA512 | 5cac1d92af7ee18425b5ee8e7cd4e941a9ddffb4bc1c12bb8aeabeed09acec1ff0309abc41a2e0c8db101fee40724f8bfb27a78898128f8746c8fe01c1631989 |
C:\Users\Admin\AppData\Local\Temp\_MEI26802\VCRUNTIME140.dll
| MD5 | 870fea4e961e2fbd00110d3783e529be |
| SHA1 | a948e65c6f73d7da4ffde4e8533c098a00cc7311 |
| SHA256 | 76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644 |
| SHA512 | 0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88 |
C:\Users\Admin\AppData\Local\Temp\_MEI26802\base_library.zip
| MD5 | 611bc2d1220129c5b6ca0e950606f908 |
| SHA1 | ab21abfd2a51f96f24b250bf1775d323d27213a1 |
| SHA256 | 2c5c35f0804612cd74a5c8375ef5d808cc72dd10313d19aabe6f9750fd9be6d7 |
| SHA512 | 88a9530b2cc828401a0a1816e1364160c798fdcec9b0bee3bf49bd8e44e43961e3aed269afe52349f1bee00f620793db0dafbaff2adaf0b4143eca0309fb8f4e |
C:\Users\Admin\AppData\Local\Temp\_MEI26802\_ctypes.pyd
| MD5 | ca4cef051737b0e4e56b7d597238df94 |
| SHA1 | 583df3f7ecade0252fdff608eb969439956f5c4a |
| SHA256 | e60a2b100c4fa50b0b144cf825fe3cde21a8b7b60b92bfc326cb39573ce96b2b |
| SHA512 | 17103d6b5fa84156055e60f9e5756ffc31584cdb6274c686a136291c58ba0be00238d501f8acc1f1ca7e1a1fadcb0c7fefddcb98cedb9dd04325314f7e905df3 |
C:\Users\Admin\AppData\Local\Temp\_MEI26802\python3.DLL
| MD5 | c17b7a4b853827f538576f4c3521c653 |
| SHA1 | 6115047d02fbbad4ff32afb4ebd439f5d529485a |
| SHA256 | d21e60f3dfbf2bab0cc8a06656721fa3347f026df10297674fc635ebf9559a68 |
| SHA512 | 8e08e702d69df6840781d174c4565e14a28022b40f650fda88d60172be2d4ffd96a3e9426d20718c54072ca0da27e0455cc0394c098b75e062a27559234a3df7 |
C:\Users\Admin\AppData\Local\Temp\_MEI26802\libffi-7.dll
| MD5 | eef7981412be8ea459064d3090f4b3aa |
| SHA1 | c60da4830ce27afc234b3c3014c583f7f0a5a925 |
| SHA256 | f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081 |
| SHA512 | dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016 |
C:\Users\Admin\AppData\Local\Temp\_MEI26802\_lzma.pyd
| MD5 | 0a94c9f3d7728cf96326db3ab3646d40 |
| SHA1 | 8081df1dca4a8520604e134672c4be79eb202d14 |
| SHA256 | 0a70e8546fa6038029f2a3764e721ceebea415818e5f0df6b90d6a40788c3b31 |
| SHA512 | 6f047f3bdaead121018623f52a35f7e8b38c58d3a9cb672e8056a5274d02395188975de08cabae948e2cc2c1ca01c74ca7bc1b82e2c23d652e952f3745491087 |
C:\Users\Admin\AppData\Local\Temp\_MEI26802\_bz2.pyd
| MD5 | bbe89cf70b64f38c67b7bf23c0ea8a48 |
| SHA1 | 44577016e9c7b463a79b966b67c3ecc868957470 |
| SHA256 | 775fbc6e9a4c7e9710205157350f3d6141b5a9e8f44cb07b3eac38f2789c8723 |
| SHA512 | 3ee72ba60541116bbca1a62db64074276d40ad8ed7d0ca199a9c51d65c3f0762a8ef6d0e1e9ebf04bf4efe1347f120e4bc3d502dd288339b4df646a59aad0ec1 |
C:\Users\Admin\AppData\Local\Temp\_MEI26802\_socket.pyd
| MD5 | 0f5e64e33f4d328ef11357635707d154 |
| SHA1 | 8b6dcb4b9952b362f739a3f16ae96c44bea94a0e |
| SHA256 | 8af6d70d44bb9398733f88bcfb6d2085dd1a193cd00e52120b96a651f6e35ebe |
| SHA512 | 4be9febb583364da75b6fb3a43a8b50ee29ca8fc1dda35b96c0fcc493342372f69b4f27f2604888bca099c8d00f38a16f4c9463c16eff098227d812c29563643 |
C:\Users\Admin\AppData\Local\Temp\_MEI26802\select.pyd
| MD5 | c119811a40667dca93dfe6faa418f47a |
| SHA1 | 113e792b7dcec4366fc273e80b1fc404c309074c |
| SHA256 | 8f27cd8c5071cb740a2191b3c599e99595b121f461988166f07d9f841e7116b7 |
| SHA512 | 107257dbd8cf2607e4a1c7bef928a6f61ebdfc21be1c4bdc3a649567e067e9bb7ea40c0ac8844d2cedd08682447b963148b52f85adb1837f243df57af94c04b3 |
C:\Users\Admin\AppData\Local\Temp\_MEI26802\pyexpat.pyd
| MD5 | 43e5a1470c298ba773ac9fcf5d99e8f9 |
| SHA1 | 06db03daf3194c9e492b2f406b38ed33a8c87ab3 |
| SHA256 | 56984d43be27422d31d8ece87d0abda2c0662ea2ff22af755e49e3462a5f8b65 |
| SHA512 | a5a1ebb34091ea17c8f0e7748004558d13807fdc16529bc6f8f6c6a3a586ee997bf72333590dc451d78d9812ef8adfa7deabab6c614fce537f56fa38ce669cfc |
C:\Users\Admin\AppData\Local\Temp\_MEI26802\_queue.pyd
| MD5 | 52d0a6009d3de40f4fa6ec61db98c45c |
| SHA1 | 5083a2aff5bcce07c80409646347c63d2a87bd25 |
| SHA256 | 007bcf19d9b036a7e73f5ef31f39bfb1910f72c9c10e4a1b0658352cfe7a8b75 |
| SHA512 | cd552a38efaa8720a342b60318f62320ce20c03871d2e50d3fa3a9a730b84dacdbb8eb4d0ab7a1c8a97215b537826c8dc532c9a55213bcd0c1d13d7d8a9ad824 |
C:\Users\Admin\AppData\Local\Temp\_MEI26802\win32api.pyd
| MD5 | fc7b3937aa735000ef549519425ce2c9 |
| SHA1 | e51a78b7795446a10ed10bdcab0d924a6073278d |
| SHA256 | a6949ead059c6248969da1007ea7807dcf69a4148c51ea3bc99c15ee0bc4d308 |
| SHA512 | 8840ff267bf216a0be8e1cae0daac3ff01411f9afc18b1f73ba71be8ba70a873a7e198fd7d5df98f7ca8eee9a94eab196f138a7f9f37d35c51118f81860afb7d |
C:\Users\Admin\AppData\Local\Temp\_MEI26802\pywin32_system32\pywintypes310.dll
| MD5 | bd1ee0e25a364323faa252eee25081b5 |
| SHA1 | 7dea28e7588142d395f6b8d61c8b46104ff9f090 |
| SHA256 | 55969e688ad11361b22a5cfee339645f243c3505d2963f0917ac05c91c2d6814 |
| SHA512 | d9456b7b45151614c6587cee54d17261a849e7950049c78f2948d93a9c7446b682e553e2d8d094c91926dd9cbaa2499b1687a9128aec38b969e95e43657c7a54 |
C:\Users\Admin\AppData\Local\Temp\_MEI26802\pywin32_system32\pythoncom310.dll
| MD5 | 020b1a47ce0b55ac69a023ed4b62e3f9 |
| SHA1 | aa2a0e793f97ca60a38e92c01825a22936628038 |
| SHA256 | 863a72a5c93eebaa223834bc6482e5465379a095a3a3b34b0ad44dc7b3666112 |
| SHA512 | b131e07de24d90a3c35c6fa2957b4fe72d62b1434c3941ad5140fb1323aacba0ec41732dac4f524dc2f492b98868b54adc97b4200aa03ff2ba17dd60baea5a70 |
C:\Users\Admin\AppData\Local\Temp\_MEI26802\_ssl.pyd
| MD5 | 9ddb64354ef0b91c6999a4b244a0a011 |
| SHA1 | 86a9dc5ea931638699eb6d8d03355ad7992d2fee |
| SHA256 | e33b7a4aa5cdd5462ee66830636fdd38048575a43d06eb7e2f688358525ddeab |
| SHA512 | 4c86478861fa4220680a94699e7d55fbdc90d2785caee10619cecb058f833292ee7c3d6ac2ed1ef34b38fbff628b79d672194a337701727a54bb6bbc5bf9aeca |
C:\Users\Admin\AppData\Local\Temp\_MEI26802\libcrypto-1_1.dll
| MD5 | 6f4b8eb45a965372156086201207c81f |
| SHA1 | 8278f9539463f0a45009287f0516098cb7a15406 |
| SHA256 | 976ce72efd0a8aeeb6e21ad441aa9138434314ea07f777432205947cdb149541 |
| SHA512 | 2c5c54842aba9c82fb9e7594ae9e264ac3cbdc2cc1cd22263e9d77479b93636799d0f28235ac79937070e40b04a097c3ea3b7e0cd4376a95ed8ca90245b7891f |
C:\Users\Admin\AppData\Local\Temp\_MEI26802\libssl-1_1.dll
| MD5 | 8769adafca3a6fc6ef26f01fd31afa84 |
| SHA1 | 38baef74bdd2e941ccd321f91bfd49dacc6a3cb6 |
| SHA256 | 2aebb73530d21a2273692a5a3d57235b770daf1c35f60c74e01754a5dac05071 |
| SHA512 | fac22f1a2ffbfb4789bdeed476c8daf42547d40efe3e11b41fadbc4445bb7ca77675a31b5337df55fdeb4d2739e0fb2cbcac2feabfd4cd48201f8ae50a9bd90b |
C:\Users\Admin\AppData\Local\Temp\_MEI26802\sqlite3.dll
| MD5 | aaf9fd98bc2161ad7dff996450173a3b |
| SHA1 | ab634c09b60aa18ea165084a042d917b65d1fe85 |
| SHA256 | f1e8b6c4d61ac6a320fa2566da9391fbfd65a5ac34ac2e2013bc37c8b7b41592 |
| SHA512 | 597ffe3c2f0966ab94fbb7ecac27160c691f4a07332311f6a9baf8dec8b16fb16ec64df734c3bdbabf2c0328699e234d14f1b8bd5ac951782d35ea0c78899e5f |
C:\Users\Admin\AppData\Local\Temp\_MEI26802\_uuid.pyd
| MD5 | 041556420bdb334a71765d33229e9945 |
| SHA1 | 0122316e74ee4ada1ce1e0310b8dca1131972ce1 |
| SHA256 | 8b3d4767057c18c1c496e138d4843f25e5c98ddfc6a8d1b0ed46fd938ede5bb6 |
| SHA512 | 18da574b362726ede927d4231cc7f2aebafbaaab47df1e31b233f7eda798253aef4c142bed1a80164464bd629015d387ae97ba36fcd3cedcfe54a5a1e5c5caa3 |
C:\Users\Admin\AppData\Local\Temp\_MEI26802\unicodedata.pyd
| MD5 | 4c8af8a30813e9380f5f54309325d6b8 |
| SHA1 | 169a80d8923fb28f89bc26ebf89ffe37f8545c88 |
| SHA256 | 4b6e3ba734c15ec789b5d7469a5097bd082bdfd8e55e636ded0d097cf6511e05 |
| SHA512 | ea127779901b10953a2bf9233e20a4fab2fba6f97d7baf40c1b314b7cd03549e0f4d2fb9bad0fbc23736e21eb391a418d79a51d64402245c1cd8899e4d765c5a |
C:\Users\Admin\AppData\Local\Temp\_MEI26802\_cffi_backend.cp310-win_amd64.pyd
| MD5 | 6f1b90884343f717c5dc14f94ef5acea |
| SHA1 | cca1a4dcf7a32bf698e75d58c5f130fb3572e423 |
| SHA256 | 2093e7e4f5359b38f0819bdef8314fda332a1427f22e09afc416e1edd5910fe1 |
| SHA512 | e2c673b75162d3432bab497bad3f5f15a9571910d25f1dffb655755c74457ac78e5311bd5b38d29a91aec4d3ef883ae5c062b9a3255b5800145eb997863a7d73 |
C:\Users\Admin\AppData\Local\Temp\_MEI26802\_hashlib.pyd
| MD5 | d856a545a960bf2dca1e2d9be32e5369 |
| SHA1 | 67a15ecf763cdc2c2aa458a521db8a48d816d91e |
| SHA256 | cd33f823e608d3bda759ad441f583a20fc0198119b5a62a8964f172559acb7d3 |
| SHA512 | 34a074025c8b28f54c01a7fd44700fdedb391f55be39d578a003edb90732dec793c2b0d16da3da5cdbd8adbaa7b3b83fc8887872e284800e7a8389345a30a6a4 |
C:\Users\Admin\AppData\Local\Temp\_MEI26802\_sqlite3.pyd
| MD5 | 9f38f603bd8f7559609c4ffa47f23c86 |
| SHA1 | 8b0136fc2506c1ccef2009db663e4e7006e23c92 |
| SHA256 | 28090432a18b59eb8cbe8fdcf11a277420b404007f31ca571321488a43b96319 |
| SHA512 | 273a19f2f609bede9634dae7c47d7b28d369c88420b2b62d42858b1268d6c19b450d83877d2dba241e52755a3f67a87f63fea8e5754831c86d16e2a8f214ad72 |
C:\Users\Admin\AppData\Local\Temp\_MEI26802\_overlapped.pyd
| MD5 | 02c0f2eff280b9a92003786fded7c440 |
| SHA1 | 5a7fe7ed605ff1c49036d001ae60305e309c5509 |
| SHA256 | f16e595b0a87c32d9abd2035f8ea97b39339548e7c518df16a6cc27ba7733973 |
| SHA512 | 2b05ddf7bc57e8472e5795e68660d52e843271fd08f2e8002376b056a8c20200d31ffd5e194ce486f8a0928a8486951fdb5670246f1c909f82cf4b0929efedac |
C:\Users\Admin\AppData\Local\Temp\_MEI26802\_asyncio.pyd
| MD5 | 4543813a21958d0764975032b09ded7b |
| SHA1 | c571dea89ab89b6aab6da9b88afe78ace90dd882 |
| SHA256 | 45c229c3988f30580c79b38fc0c19c81e6f7d5778e64cef6ce04dd188a9ccab5 |
| SHA512 | 3b007ab252cccda210b473ca6e2d4b7fe92c211fb81ade41a5a69c67adde703a9b0bc97990f31dcbe049794c62ba2b70dadf699e83764893a979e95fd6e89d8f |
C:\Users\Admin\AppData\Local\Temp\_MEI26802\Crypto\Cipher\_raw_ecb.pyd
| MD5 | ade53f8427f55435a110f3b5379bdde1 |
| SHA1 | 90bdafccfab8b47450f8226b675e6a85c5b4fcce |
| SHA256 | 55cf117455aa2059367d89e508f5e2ad459545f38d01e8e7b7b0484897408980 |
| SHA512 | 2856d4c1bbdd8d37c419c5df917a9cc158c79d7f2ee68782c23fb615d719d8fe61aaa1b5f5207f80c31dc381cd6d8c9dabd450dbc0c774ff8e0a95337fda18bd |
C:\Users\Admin\AppData\Local\Temp\_MEI26802\Crypto\Cipher\_raw_cbc.pyd
| MD5 | 0d0450292a5cf48171411cc8bfbbf0f7 |
| SHA1 | 5de70c8bab7003bbd4fdcadb5c0736b9e6d0014c |
| SHA256 | cb3ce4f65c9e18be6cbb504d79b594b51f38916e390dad73de4177fe88ce9c37 |
| SHA512 | ba6bbcc394e07fe09bb3a25e4aae9c4286516317d0b71d090b91aaec87fc10f61a4701aa45bc74cb216fff1e4ad881f62eb94d4ee2a3a9c8f04a954221b81d3a |
C:\Users\Admin\AppData\Local\Temp\_MEI26802\Crypto\Cipher\_raw_ofb.pyd
| MD5 | b894480d74efb92a7820f0ec1fc70557 |
| SHA1 | 07eaf9f40f4fce9babe04f537ff9a4287ec69176 |
| SHA256 | cdff737d7239fe4f39d76683d931c970a8550c27c3f7162574f2573aee755952 |
| SHA512 | 498d31f040599fe3e4cfd9f586fc2fee7a056635e9c8fd995b418d6263d21f1708f891c60be09c08ccf01f7915e276aafb7abb84554280d11b25da4bdf3f3a75 |
C:\Users\Admin\AppData\Local\Temp\_MEI26802\Crypto\Cipher\_raw_ctr.pyd
| MD5 | 8f385dbacd6c787926ab370c59d8bba2 |
| SHA1 | 953bad3e9121577fab4187311cb473d237f6cba3 |
| SHA256 | ddf0b165c1c4eff98c4ac11e08c7beadcdd8cc76f495980a21df85ba4368762a |
| SHA512 | 973b80559f238f6b0a83cd00a2870e909a0d34b3df1e6bb4d47d09395c4503ea8112fb25115232c7658e5de360b258b6612373a96e6a23cde098b60fe5579c1c |
C:\Users\Admin\AppData\Local\Temp\_MEI26802\Crypto\Cipher\_raw_cfb.pyd
| MD5 | 0f4d8993f0d2bd829fea19a1074e9ce7 |
| SHA1 | 4dfe8107d09e4d725bb887dc146b612b19818abf |
| SHA256 | 6ca8711c8095bbc475d84f81fc8dfff7cd722ffe98e0c5430631ae067913a11f |
| SHA512 | 1e6f4bc9c682654bd18e1fc4bd26b1e3757c9f89dc5d0764b2e6c45db079af184875d7d3039161ea93d375e67f33e4fb48dcb63eae0c4ee3f98f1d2f7002b103 |
C:\Users\Admin\AppData\Local\Temp\_MEI26802\Crypto\Util\_strxor.pyd
| MD5 | 8070eb2be9841525034a508cf16a6fd6 |
| SHA1 | 84df6bceba52751f22841b1169d7cd090a4bb0c6 |
| SHA256 | ee59933eba41bca29b66af9421ba53ffc90223ac88ccd35056503af52a2813fe |
| SHA512 | 33c5f4623a2e5afe404056b92556fdbaf2419d7b7728416d3368d760ddfde44a2739f551de26fa443d59294b8726a05a77733fee66abc3547073d85f2d4ebeee |
C:\Users\Admin\AppData\Local\Temp\crcook.txt
| MD5 | 155ea3c94a04ceab8bd7480f9205257d |
| SHA1 | b46bbbb64b3df5322dd81613e7fa14426816b1c1 |
| SHA256 | 445e2bcecaa0d8d427b87e17e7e53581d172af1b9674cf1a33dbe1014732108b |
| SHA512 | 3d47449da7c91fe279217a946d2f86e5d95d396f53b55607ec8aca7e9aa545cfaf9cb97914b643a5d8a91944570f9237e18eecec0f1526735be6ceee45ecba05 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-23 11:58
Reported
2024-01-23 12:03
Platform
win11-20231215-en
Max time kernel
141s
Max time network
155s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\fa13f525a490c1d506ed20\Setup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\fa13f525a490c1d506ed20\Setup.exe | N/A |
| N/A | N/A | C:\fa13f525a490c1d506ed20\Setup.exe | N/A |
| N/A | N/A | C:\fa13f525a490c1d506ed20\Setup.exe | N/A |
| N/A | N/A | C:\fa13f525a490c1d506ed20\Setup.exe | N/A |
| N/A | N/A | C:\fa13f525a490c1d506ed20\Setup.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Panther\UnattendGC\setuperr.log | C:\Windows\System32\oobe\UserOOBEBroker.exe | N/A |
| File opened for modification | C:\Windows\Panther\UnattendGC\diagerr.xml | C:\Windows\System32\oobe\UserOOBEBroker.exe | N/A |
| File opened for modification | C:\Windows\Panther\UnattendGC\diagwrn.xml | C:\Windows\System32\oobe\UserOOBEBroker.exe | N/A |
| File opened for modification | C:\Windows\Panther\UnattendGC\setupact.log | C:\Windows\System32\oobe\UserOOBEBroker.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\fa13f525a490c1d506ed20\Setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\fa13f525a490c1d506ed20\Setup.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\funni game\_Redist\dotNetFx40_Full_setup.exe
"C:\Users\Admin\AppData\Local\Temp\funni game\_Redist\dotNetFx40_Full_setup.exe"
C:\fa13f525a490c1d506ed20\Setup.exe
C:\fa13f525a490c1d506ed20\\Setup.exe /x86 /x64 /ia64 /web
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd1f183cb8,0x7ffd1f183cc8,0x7ffd1f183cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1912,12688336961737105357,733142487175345818,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1912,12688336961737105357,733142487175345818,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2508 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,12688336961737105357,733142487175345818,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1924 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,12688336961737105357,733142487175345818,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,12688336961737105357,733142487175345818,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,12688336961737105357,733142487175345818,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,12688336961737105357,733142487175345818,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1912,12688336961737105357,733142487175345818,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1912,12688336961737105357,733142487175345818,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4520 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,12688336961737105357,733142487175345818,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4436 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,12688336961737105357,733142487175345818,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd1f183cb8,0x7ffd1f183cc8,0x7ffd1f183cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1840,15449756523335602673,17359191346718397648,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1840,15449756523335602673,17359191346718397648,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2072 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1840,15449756523335602673,17359191346718397648,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1924 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,15449756523335602673,17359191346718397648,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,15449756523335602673,17359191346718397648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,15449756523335602673,17359191346718397648,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,15449756523335602673,17359191346718397648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4564 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1840,15449756523335602673,17359191346718397648,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5476 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,15449756523335602673,17359191346718397648,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3548 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,15449756523335602673,17359191346718397648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1840,15449756523335602673,17359191346718397648,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5040 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,15449756523335602673,17359191346718397648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,15449756523335602673,17359191346718397648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4608 /prefetch:1
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| GB | 92.123.128.189:443 | www.bing.com | tcp |
| CA | 23.227.38.36:443 | lttstore.com | tcp |
| CA | 23.227.38.36:443 | lttstore.com | tcp |
| GB | 96.17.179.205:80 | apps.identrust.com | tcp |
| CA | 23.227.38.74:443 | www.lttstore.com | tcp |
| CA | 23.227.60.200:443 | cdn.shopify.com | tcp |
| CA | 23.227.60.200:443 | cdn.shopify.com | tcp |
| CA | 185.146.173.20:443 | fonts.shopifycdn.com | tcp |
| US | 104.26.8.198:443 | bundle.thimatic-apps.com | tcp |
| US | 8.8.8.8:53 | connect.facebook.net | udp |
| US | 8.8.8.8:53 | analytics.tiktok.com | udp |
| US | 8.8.8.8:53 | 205.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.38.227.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.60.227.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.173.146.185.in-addr.arpa | udp |
| GB | 163.70.147.23:443 | connect.facebook.net | tcp |
| US | 151.101.2.133:443 | fast.a.klaviyo.com | tcp |
| FR | 104.115.83.91:443 | analytics.tiktok.com | tcp |
| US | 151.101.2.133:443 | fast.a.klaviyo.com | tcp |
| US | 151.101.2.133:443 | fast.a.klaviyo.com | tcp |
| US | 151.101.2.133:443 | fast.a.klaviyo.com | tcp |
| BE | 74.125.206.154:443 | stats.g.doubleclick.net | tcp |
| US | 151.101.2.133:443 | fast.a.klaviyo.com | tcp |
| US | 151.101.2.133:443 | fast.a.klaviyo.com | tcp |
| CA | 23.227.38.33:443 | shop.app | tcp |
| GB | 104.77.160.212:443 | analytics.pangle-ads.com | tcp |
| US | 104.26.8.198:443 | bundle.thimatic-apps.com | tcp |
| US | 216.239.32.36:443 | region1.google-analytics.com | tcp |
| GB | 142.250.187.194:443 | googleads.g.doubleclick.net | tcp |
| GB | 216.58.204.68:443 | www.google.com | tcp |
| GB | 163.70.147.35:443 | www.facebook.com | tcp |
| GB | 163.70.147.35:443 | www.facebook.com | tcp |
| GB | 163.70.147.35:443 | www.facebook.com | tcp |
| GB | 142.250.187.195:443 | www.google.co.uk | tcp |
| CA | 23.227.38.74:443 | www.lttstore.com | tcp |
| GB | 68.70.192.128:443 | cdn1.judge.me | tcp |
| US | 172.67.209.87:443 | app.backinstock.org | tcp |
| BE | 74.125.206.154:443 | stats.g.doubleclick.net | udp |
| GB | 142.250.187.195:443 | www.google.co.uk | udp |
| US | 34.120.57.242:443 | monorail-edge.shopifysvc.com | tcp |
| US | 216.239.34.36:443 | region1.google-analytics.com | tcp |
| GB | 92.123.128.162:443 | www.bing.com | tcp |
| GB | 23.214.133.66:443 | cxcs.microsoft.net | tcp |
| GB | 2.18.66.74:443 | tcp | |
| GB | 2.18.66.74:443 | tcp | |
| GB | 92.123.128.185:443 | r.bing.com | tcp |
| GB | 92.123.128.185:443 | r.bing.com | tcp |
| GB | 92.123.128.185:443 | r.bing.com | tcp |
| GB | 92.123.128.185:443 | r.bing.com | tcp |
| GB | 92.123.128.185:443 | r.bing.com | tcp |
| GB | 92.123.128.185:443 | r.bing.com | tcp |
| GB | 51.105.71.136:443 | browser.pipe.aria.microsoft.com | tcp |
Files
C:\fa13f525a490c1d506ed20\Setup.exe
| MD5 | 006f8a615020a4a17f5e63801485df46 |
| SHA1 | 78c82a80ebf9c8bf0c996dd8bc26087679f77fea |
| SHA256 | d273460aa4d42f0b5764383e2ab852ab9af6fecb3ed866f1783869f2f155d8be |
| SHA512 | c603ed6f3611eb7049a43a190ed223445a9f7bd5651100a825917198b50c70011e950fa968d3019439afa0a416752517b1c181ee9445e02da3904f4e4b73ce76 |
C:\fa13f525a490c1d506ed20\SetupEngine.dll
| MD5 | 84c1daf5f30ff99895ecab3a55354bcf |
| SHA1 | 7e25ba36bcc7deed89f3c9568016ddb3156c9c5a |
| SHA256 | 7a0d281fa802d615ea1207bd2e9ebb98f3b74f9833bba3cb964ba7c7e0fb67fd |
| SHA512 | e4fb7e4d39f094463fdcdc4895ab2ea500eb51a32b6909cec80a526bbf34d5c0eb98f47ee256c0f0865bf3169374937f047bf5c4d6762779c8ca3332b4103be3 |
C:\fa13f525a490c1d506ed20\sqmapi.dll
| MD5 | 3f0363b40376047eff6a9b97d633b750 |
| SHA1 | 4eaf6650eca5ce931ee771181b04263c536a948b |
| SHA256 | bd6395a58f55a8b1f4063e813ce7438f695b9b086bb965d8ac44e7a97d35a93c |
| SHA512 | 537be86e2f171e0b2b9f462ac7f62c4342beb5d00b68451228f28677d26a525014758672466ad15ed1fd073be38142dae478df67718908eae9e6266359e1f9e8 |
C:\fa13f525a490c1d506ed20\DHTMLHeader.html
| MD5 | cd131d41791a543cc6f6ed1ea5bd257c |
| SHA1 | f42a2708a0b42a13530d26515274d1fcdbfe8490 |
| SHA256 | e139af8858fe90127095ac1c4685bcd849437ef0df7c416033554703f5d864bb |
| SHA512 | a6ee9af8f8c2c7acd58dd3c42b8d70c55202b382ffc5a93772af7bf7d7740c1162bb6d38a4307b1802294a18eb52032d410e128072af7d4f9d54f415be020c9a |
C:\Users\Admin\AppData\Local\Temp\HFIB027.tmp.html
| MD5 | 0cb782ce8dedc03e97d38741f494deb5 |
| SHA1 | 275a6d497aee85fd15ba3775c96a7222eb0c08ef |
| SHA256 | b19a6b8c9b9f276ecad430f6cd0b4badb8b48cbab9ae23c843751556eb51725b |
| SHA512 | f423a94728bc9118b0975ef10297df4e33d917c1378b3b19feca52aef6cd207fba02d80a7ed26e898f537277e3824cf36e0c90ff7fcb64a74f33294103a0e812 |
C:\fa13f525a490c1d506ed20\UiInfo.xml
| MD5 | 8b8b0a935dc591799a0c6d52fdc33460 |
| SHA1 | ce2748bd469aad6e90b06d98531084d00611fb89 |
| SHA256 | 57a9ccb84cae42e0d8d1a29cfe170ac3f27bdcae829d979cddfd5e757519b159 |
| SHA512 | 93009b3045939b65a0c1d25e30a07a772bd73dda518529462f9ce1227a311a4d6fd7595f10b4255cc0b352e09c02026e89300a641492f14df908ad256a3c9d76 |
C:\fa13f525a490c1d506ed20\ParameterInfo.xml
| MD5 | 7213da83e0f0b8ae4fea44ae1cb7f62b |
| SHA1 | f2e3fcc77a1ad4d042253bd2e0010bcb40b68ed3 |
| SHA256 | 59e67e4fb46e5490eee63d8b725324f1372720ade7345c74c6138c4a76ea73d9 |
| SHA512 | 86186ab0f2cb38e520dd1284042eced157f96874846eb9061be9cf56b84a1cab5901a4879e105a8b04b336bbc43b03f4bdf198d43af868be188602347db829e0 |
C:\fa13f525a490c1d506ed20\1025\LocalizedData.xml
| MD5 | c5bf74c96a711b3f7004ca6bddecc491 |
| SHA1 | 4c4d42ff69455f267ce98f1db8f2c5d76a1046da |
| SHA256 | 6b67c8a77c1a637b72736595afdf77bdb3910aa9fe48d959775806a0683ffa66 |
| SHA512 | 2f2071bf9966bffe64c90263f4b9bd5efcac4f976c4e42fbdeaa5d6a6dee51c33f4902cf5e3d0897e1c841e9182e25c86d42e392887bc3ce3d9ed3d780d96ac9 |
C:\fa13f525a490c1d506ed20\1029\LocalizedData.xml
| MD5 | 0b6ed582eb557573e959e37ebe2fca6a |
| SHA1 | 82c19c7eafb28593f453341eca225873fb011d4c |
| SHA256 | 8a0da440261940ed89bad7cd65bbc941cc56001d9aa94515e346d57b7b0838fc |
| SHA512 | aba3d19f408bd74f010ec49b31a2658e0884661d2efda7d999558c90a4589b500570cc80410ba1c323853ca960e7844845729fff708e3a52ea25f597fad90759 |
C:\fa13f525a490c1d506ed20\3082\LocalizedData.xml
| MD5 | 2d54fe70376db0218e8970b28c1c4518 |
| SHA1 | 83ee9ac93142751f23d5bb858f7264e27ea2eab0 |
| SHA256 | d17c5b638e2a4d43212d21a2052548c8d4909eb6410e30b8a951a292bcdbbedd |
| SHA512 | 20c0fb9a046911bc2d702ab321c3992262ac0f80f33ddda5ec2ccafe9ef07611774223369e0dc7cb91c9cda1cbd65c598a7e1c914d6e6ca4b00205a16411be30 |
C:\fa13f525a490c1d506ed20\3076\LocalizedData.xml
| MD5 | 967a6d769d849c5ed66d6f46b0b9c5a4 |
| SHA1 | c0ff5f094928b2fa8b61e97639c42782e95cc74f |
| SHA256 | 0bc010947bff6ec1ce9899623ccfdffd702eee6d2976f28d9e06cc98a79cf542 |
| SHA512 | 219b13f1beeb7d690af9d9c7d98904494c878fbe9904f8cb7501b9bb4f48762f9d07c3440efa0546600ff62636ac34cb4b32e270cf90cb47a9e08f9cb473030c |
C:\fa13f525a490c1d506ed20\2070\LocalizedData.xml
| MD5 | 7fa9926a4bc678e32e5d676c39f8fb97 |
| SHA1 | bba4311dd30261a9b625046f8a6ea215516c9213 |
| SHA256 | a25ee75c78c24c50440ad7de9929c6a6e1cc0629009dc0d01b90cbac177dd404 |
| SHA512 | e06423bc1ea50a566d341dc513828608e9b6611fea81d33fca471a38f6b2b61b556ea07a5dec0830f3e87194975d87f267a5e5e1a2be5e6a86b07c5bb2bddcb6 |
C:\fa13f525a490c1d506ed20\2052\LocalizedData.xml
| MD5 | 10da125eeabcbb45e0a272688b0e2151 |
| SHA1 | 6c4124ec8ca2d03b5187ba567c922b6c3e5efc93 |
| SHA256 | 1842f22c6fd4caf6ad217e331b74c6240b19991a82a1a030a6e57b1b8e9fd1ec |
| SHA512 | d968abd74206a280f74bf6947757cca8dd9091b343203e5c2269af2e008d3bb0a17ff600eb961dbf69a93de4960133ade8d606fb9a99402d33b8889f2d0da710 |
C:\fa13f525a490c1d506ed20\1055\LocalizedData.xml
| MD5 | 65e771fed28b924942a10452bbbf5c42 |
| SHA1 | 586921b92d5fb297f35effc2216342dac1ae2355 |
| SHA256 | 45e30569a756d9bcbc5f9dae78bda02751fd25e1c0aee471ce112cb4464a6ee2 |
| SHA512 | d014a2a96f3a5c487ef1caddd69599dbec15da5ad689d68009f1ca4d5cb694105a7903f508476d6ffec9d81386cb184df6fc428d34f056190cee30715514a8f7 |
C:\fa13f525a490c1d506ed20\1053\LocalizedData.xml
| MD5 | b3b1a89458bec6af82c5386d26639b59 |
| SHA1 | d9320b8cc862f40c65668a40670081079b63cea1 |
| SHA256 | 1ef312e8be9207466fbfdecee92bfc6c6b7e2da61979b0908eaf575464e7b7a0 |
| SHA512 | 478ce08619490ed1ecdd8751b5f60da1ee4ac0d08d9a97468c3f595ac4376feca59e9c72dd9c83b00c8d78b298be757c6f24a422b7be8c041f780524844998bf |
C:\fa13f525a490c1d506ed20\1049\LocalizedData.xml
| MD5 | 349b52a81342a7afb8842459e537ecc6 |
| SHA1 | 6268343e82fbbabe7618bd873335a8f9f84ed64d |
| SHA256 | 992bf5aeb06aa3701d50c23fa475b4b86d8997383c9f0e3425663cfbd6b8a2a5 |
| SHA512 | ef4cbd3f7f572a9f146a524cfbc2efbd084e6c70a65b96a42339adc088e3f0524bc202548340969481e7f3df3ac517ac34b200b56a3b9957802abd0efa951c49 |
C:\fa13f525a490c1d506ed20\1046\LocalizedData.xml
| MD5 | a03d2063d388fc7a1b4c36d85efa5a1a |
| SHA1 | 88bd5e2ff285ee421ccc523f7582e05a8c3323f8 |
| SHA256 | 61d8339e89a9e48f8ae2d929900582bb8373f08d553ec72d5e38a0840b47c8a3 |
| SHA512 | 3a219f36e57d90ca92e9faec4dfd34841c2c9244da4fe7e1d70608dde7857aa36325bdb46652a42922919f782bb7c97f567e69a9fc51942722b8fd66cd4ecaf0 |
C:\fa13f525a490c1d506ed20\1045\LocalizedData.xml
| MD5 | bdb583c7a48f811be3b0f01fcea40470 |
| SHA1 | e8453946a6b926e4f4ae5b02ba1d648daf23e133 |
| SHA256 | 611b7b7352188adffd6380b9c8a85b8ff97c09a1c293bb7ac0ef5478a0e18ac8 |
| SHA512 | 27b02226f8f86ca4d00789317c79e8ca0089f5b910bed14aa664eeab6be66e98de3bafd7670c895d70ab9c34ece5f05199f3556fddc1b165904e3432a51c008d |
C:\fa13f525a490c1d506ed20\1044\LocalizedData.xml
| MD5 | 120104fa24709c2a9d8efc84ff0786cd |
| SHA1 | b513fa545efae045864d8527a5ec6b6cebe31bb9 |
| SHA256 | 516525636b91c16a70aef8d6f6b424dc1ee7f747b8508b396ee88131b2bb0947 |
| SHA512 | 1ea8eb2be9d5f4ef6f1f2c0d90cb228a9bb58d7143ccafe77e18ce52ec4aca25dde0ba18430fd4d3d7962d079ccbe7e2552b2c7090361e03c6fdfb7c2b9c7325 |
C:\fa13f525a490c1d506ed20\1043\LocalizedData.xml
| MD5 | 6506b4e64ebf6121997fa227e762589f |
| SHA1 | 71bc1478c012d9ec57fc56a5266dd325b7801221 |
| SHA256 | 415112ae783a87427c2fadd7b010ade4f1a7c23b27e4b714b7b507c16b572a1c |
| SHA512 | 39024ea9d42352f7c1bd6fefe0574054eceb4059f773cfaeb26c42faada2540ae95fb34718d30ccb6da157d2597f80d12a024461fbd0e8d510431ba6ffa81ec2 |
C:\fa13f525a490c1d506ed20\1042\LocalizedData.xml
| MD5 | 78c16da54542c9ed8fa32fed3efaf10d |
| SHA1 | ad8cfe972c8a418c54230d886e549e00c7e16c40 |
| SHA256 | e3e3a2288ff840ab0e7c5e8f7b4cfb1f26e597fb17cfc581b7728116bd739ed1 |
| SHA512 | d9d7bb82a1d752a424bf81be3d86abea484acbb63d35c90a8ee628e14cf34a7e8a02f37d2ea82aa2ce2c9aa4e8416a7a6232c632b7655f2033c4aaab208c60bf |
C:\fa13f525a490c1d506ed20\1041\LocalizedData.xml
| MD5 | 64ffa6ff8866a15aff326f11a892bead |
| SHA1 | 378201477564507a481ba06ea1bc0620b6254900 |
| SHA256 | 7570390094c0a199f37b8f83758d09dd2cecd147132c724a810f9330499e0cbf |
| SHA512 | ea5856617b82d13c9a312cb4f10673dbc4b42d9ac5703ad871e8bdfcc6549e262e61288737ab8ebcf77219d24c0822e7dacf043d1f2d94a97c9b7ec0a5917ef2 |
C:\fa13f525a490c1d506ed20\1040\LocalizedData.xml
| MD5 | eda1ec689d45c7faa97da4171b1b7493 |
| SHA1 | 807fe12689c232ebd8364f48744c82ca278ea9e6 |
| SHA256 | 80faa30a7592e8278533d3380dcb212e748c190aaeef62136897e09671059b36 |
| SHA512 | 8385a5de4eb6b38169dd1eb03926bc6d4604545801f13d99cee3acede3d34ec9f9d96b828a23ae6246809dc666e67f77a163979679956297533da40f9365bf2c |
C:\fa13f525a490c1d506ed20\1038\LocalizedData.xml
| MD5 | 89d4356e0f226e75ca71d48690e8ec15 |
| SHA1 | 2336caa971527977f47512bc74e88cec3f770c7d |
| SHA256 | fcbb619deb2d57b791a78954b0342dbb2fef7ddd711066a0786c8ef669d2b385 |
| SHA512 | fa03d55a4aafe94cbf5c134a65bd809fc86c042bc1b8ffbc9a2a5412eb70a468551c05c44b6ce81f638df43cca599aa1dd6f42f2df3012c8a95a3612df7c821e |
C:\fa13f525a490c1d506ed20\1037\LocalizedData.xml
| MD5 | 16e6416756c1829238ef1814ebf48ad6 |
| SHA1 | c9236906317b3d806f419b7a98598dd21e27ad64 |
| SHA256 | c0ee256567ea26bbd646f019a1d12f3eced20b992718976514afa757adf15dea |
| SHA512 | aa595ed0b3b1db280f94b29fa0cb9db25441a1ef54355abf760b6b837e8ce8e035537738e666d27dd2a8d295d7517c325a5684e16304887ccb17313ca4290ce6 |
C:\fa13f525a490c1d506ed20\1036\LocalizedData.xml
| MD5 | 1dad88faed661db34eef535d36563ee2 |
| SHA1 | 0525b2f97eddbd26325fddc561bf8a0cda3b0497 |
| SHA256 | 9605468d426bcbbe00165339d84804e5eb2547bfe437d640320b7bfef0b399b6 |
| SHA512 | ccd0bffbf0538152cccd4b081c15079716a5ff9ad04cee8679b7f721441f89eb7c6f8004cff7e1dde9188f5201f573000d0c078474edf124cfa4c619e692d6bc |
C:\fa13f525a490c1d506ed20\1035\LocalizedData.xml
| MD5 | 1aa252256c895b806e4e55f3ea8d5ffb |
| SHA1 | 0322ee94c3d5ea26418a2fea3f7e62ec5d04b81d |
| SHA256 | 8a68b3b6522c30502202ecb8d16ae160856947254461ac845b39451a3f2db35f |
| SHA512 | ce57784892c0be55a00ced0adc594a534d8a40819790ca483a29b6cd544c7a75ae4e9bde9b6dc6de489ceceb7883b7c2ea0e98a38fcc96d511157d61c8aa3e63 |
C:\fa13f525a490c1d506ed20\1032\LocalizedData.xml
| MD5 | 3bf8da35b14fbcc564e03f6342bb71f2 |
| SHA1 | 8f9139f0bb813bf95f8c437548738d32848d8940 |
| SHA256 | 39efe12c689edfea041613b0e4d6ec78afec8fe38a0e4adc656591ffef8f415d |
| SHA512 | 31b050647ba4bd0c2762d77307e1ed2a324e9b152c06ed496b86ea063cdc18bf2bb1f08d2e9b4af3429a2bc333d7891338d7535487c83495304a5f78776dbc03 |
C:\fa13f525a490c1d506ed20\1031\LocalizedData.xml
| MD5 | 8505219c0a8d950ff07dc699d8208309 |
| SHA1 | 7a557356c57f1fa6d689ea4c411e727438ac46df |
| SHA256 | c48986cdb7fe3401234e0a6540eb394c1201846b5beb1f12f83dc6e14674873a |
| SHA512 | 7bcdad0cb4b478068434f4ebd554474b69562dc83df9a423b54c1701ca3b43c3b92de09ee195a86c0d244aa5ef96c77b1a08e73f1f2918c8ac7019f8df27b419 |
C:\fa13f525a490c1d506ed20\1030\LocalizedData.xml
| MD5 | 69925e463a6fedce8c8e1b68404502fb |
| SHA1 | 76341e490a432a636ed721f0c964fd9026773dd7 |
| SHA256 | 5f370d2ccdd5fa316bce095bf22670123c09de175b7801d0a77cdb68174ac6b7 |
| SHA512 | 5f61abec49e1f9cc44c26b83aa5b32c217ebeba63ed90d25836f51f810c59f71ec7430dc5338efba9be720f800204891e5ab9a5f5ec1ff51ef46c629482e5220 |
C:\fa13f525a490c1d506ed20\1033\LocalizedData.xml
| MD5 | 326518603d85acd79a6258886fc85456 |
| SHA1 | f1cef14bc4671a132225d22a1385936ad9505348 |
| SHA256 | 665797c7840b86379019e5a46227f888fa1a36a593ea41f9170ef018c337b577 |
| SHA512 | f8a514efd70e81d0f2f983282d69040bca6e42f29aa5df554e6874922a61f112e311ad5d2b719b6ca90012f69965447fb91e8cd4103efb2453ff160a9062e5d3 |
C:\fa13f525a490c1d506ed20\SplashScreen.bmp
| MD5 | 0966fcd5a4ab0ddf71f46c01eff3cdd5 |
| SHA1 | 8f4554f079edad23bcd1096e6501a61cf1f8ec34 |
| SHA256 | 31c13ecfc0eb27f34036fb65cc0e735cd444eec75376eea2642f926ac162dcb3 |
| SHA512 | a9e70a2fb5a9899acf086474d71d0e180e2234c40e68bcadb9bf4fe145774680cb55584b39fe53cc75de445c6bf5741fc9b15b18385cbbe20fc595fe0ff86fce |
C:\fa13f525a490c1d506ed20\SetupUi.dll
| MD5 | eb881e3dddc84b20bd92abcec444455f |
| SHA1 | e2c32b1c86d4f70e39de65e9ebc4f361b24ff4a1 |
| SHA256 | 11565d97287c01d22ad2e46c78d8a822fa3e6524561d4c02dfc87e8d346c44e7 |
| SHA512 | 5750cec73b36a3f19bfb055f880f3b6498a7ae589017333f6272d26f1c72c6f475a3308826268a098372bbb096b43fbd1e06e93eecc0a81046668228bc179a75 |
C:\fa13f525a490c1d506ed20\SetupUi.xsd
| MD5 | 2fadd9e618eff8175f2a6e8b95c0cacc |
| SHA1 | 9ab1710a217d15b192188b19467932d947b0a4f8 |
| SHA256 | 222211e8f512edf97d78bc93e1f271c922d5e91fa899e092b4a096776a704093 |
| SHA512 | a3a934a8572ff9208d38cf381649bd83de227c44b735489fd2a9dc5a636ead9bb62459c9460ee53f61f0587a494877cd3a3c2611997be563f3137f8236ffc4ca |
C:\fa13f525a490c1d506ed20\1033\SetupResources.dll
| MD5 | 9547d24ac04b4d0d1dbf84f74f54faf7 |
| SHA1 | 71af6001c931c3de7c98ddc337d89ab133fe48bb |
| SHA256 | 36d0159ed1a7d88000737e920375868765c0a1dd6f5a5acbb79cf7d97d9e7a34 |
| SHA512 | 8b6048f4185a711567679e2de4789407077ce5bfe72102d3cb1f23051b8d3e6bfd5886c801d85b4e62f467dd12da1c79026a4bc20b17f54c693b2f24e499d40f |
C:\fa13f525a490c1d506ed20\Strings.xml
| MD5 | 8a28b474f4849bee7354ba4c74087cea |
| SHA1 | c17514dfc33dd14f57ff8660eb7b75af9b2b37b0 |
| SHA256 | 2a7a44fb25476886617a1ec294a20a37552fd0824907f5284fade3e496ed609b |
| SHA512 | a7927700d8050623bc5c761b215a97534c2c260fcab68469b7a61c85e2dff22ed9cf57e7cb5a6c8886422abe7ac89b5c71e569741db74daa2dcb4152f14c2369 |
memory/1612-267-0x0000000003070000-0x0000000003071000-memory.dmp
C:\fa13f525a490c1d506ed20\graphics\print.ico
| MD5 | 7e55ddc6d611176e697d01c90a1212cf |
| SHA1 | e2620da05b8e4e2360da579a7be32c1b225deb1b |
| SHA256 | ff542e32330b123486797b410621e19eafb39df3997e14701afa4c22096520ed |
| SHA512 | 283d381aa396820b7e15768b20099d67688da1f6315ec9f7938c2fcc3167777502cded0d1beddf015a34cc4e5d045bcb665ffd28ba2fbb6faf50fdd38b31d16e |
C:\fa13f525a490c1d506ed20\graphics\setup.ico
| MD5 | 3d25d679e0ff0b8c94273dcd8b07049d |
| SHA1 | a517fc5e96bc68a02a44093673ee7e076ad57308 |
| SHA256 | 288e9ad8f0201e45bc187839f15aca79d6b9f76a7d3c9274c80f5d4a4c219c0f |
| SHA512 | 3bde668004ca7e28390862d0ae9903c756c16255bdbb3f7e73a5b093ce6a57a3165d6797b0a643b254493149231aca7f7f03e0af15a0cbe28aff02f0071ec255 |
C:\fa13f525a490c1d506ed20\graphics\save.ico
| MD5 | 7d62e82d960a938c98da02b1d5201bd5 |
| SHA1 | 194e96b0440bf8631887e5e9d3cc485f8e90fbf5 |
| SHA256 | ae041c8764f56fd89277b34982145d16fc59a4754d261c861b19371c3271c6e5 |
| SHA512 | ab06b2605f0c1f6b71ef69563c0c977d06c6ea84d58ef7f2baecba566d6037d1458c2b58e6bfd70ddef47dccbdea6d9c2f2e46dea67ea9e92457f754d7042f67 |
C:\fa13f525a490c1d506ed20\graphics\warn.ico
| MD5 | b2b1d79591fca103959806a4bf27d036 |
| SHA1 | 481fd13a0b58299c41b3e705cb085c533038caf5 |
| SHA256 | fe4d06c318701bf0842d4b87d1bad284c553baf7a40987a7451338099d840a11 |
| SHA512 | 5fe232415a39e0055abb5250b120ccdcd565ab102aa602a3083d4a4705ac6775d45e1ef0c2b787b3252232e9d4673fc3a77aab19ec79a3ff8b13c4d7094530d2 |
memory/1612-272-0x0000000003070000-0x0000000003071000-memory.dmp
\??\pipe\LOCAL\crashpad_2384_JKGOTMLUIPLWQHDR
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | c22f834647f3dcec70abd8f8f555ab1e |
| SHA1 | 0bdbc237d01e3465c5038e1553e696238a73fe5e |
| SHA256 | 9e6d503798fc59c4d49790b60f5ca106264eb07445aaa487be10bc671bf58d23 |
| SHA512 | 7f1df17ed61e97748d384b098b6e05d03100032b11618844d7bb4f1581901c80269bf0b1003d2673ca7caab6dfacc01d02e51ce191fd655b45b7961438459b2e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 1af81afc9793ac587bf5b0eb25f30d1b |
| SHA1 | b6e2e7ffe8b9f9c869954e716fdb5a4c9a3c19f7 |
| SHA256 | 98c6b3605c3648999d55475e036d8ed199f1c19e8451e1a47b2ea7eb9bbc6036 |
| SHA512 | b6f893104fb98fdbd50d386cf6d25c1bb7c7792532576ac1209b0b6fa783e2bea8022d1e25dd8b43a504dac6b479e85eb210a3fd097027b459c37b9403c9f95a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 89703f27d619d69de168b4660698ee2c |
| SHA1 | f1b692bc07e384438ace12a2377813d8e44c66e1 |
| SHA256 | 8ccc7d2eece5b3cf5aa9efccc97867caaa59c5355731529c55725015fc1a2920 |
| SHA512 | f8b7817b092ac7f5c5597570253dce1ea0655a746387a771316fb26b9cc5452cf19eaf4aa10ab1e55526f3357312b1dbb43e57cc8becf0c633ca039f3b71d526 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0
| MD5 | 208093c34b58a5aa788e60af23f71a98 |
| SHA1 | fb0b00c4cecff042ae31f6ef67b2227f4ec8cea3 |
| SHA256 | bfd8f2ceeb4405b1d496b3657c914e6818b22a53692cdc5927c8b12649c91c93 |
| SHA512 | 4991464e37a886ce0a67c8dff37337c7c65c12504e15a673154cf5f5f774e65fc6fb7caadd6c516df2f6dd05383eb58f0afb94c5b6c4b36c96d3791268d95fb9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1
| MD5 | 37066490ab42961d646e76b003fc3b2b |
| SHA1 | 7d4b4a4874c127bcb08a0b3d9716294182c71eb3 |
| SHA256 | e11a3e3a214352b6cfdd8efa3e8495bbcb562d9fdbdc7722e9e2baab4c70afef |
| SHA512 | 0bc10cf89b76143830fa5059f8190fd9a4ee94782ff4cc14fbcb6120f095db9409f453ec8d94e5c594da8acffc514e1c8ac3fb474686197a8e1e99b5ca225aca |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 3882a83e23358d6bc60a97248fe763af |
| SHA1 | 1557ff42a208bf1c0c42eb00b9f43c4d2791ac06 |
| SHA256 | bd6fb7133a78865dd9ed73d6458e8b6bf8198eba39f08c08bfd70b9a2e3e53e4 |
| SHA512 | 7a28d59c33ba2bb0d0c8809dd6b597905a40942fac0e7a0274717860f7b64b7659766d21a3bcc83d453bfa59e2eebaa1c7d89324cf88e15d8124a9de37035004 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | e035dbc0cb142dcd0d12060903b55302 |
| SHA1 | 66aeb427252e77cd3f3ad1e626ab683d7e6c2b9d |
| SHA256 | 7ec8d1ab472dccd21fe89a7b3057829c8ae56ea5b6fd26998a51c9a028b57f0e |
| SHA512 | c388446c2cc4df5c77d8632db48d21aa9171cac0dc4c8146a30ac644e431755888123c080c4e77b7aebd0b53db65a5c62596f2a075955268889f6a783ad47cc1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | d6a886af3bf8c37d9719cc6309c05e0a |
| SHA1 | dca701ba3c618ce11b52172b2a6ab5272e2023d1 |
| SHA256 | c19e4a4c32680701645e02473c1240cbdc1f92116c6c3f25dc42e98aa4aa2248 |
| SHA512 | 0256e1049491c4c1c601c1514de4a936d88a6533fbc985fe7aaab0422a1cf40dfd2b97b33d738c21b351057380f469261f13a80db67ba026b3bdb1c593d653a5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 22353fe6a7f676700fe61d988c1fed4d |
| SHA1 | 59a4ca00b2ae5fc5c5fc432ec73443ca002bb34a |
| SHA256 | 462accdf66add5e2e2dc8afe439b65dae35687715fd0c0e9af31695de540a2f5 |
| SHA512 | b4264185d5131390c802a6b8298f1a350006887b356399ea9fc219c0ec08418b02441b9a3211d0daecabbce89f49c4ee725843320e9c53daa6f48e0b83aaf816 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | c29d0e8fb7dff1e6f3fcaa7c68d99c4d |
| SHA1 | 8137c373542a71ac12e617340bf9d8e9ba1c1173 |
| SHA256 | ed86c50df02d68438a1a8704aea4ccd3ac6d354025b587fb246c753ce74b38e9 |
| SHA512 | 5b3b2c6e3b7a428febdcd7d008a6bfb33ec93101d399c5d7a8bad7cbf72a3c400a39a0bad2cce7ff03d96aeb744a591a379db835b14b4c7d59a0f9e45c9d3490 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\d29eee21-7d5f-4016-85a2-556cb9e47cc3.tmp
| MD5 | 439d23c2b076ffda7ff055f77d8a20c4 |
| SHA1 | d1d875f38474b7353a19d4c7bed51c192a405845 |
| SHA256 | 024b65f927de91ae6ad824eff47ecda4a192062636dade6ebecff53b0c6f897f |
| SHA512 | a12494ba9d153377675909e2a982d413ceff95c325fef981a6c0da25941fa96b5e463e6ae70e0d6a20e34fce841e84b05c486c1f70ec5b05889954e3dc84c251 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | cfbd4f932208737caf80f68163a296d8 |
| SHA1 | bcf79586f0f446c73935f17abb688517a0539f41 |
| SHA256 | 7137d2de96eec96eb38c3c60a6221f6e1e026384cf335a51e0d135c1c5d0fd4d |
| SHA512 | 967fe1cc4e98badbae6f96d9258a08e5393bb7f13befef35cfcfe54bc7f41ce8dd973bd6d46fa4aa0c63d6b7d24f609f7a92cddaf0fb4660b9fb88fe0e71b96d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1
| MD5 | 06400df31dc4d11772f23cc377266d79 |
| SHA1 | 0ebfdd068a63a82fbdd6be53d69218e71ef4932f |
| SHA256 | 90c88af959a5ec923218cb44cebe8623c72784502aa258cc42eec9377180f262 |
| SHA512 | 5a45f5c7866f937bb64d00a355d973cb2e3a8fb3e24aa0ea45d4a3f5810614f31c1eb47ab3a57f34c2eed38fa9e01c20be5ac0cfefa04041aeb5528282be40c7 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-01-23 11:58
Reported
2024-01-23 12:01
Platform
win11-20231215-en
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-01-23 11:58
Reported
2024-01-23 12:03
Platform
win11-20231222-en
Max time kernel
144s
Max time network
150s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Temp\{D00399F0-5D6E-42F7-A38D-89BCF3F196D3}\.cr\vcredist_2015-2019_x86.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Temp\{D00399F0-5D6E-42F7-A38D-89BCF3F196D3}\.cr\vcredist_2015-2019_x86.exe | N/A |
Checks installed software on the system
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1628 wrote to memory of 3752 | N/A | C:\Users\Admin\AppData\Local\Temp\funni game\_Redist\vcredist_2015-2019_x86.exe | C:\Windows\Temp\{D00399F0-5D6E-42F7-A38D-89BCF3F196D3}\.cr\vcredist_2015-2019_x86.exe |
| PID 1628 wrote to memory of 3752 | N/A | C:\Users\Admin\AppData\Local\Temp\funni game\_Redist\vcredist_2015-2019_x86.exe | C:\Windows\Temp\{D00399F0-5D6E-42F7-A38D-89BCF3F196D3}\.cr\vcredist_2015-2019_x86.exe |
| PID 1628 wrote to memory of 3752 | N/A | C:\Users\Admin\AppData\Local\Temp\funni game\_Redist\vcredist_2015-2019_x86.exe | C:\Windows\Temp\{D00399F0-5D6E-42F7-A38D-89BCF3F196D3}\.cr\vcredist_2015-2019_x86.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\funni game\_Redist\vcredist_2015-2019_x86.exe
"C:\Users\Admin\AppData\Local\Temp\funni game\_Redist\vcredist_2015-2019_x86.exe"
C:\Windows\Temp\{D00399F0-5D6E-42F7-A38D-89BCF3F196D3}\.cr\vcredist_2015-2019_x86.exe
"C:\Windows\Temp\{D00399F0-5D6E-42F7-A38D-89BCF3F196D3}\.cr\vcredist_2015-2019_x86.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\funni game\_Redist\vcredist_2015-2019_x86.exe" -burn.filehandle.attached=552 -burn.filehandle.self=576
Network
Files
C:\Windows\Temp\{D00399F0-5D6E-42F7-A38D-89BCF3F196D3}\.cr\vcredist_2015-2019_x86.exe
| MD5 | 2f9d2b6ce54f9095695b53d1aa217c7b |
| SHA1 | 3f54934c240f1955301811d2c399728a3e6d1272 |
| SHA256 | 0009d3f27837c3af3f6fff7973faf07afaa4b53119846f55b6f2a79f1759c757 |
| SHA512 | 692857f960f26039c7b0af6329e65a71e8588ff71eaac6b956bd6e437994a8d5a470c7e75dd776e0772e473967b64d5ea0e1d8396546691316daf4d6b8ccc237 |
C:\Windows\Temp\{ABF39DFD-B94D-4439-A2C8-9641877CDFB1}\.ba\wixstdba.dll
| MD5 | eab9caf4277829abdf6223ec1efa0edd |
| SHA1 | 74862ecf349a9bedd32699f2a7a4e00b4727543d |
| SHA256 | a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041 |
| SHA512 | 45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2 |
C:\Windows\Temp\{ABF39DFD-B94D-4439-A2C8-9641877CDFB1}\.ba\logo.png
| MD5 | d6bd210f227442b3362493d046cea233 |
| SHA1 | ff286ac8370fc655aea0ef35e9cf0bfcb6d698de |
| SHA256 | 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef |
| SHA512 | 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b |
Analysis: behavioral17
Detonation Overview
Submitted
2024-01-23 11:58
Reported
2024-01-23 12:03
Platform
win11-20231215-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\funni game\money\WinPixEventRuntime.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 167.166.122.92.in-addr.arpa | udp |