Malware Analysis Report

2025-08-11 01:07

Sample ID 240404-qs3bsahg62
Target Terraria_Rus_v1.1.2_.exe
SHA256 37440bf2f11658a00aa9a01f1f6a7b680c0a54d008413adc9070db0ce219de2e
Tags
persistence
score
7/10

Analysis Overview

score
7/10

SHA256

37440bf2f11658a00aa9a01f1f6a7b680c0a54d008413adc9070db0ce219de2e

Threat Level: Shows suspicious behavior

The file Terraria_Rus_v1.1.2_.exe was found to show suspicious behavior.

Malicious Activity Summary

persistence

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Enumerates connected drives

Adds Run key to start application

Blocklisted process makes network request

Drops file in System32 directory

Drops file in Windows directory

Program crash

Unsigned PE

Enumerates physical storage devices

NSIS installer

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-04 13:32

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-04-04 13:32

Reported

2024-04-04 13:36

Platform

win10-20240221-en

Max time kernel

128s

Max time network

142s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\steam_api.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4996 wrote to memory of 4140 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4996 wrote to memory of 4140 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4996 wrote to memory of 4140 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\steam_api.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\steam_api.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 204.201.50.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-04 13:32

Reported

2024-04-04 13:36

Platform

win10-20240319-en

Max time kernel

129s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Redist\dotNetFx40_Full_setup.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\499a4a0ed6ae111044cc\Setup.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\499a4a0ed6ae111044cc\Setup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\499a4a0ed6ae111044cc\Setup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Redist\dotNetFx40_Full_setup.exe

"C:\Users\Admin\AppData\Local\Temp\Redist\dotNetFx40_Full_setup.exe"

C:\499a4a0ed6ae111044cc\Setup.exe

C:\499a4a0ed6ae111044cc\\Setup.exe /x86 /x64 /ia64 /web

Network

Country Destination Domain Proto
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 91.65.42.20.in-addr.arpa udp

Files

C:\499a4a0ed6ae111044cc\Setup.exe

C:\499a4a0ed6ae111044cc\SetupEngine.dll

C:\499a4a0ed6ae111044cc\sqmapi.dll

C:\Users\Admin\AppData\Local\Temp\HFIAEBF.tmp.html

C:\499a4a0ed6ae111044cc\UiInfo.xml

C:\499a4a0ed6ae111044cc\ParameterInfo.xml

C:\499a4a0ed6ae111044cc\SplashScreen.bmp

C:\499a4a0ed6ae111044cc\1033\LocalizedData.xml

C:\499a4a0ed6ae111044cc\1025\LocalizedData.xml

C:\499a4a0ed6ae111044cc\1028\LocalizedData.xml

C:\499a4a0ed6ae111044cc\1029\LocalizedData.xml

C:\499a4a0ed6ae111044cc\1030\LocalizedData.xml

C:\499a4a0ed6ae111044cc\1032\LocalizedData.xml

C:\499a4a0ed6ae111044cc\1031\LocalizedData.xml

C:\499a4a0ed6ae111044cc\1035\LocalizedData.xml

C:\499a4a0ed6ae111044cc\1038\LocalizedData.xml

C:\499a4a0ed6ae111044cc\1040\LocalizedData.xml

C:\499a4a0ed6ae111044cc\1037\LocalizedData.xml

C:\499a4a0ed6ae111044cc\1036\LocalizedData.xml

C:\499a4a0ed6ae111044cc\1043\LocalizedData.xml

C:\499a4a0ed6ae111044cc\1041\LocalizedData.xml

C:\499a4a0ed6ae111044cc\1055\LocalizedData.xml

C:\499a4a0ed6ae111044cc\1053\LocalizedData.xml

C:\499a4a0ed6ae111044cc\1049\LocalizedData.xml

C:\499a4a0ed6ae111044cc\1046\LocalizedData.xml

C:\499a4a0ed6ae111044cc\2070\LocalizedData.xml

C:\499a4a0ed6ae111044cc\2052\LocalizedData.xml

C:\499a4a0ed6ae111044cc\1045\LocalizedData.xml

C:\499a4a0ed6ae111044cc\1044\LocalizedData.xml

C:\499a4a0ed6ae111044cc\1042\LocalizedData.xml

C:\499a4a0ed6ae111044cc\3082\LocalizedData.xml

C:\499a4a0ed6ae111044cc\SetupUi.dll

C:\499a4a0ed6ae111044cc\SetupUi.xsd

C:\499a4a0ed6ae111044cc\1033\SetupResources.dll

C:\499a4a0ed6ae111044cc\Strings.xml

memory/4912-267-0x0000000001030000-0x0000000001031000-memory.dmp

C:\499a4a0ed6ae111044cc\graphics\setup.ico

C:\499a4a0ed6ae111044cc\graphics\warn.ico

C:\499a4a0ed6ae111044cc\graphics\print.ico

C:\499a4a0ed6ae111044cc\graphics\save.ico

memory/4912-272-0x0000000001030000-0x0000000001031000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-04-04 13:32

Reported

2024-04-04 13:36

Platform

win10-20240221-en

Max time kernel

127s

Max time network

139s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Redist\xnafx40_redist.msi

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Redist\xnafx40_redist.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

Network

Country Destination Domain Proto
US 8.8.8.8:53 218.110.86.104.in-addr.arpa udp
US 8.8.8.8:53 216.203.100.95.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 27.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-04-04 13:32

Reported

2024-04-04 13:35

Platform

win10-20240221-en

Max time kernel

132s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Terraria.exe"

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Terraria.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Terraria.exe

"C:\Users\Admin\AppData\Local\Temp\Terraria.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 772

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.110.86.104.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 6.173.189.20.in-addr.arpa udp

Files

memory/2188-0-0x0000000000880000-0x00000000009EC000-memory.dmp

memory/2188-1-0x0000000073280000-0x000000007396E000-memory.dmp

memory/2188-2-0x0000000073280000-0x000000007396E000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-04-04 13:32

Reported

2024-04-04 13:35

Platform

win10-20240214-en

Max time kernel

128s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TerrariaServer.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\TerrariaServer.exe

"C:\Users\Admin\AppData\Local\Temp\TerrariaServer.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3440 -s 804

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.110.86.104.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 213.80.50.20.in-addr.arpa udp

Files

memory/3440-0-0x0000000000340000-0x0000000000348000-memory.dmp

memory/3440-1-0x0000000004D60000-0x0000000004ECC000-memory.dmp

memory/3440-2-0x00000000736D0000-0x0000000073DBE000-memory.dmp

memory/3440-3-0x00000000736D0000-0x0000000073DBE000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-04-04 13:32

Reported

2024-04-04 13:36

Platform

win10-20240221-en

Max time kernel

140s

Max time network

155s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\start-server.bat"

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4856 wrote to memory of 4356 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\TerrariaServer.exe
PID 4856 wrote to memory of 4356 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\TerrariaServer.exe
PID 4856 wrote to memory of 4356 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\TerrariaServer.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\start-server.bat"

C:\Users\Admin\AppData\Local\Temp\TerrariaServer.exe

TerrariaServer.exe -config serverconfig.txt

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 800

Network

Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 217.110.86.104.in-addr.arpa udp
US 8.8.8.8:53 57.162.23.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 30.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp

Files

memory/4356-0-0x0000000000690000-0x0000000000698000-memory.dmp

memory/4356-1-0x0000000073BA0000-0x000000007428E000-memory.dmp

memory/4356-2-0x0000000005020000-0x000000000518C000-memory.dmp

memory/4356-3-0x0000000073BA0000-0x000000007428E000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-04-04 13:32

Reported

2024-04-04 13:35

Platform

win10-20240221-en

Max time kernel

132s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uninstall.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\uninstall.exe

"C:\Users\Admin\AppData\Local\Temp\uninstall.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\

Network

Country Destination Domain Proto
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 30.73.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

\Users\Admin\AppData\Local\Temp\nsm64E5.tmp\LangDLL.dll

Analysis: behavioral12

Detonation Overview

Submitted

2024-04-04 13:32

Reported

2024-04-04 13:35

Platform

win10-20240221-en

Max time kernel

128s

Max time network

136s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4636 wrote to memory of 4996 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4636 wrote to memory of 4996 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4636 wrote to memory of 4996 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 616

Network

Country Destination Domain Proto
US 8.8.8.8:53 144.111.86.104.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 23.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-04 13:32

Reported

2024-04-04 13:36

Platform

win10-20240221-en

Max time kernel

73s

Max time network

82s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Terraria_Rus_v1.1.2_.exe"

Signatures

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\Terraria_Rus_v1.1.2_.exe

"C:\Users\Admin\AppData\Local\Temp\Terraria_Rus_v1.1.2_.exe"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

C:\Games\Terraria Rus v1.1.2\Content\Images\logo_3.xnb

C:\Games\Terraria Rus v1.1.2\Content\Images\Projectile_0.xnb

C:\Games\Terraria Rus v1.1.2\Content\Images\Projectile_11.xnb

C:\Games\Terraria Rus v1.1.2\Content\Images\Projectile_12.xnb

C:\Games\Terraria Rus v1.1.2\Content\Images\Projectile_85.xnb

C:\Games\Terraria Rus v1.1.2\Content\Images\Projectile_96.xnb

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-04 13:32

Reported

2024-04-04 13:36

Platform

win10-20240221-en

Max time kernel

128s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Redist\dxwebsetup.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\Redist\dxwebsetup.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\directx\websetup\dsetup.dll C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A
File opened for modification C:\Windows\SysWOW64\directx\websetup\SET9E93.tmp C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A
File created C:\Windows\SysWOW64\directx\websetup\SET9E93.tmp C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A
File opened for modification C:\Windows\SysWOW64\directx\websetup\dsetup32.dll C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A
File opened for modification C:\Windows\SysWOW64\DirectX\WebSetup C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A
File opened for modification C:\Windows\SysWOW64\directx\websetup\SET9E82.tmp C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A
File created C:\Windows\SysWOW64\directx\websetup\SET9E82.tmp C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Logs\DirectX.log C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Redist\dxwebsetup.exe

"C:\Users\Admin\AppData\Local\Temp\Redist\dxwebsetup.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 204.201.50.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe

MD5 eaa6b5ee297982a6a396354814006761
SHA1 780bf9a61c080a335e8712c5544fcbf9c7bdcd72
SHA256 d298fd82a39b2385a742ba1992466e081bea0f49e19ece6b2c87c7c262e1fcee
SHA512 ebdc887b6b334b7560f85ab2ebd29dc1f3a2dedac7f70042594f2a9bc128b6fca0a0e7704318ed69b7acf097e962533b3ce07713ef80e8acfe09374c13302999

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.inf

MD5 ad8982eaa02c7ad4d7cdcbc248caa941
SHA1 4ccd8e038d73a5361d754c7598ed238fc040d16b
SHA256 d63c35e9b43eb0f28ffc28f61c9c9a306da9c9de3386770a7eb19faa44dbfc00
SHA512 5c805d78bafff06c36b5df6286709ddf2d36808280f92e62dc4c285edd9176195a764d5cf0bb000da53ca8bbf66ddd61d852e4259e3113f6529e2d7bdbdd6e28

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dsetup.dll

MD5 0a23038ea472ffc938366ef4099d6635
SHA1 6499d741776dc4a446c22ea11085842155b34176
SHA256 8f2c455c9271290dcde2f68589cf825f9134beecb7e8b7e2ecbcabeab792280a
SHA512 dcc1c2ea86fd3a7870cd0369fa42f63d493895c546dcdd492ee19079a0d0696d689bbfe7b686d4fa549841896a54e673fc4581b80783d7aa255dfad765b9dc88

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dsetup32.dll

MD5 7672509436485121135c2a0e30b9e9ff
SHA1 f557022a9f42fe1303078093e389f21fb693c959
SHA256 d7ea3cf1b9b639010005e503877026597a743d1068ae6a453ce77cc202796fea
SHA512 e46ff68c4a532017f8ab15b1e46565508f6285b72c7a1cbe964ed5e75320c8e14587d01fee61b3966f43636bfe74cebd21f7665b4a726281e771cf9230e69863
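
Added example, not part of the sandbox output: the Files sections of this report are its IOC material, and their layout is regular enough to parse (one path line, then MD5/SHA1/SHA256/SHA512 lines; memory dumps appear as bare memory/... lines with no digests; some paths carry the NT object-manager prefix \??\). The Python below turns that text into records, rejects malformed digests, classifies where each file was dropped (the vcredist bootstrapper in behavioral4 extracts into a 32-hex-character folder at the drive root), builds the SHA256 set for blocklisting, and verifies a locally obtained copy of a dropped file against the listed digests. FILES_TEXT copies three records from the behavioral3 and behavioral4 Files sections plus one memory-dump line; the function names and the location labels are this example's own.

```python
"""Parse this report's "Files" records into verifiable IOCs.

Added example, not part of the sandbox output. FILES_TEXT is copied from the
report's behavioral3/behavioral4 Files sections; everything else is this
example's own choice of names and labels.
"""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

FILES_TEXT = r"""
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe

MD5 eaa6b5ee297982a6a396354814006761
SHA1 780bf9a61c080a335e8712c5544fcbf9c7bdcd72
SHA256 d298fd82a39b2385a742ba1992466e081bea0f49e19ece6b2c87c7c262e1fcee
SHA512 ebdc887b6b334b7560f85ab2ebd29dc1f3a2dedac7f70042594f2a9bc128b6fca0a0e7704318ed69b7acf097e962533b3ce07713ef80e8acfe09374c13302999

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dsetup.dll

MD5 0a23038ea472ffc938366ef4099d6635
SHA1 6499d741776dc4a446c22ea11085842155b34176
SHA256 8f2c455c9271290dcde2f68589cf825f9134beecb7e8b7e2ecbcabeab792280a
SHA512 dcc1c2ea86fd3a7870cd0369fa42f63d493895c546dcdd492ee19079a0d0696d689bbfe7b686d4fa549841896a54e673fc4581b80783d7aa255dfad765b9dc88

\??\c:\df27a6ec0003ade1f916af3bb9962124\SetupEngine.dll

MD5 84c1daf5f30ff99895ecab3a55354bcf
SHA1 7e25ba36bcc7deed89f3c9568016ddb3156c9c5a
SHA256 7a0d281fa802d615ea1207bd2e9ebb98f3b74f9833bba3cb964ba7c7e0fb67fd
SHA512 e4fb7e4d39f094463fdcdc4895ab2ea500eb51a32b6909cec80a526bbf34d5c0eb98f47ee256c0f0865bf3169374937f047bf5c4d6762779c8ca3332b4103be3

memory/1604-97-0x00000000005A0000-0x00000000005A1000-memory.dmp
"""

DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
DIGEST_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+(\S+)$")


@dataclass
class FileRecord:
    path: str
    kind: str                                   # "file" or "memory" (sandbox memory dump)
    digests: Dict[str, str] = field(default_factory=dict)
    errors: List[str] = field(default_factory=list)


def normalise_path(raw: str) -> str:
    """Strip the NT object-manager prefix the sandbox sometimes records."""
    return raw[4:] if raw.startswith("\\??\\") else raw


def parse_files_section(text: str) -> List[FileRecord]:
    records: List[FileRecord] = []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        m = DIGEST_RE.match(line)
        if m:
            if not records:            # digest line before any path: nothing to attach it to
                continue
            algo, value = m.group(1), m.group(2).lower()
            rec = records[-1]
            if rec.kind != "file":
                rec.errors.append(f"{algo} digest attached to a {rec.kind} entry")
            elif len(value) != DIGEST_LEN[algo] or not re.fullmatch(r"[0-9a-f]+", value):
                rec.errors.append(f"malformed {algo}: {value!r}")
            elif algo in rec.digests:
                rec.errors.append(f"duplicate {algo}")
            else:
                rec.digests[algo] = value
            continue
        kind = "memory" if line.startswith("memory/") else "file"
        records.append(FileRecord(normalise_path(line), kind))
    return records


def digests_of(data: bytes) -> Dict[str, str]:
    return {
        "MD5": hashlib.md5(data).hexdigest(),
        "SHA1": hashlib.sha1(data).hexdigest(),
        "SHA256": hashlib.sha256(data).hexdigest(),
        "SHA512": hashlib.sha512(data).hexdigest(),
    }


def verify(record: FileRecord, data: bytes) -> bool:
    """True only when every digest the report lists for the record matches data."""
    if not record.digests:
        return False
    actual = digests_of(data)
    return all(actual[algo] == value for algo, value in record.digests.items())


def drop_location(path: str) -> str:
    p = path.lower()
    if "\\appdata\\local\\temp\\" in p or p.startswith("c:\\windows\\temp\\"):
        return "temp"
    if p.startswith(("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")):
        return "system"
    if p.startswith("c:\\windows\\"):
        return "windows"
    if re.match(r"^[a-z]:\\[0-9a-f]{32}\\", p):
        return "drive-root-hex"   # extraction folder used by the vcredist bootstrapper in behavioral4
    return "other"


def sha256_iocs(records: List[FileRecord]) -> Set[str]:
    return {r.digests["SHA256"] for r in records if "SHA256" in r.digests}


def summarize(records: List[FileRecord]) -> Dict[str, int]:
    """Count dropped files per location; memory dumps are not files on disk."""
    out: Dict[str, int] = {}
    for r in records:
        if r.kind == "file":
            loc = drop_location(r.path)
            out[loc] = out.get(loc, 0) + 1
    return out
```

verify() deliberately requires every listed digest to match rather than only SHA256, so a record whose MD5 or SHA1 was mistyped in a copied IOC list fails loudly instead of being silently accepted; when comparing against a vendor-published hash of dxwsetup.exe, do it on the SHA256 only.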

Analysis: behavioral4

Detonation Overview

Submitted

2024-04-04 13:32

Reported

2024-04-04 13:35

Platform

win10-20240221-en

Max time kernel

132s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Redist\vcredist_x86.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\df27a6ec0003ade1f916af3bb9962124\Setup.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\df27a6ec0003ade1f916af3bb9962124\Setup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz \??\c:\df27a6ec0003ade1f916af3bb9962124\Setup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Redist\vcredist_x86.exe

"C:\Users\Admin\AppData\Local\Temp\Redist\vcredist_x86.exe"

\??\c:\df27a6ec0003ade1f916af3bb9962124\Setup.exe

c:\df27a6ec0003ade1f916af3bb9962124\Setup.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 84.65.42.20.in-addr.arpa udp

Files

C:\df27a6ec0003ade1f916af3bb9962124\Setup.exe

MD5 006f8a615020a4a17f5e63801485df46
SHA1 78c82a80ebf9c8bf0c996dd8bc26087679f77fea
SHA256 d273460aa4d42f0b5764383e2ab852ab9af6fecb3ed866f1783869f2f155d8be
SHA512 c603ed6f3611eb7049a43a190ed223445a9f7bd5651100a825917198b50c70011e950fa968d3019439afa0a416752517b1c181ee9445e02da3904f4e4b73ce76

\??\c:\df27a6ec0003ade1f916af3bb9962124\SetupEngine.dll

MD5 84c1daf5f30ff99895ecab3a55354bcf
SHA1 7e25ba36bcc7deed89f3c9568016ddb3156c9c5a
SHA256 7a0d281fa802d615ea1207bd2e9ebb98f3b74f9833bba3cb964ba7c7e0fb67fd
SHA512 e4fb7e4d39f094463fdcdc4895ab2ea500eb51a32b6909cec80a526bbf34d5c0eb98f47ee256c0f0865bf3169374937f047bf5c4d6762779c8ca3332b4103be3

\df27a6ec0003ade1f916af3bb9962124\sqmapi.dll

MD5 3f0363b40376047eff6a9b97d633b750
SHA1 4eaf6650eca5ce931ee771181b04263c536a948b
SHA256 bd6395a58f55a8b1f4063e813ce7438f695b9b086bb965d8ac44e7a97d35a93c
SHA512 537be86e2f171e0b2b9f462ac7f62c4342beb5d00b68451228f28677d26a525014758672466ad15ed1fd073be38142dae478df67718908eae9e6266359e1f9e8

C:\Users\Admin\AppData\Local\Temp\HFI5E4D.tmp.html

MD5 cd131d41791a543cc6f6ed1ea5bd257c
SHA1 f42a2708a0b42a13530d26515274d1fcdbfe8490
SHA256 e139af8858fe90127095ac1c4685bcd849437ef0df7c416033554703f5d864bb
SHA512 a6ee9af8f8c2c7acd58dd3c42b8d70c55202b382ffc5a93772af7bf7d7740c1162bb6d38a4307b1802294a18eb52032d410e128072af7d4f9d54f415be020c9a

\??\c:\df27a6ec0003ade1f916af3bb9962124\UiInfo.xml

MD5 812f8d2e53f076366fa3a214bb4cf558
SHA1 35ae734cfb99bb139906b5f4e8efbf950762f6f0
SHA256 0d36a884a8381778bea71f5f9f0fc60cacadebd3f814679cb13414b8e7dbc283
SHA512 1dcc3ef8c390ca49fbcd50c02accd8cc5700db3594428e2129f79feb81e4cbbeef1b4a10628b2cd66edf31a69ed39ca2f4e252ad8aa13d2f793fca5b9a1eaf23

\??\c:\df27a6ec0003ade1f916af3bb9962124\ParameterInfo.xml

MD5 66590f13f4c9ba563a9180bdf25a5b80
SHA1 d6d9146faeec7824b8a09dd6978e5921cc151906
SHA256 bf787b8c697ce418f9d4c07260f56d1145ca70db1cc4b1321d37840837621e8f
SHA512 aba67c66c2f3d9b3c9d71d64511895f15f696be8be0eedd2d6908e1203c4b0cf318b366f9f3cd9c3b3b8c0770462f83e6eea73e304c43f88d0cbedf69e7c92b3

\??\c:\df27a6ec0003ade1f916af3bb9962124\1033\LocalizedData.xml

MD5 d642e322d1e8b739510ca540f8e779f9
SHA1 36279c76d9f34c09ebddc84fd33fcc7d4b9a896c
SHA256 5d90345ff74e177f6da8fb6459c1cfcac080e698215ca75feb130d0d1f2a76b9
SHA512 e1e16ae14bc7cc1608e1a08d3c92b6d0518b5fabd27f2c0eb514c87afc3d6192bf7a793a583afc65f1899f03dc419263b29174456e1ec9ab0f0110e0258e0f0d

\??\c:\df27a6ec0003ade1f916af3bb9962124\1028\LocalizedData.xml

MD5 7fc06a77d9aafca9fb19fafa0f919100
SHA1 e565740e7d582cd73f8d3b12de2f4579ff18bb41
SHA256 a27f809211ea1a2d5224cd01101aa3a59bf7853168e45de28a16ef7ed6acd46a
SHA512 466dcc6a5fb015be1619f5725fa62ca46eb0fb428e11f93fd9d82e5df61c3950b3fb62d4db7746cc4a2be199e5e69eaa30b6f3354e0017cfa14d127fad52f8cf

\??\c:\df27a6ec0003ade1f916af3bb9962124\1031\LocalizedData.xml

MD5 b83c3803712e61811c438f6e98790369
SHA1 61a0bc59388786ced045acd82621bee8578cae5a
SHA256 2aa6e8d402e44d9ee895b18195f46bf90259de1b6f44efd46a7075b110f2dcd6
SHA512 e020f93e3a082476087e690ad051f1feb210e0915924bb4548cc9f53a7ee2760211890eb6036ce9e5e4a311abc0300e89e25efbbb894c2a621ffbc9d64cc8a38

\??\c:\df27a6ec0003ade1f916af3bb9962124\1036\LocalizedData.xml

MD5 e382abc19294f779d2833287242e7bc6
SHA1 1ceae32d6b24a3832f9244f5791382865b668a72
SHA256 43f913ff28d677316f560a0f45221f35f27cfaf5fc5bd645974a82dca589edbf
SHA512 06054c8048cade36a3af54f9a07fd8fa5eb4f3228790996d2abea7ee1ee7eb563d46bd54ff97441f9610e778194082c44e66c5f566c9c50a042aba9eb9cae25e

\??\c:\df27a6ec0003ade1f916af3bb9962124\1040\LocalizedData.xml

MD5 0af948fe4142e34092f9dd47a4b8c275
SHA1 b3d6dd5c126280398d9055f90e2c2c26dbae4eaa
SHA256 c4c7c0ddaa6d6a3a1dc260e9c5a24bdfaa98c427c69e8a65427dd7cac0a4b248
SHA512 d97b5fe2553ca78a3019d53e33d2db80c9fa1cf1d8d2501d9ddf0576c7e6ea38dab754fe4712123abf34b97e10b18fb4bbd1c76d3dacb87b4682e501f93423d9

\??\c:\df27a6ec0003ade1f916af3bb9962124\1041\LocalizedData.xml

MD5 7fcfbc308b0c42dcbd8365ba62bada05
SHA1 18a0f0e89b36818c94de0ad795cc593d0e3e29a9
SHA256 01e7d24dd8e00b5c333e96d1bb83813e02e96f89aad0c2f28f84551d28abbbe2
SHA512 cd6f912a037e86d9e1982c73f0f8b3c4d5a9a6b5b108a7b89a46e6691e430a7cb55718de9a0c05650bb194c8d4a2e309ad6221d638cfca8e16aa5920881ba649

\??\c:\df27a6ec0003ade1f916af3bb9962124\1042\LocalizedData.xml

MD5 71dfd70ae141f1d5c1366cb661b354b2
SHA1 c4b22590e6f6dd5d39e5158b831ae217ce17a776
SHA256 cccda55294aeb4af166a8c0449bca2189ddf5aa9a43d5e939dd3803e61738331
SHA512 5000d62f3de41c3fb0ed8a8e9c37dbf4eb427c4f1e3ad3823d4716c6fe62250bac11b7987a302b8a45d91aabcf332457f7aff7d99f15edeffe540639e9440e8a

\??\c:\df27a6ec0003ade1f916af3bb9962124\1049\LocalizedData.xml

MD5 0eeb554d0b9f9fcdb22401e2532e9cd0
SHA1 08799520b72a1ef92ac5b94a33509d1eddf6caf8
SHA256 beef0631c17a4fb1ff0b625c50c6cb6c8ce90a1ae62c5e60e14bf3d915ad509c
SHA512 2180e46a5a2ea1f59c879b729806ca02a232c66660f29c338c1fa7fbee2afa4b13d8777d1f7b63cf831eb42f3e55282d70aa8e53f40616b8a6e4d695c36e313d

\??\c:\df27a6ec0003ade1f916af3bb9962124\2052\LocalizedData.xml

MD5 52b1dc12ce4153aa759fb3bbe04d01fc
SHA1 bf21f8591c473d1fce68a9faf1e5942f486f6eba
SHA256 d1735c8cfd8e10ba019d70818c19fa865e7c72f30ab6421a3748408f85fb96c3
SHA512 418903ae9a7baebf73d055e4774ff1917fbaab9ee7ed8c120c34bb10e7303f6dd7b7dae701596d4626387a30ae1b4d329a9af49b8718b360e2ff619c56c19623

\??\c:\df27a6ec0003ade1f916af3bb9962124\3082\LocalizedData.xml

MD5 5397a12d466d55d566b4209e0e4f92d3
SHA1 fcffd8961fb487995543fc173521fdf5df6e243b
SHA256 f124d318138ff084b6484deb354cca0f72296e1341bf01169792b3e060c89e89
SHA512 7708f5a2ad3e4c90c4c216600435af87a1557f60caf880a3dd9b5f482e17399af9f0b9de03ff1dbdd210583e0fec5b466e35794ac24d6d37f9bbc094e52fc77b

\??\c:\df27a6ec0003ade1f916af3bb9962124\SetupUi.dll

MD5 eb881e3dddc84b20bd92abcec444455f
SHA1 e2c32b1c86d4f70e39de65e9ebc4f361b24ff4a1
SHA256 11565d97287c01d22ad2e46c78d8a822fa3e6524561d4c02dfc87e8d346c44e7
SHA512 5750cec73b36a3f19bfb055f880f3b6498a7ae589017333f6272d26f1c72c6f475a3308826268a098372bbb096b43fbd1e06e93eecc0a81046668228bc179a75

\??\c:\df27a6ec0003ade1f916af3bb9962124\SetupUi.xsd

MD5 2fadd9e618eff8175f2a6e8b95c0cacc
SHA1 9ab1710a217d15b192188b19467932d947b0a4f8
SHA256 222211e8f512edf97d78bc93e1f271c922d5e91fa899e092b4a096776a704093
SHA512 a3a934a8572ff9208d38cf381649bd83de227c44b735489fd2a9dc5a636ead9bb62459c9460ee53f61f0587a494877cd3a3c2611997be563f3137f8236ffc4ca

\??\c:\df27a6ec0003ade1f916af3bb9962124\1033\SetupResources.dll

MD5 9547d24ac04b4d0d1dbf84f74f54faf7
SHA1 71af6001c931c3de7c98ddc337d89ab133fe48bb
SHA256 36d0159ed1a7d88000737e920375868765c0a1dd6f5a5acbb79cf7d97d9e7a34
SHA512 8b6048f4185a711567679e2de4789407077ce5bfe72102d3cb1f23051b8d3e6bfd5886c801d85b4e62f467dd12da1c79026a4bc20b17f54c693b2f24e499d40f

\??\c:\df27a6ec0003ade1f916af3bb9962124\Strings.xml

MD5 332adf643747297b9bfa9527eaefe084
SHA1 670f933d778eca39938a515a39106551185205e9
SHA256 e49545feeae22198728ad04236e31e02035af7cc4d68e10cbecffd08669cbeca
SHA512 bea95ce35c4c37b4b2e36cc1e81fc297cc4a8e17b93f10423a02b015ddb593064541b5eb7003560fbeee512ed52869a113a6fb439c1133af01f884a0db0344b0

memory/1604-97-0x00000000005A0000-0x00000000005A1000-memory.dmp

\??\c:\df27a6ec0003ade1f916af3bb9962124\graphics\setup.ico

MD5 3d25d679e0ff0b8c94273dcd8b07049d
SHA1 a517fc5e96bc68a02a44093673ee7e076ad57308
SHA256 288e9ad8f0201e45bc187839f15aca79d6b9f76a7d3c9274c80f5d4a4c219c0f
SHA512 3bde668004ca7e28390862d0ae9903c756c16255bdbb3f7e73a5b093ce6a57a3165d6797b0a643b254493149231aca7f7f03e0af15a0cbe28aff02f0071ec255

\??\c:\df27a6ec0003ade1f916af3bb9962124\graphics\stop.ico

MD5 5dfa8d3abcf4962d9ec41cfc7c0f75e3
SHA1 4196b0878c6c66b6fa260ab765a0e79f7aec0d24
SHA256 b499e1b21091b539d4906e45b6fdf490d5445256b72871aece2f5b2562c11793
SHA512 69a13d4348384f134ba93c9a846c6760b342e3a7a2e9df9c7062088105ac0b77b8a524f179efb1724c0ce168e01ba8bb46f2d6fae39cabe32cab9a34fc293e4a

\??\c:\df27a6ec0003ade1f916af3bb9962124\graphics\print.ico

MD5 7e55ddc6d611176e697d01c90a1212cf
SHA1 e2620da05b8e4e2360da579a7be32c1b225deb1b
SHA256 ff542e32330b123486797b410621e19eafb39df3997e14701afa4c22096520ed
SHA512 283d381aa396820b7e15768b20099d67688da1f6315ec9f7938c2fcc3167777502cded0d1beddf015a34cc4e5d045bcb665ffd28ba2fbb6faf50fdd38b31d16e

\??\c:\df27a6ec0003ade1f916af3bb9962124\graphics\save.ico

MD5 7d62e82d960a938c98da02b1d5201bd5
SHA1 194e96b0440bf8631887e5e9d3cc485f8e90fbf5
SHA256 ae041c8764f56fd89277b34982145d16fc59a4754d261c861b19371c3271c6e5
SHA512 ab06b2605f0c1f6b71ef69563c0c977d06c6ea84d58ef7f2baecba566d6037d1458c2b58e6bfd70ddef47dccbdea6d9c2f2e46dea67ea9e92457f754d7042f67

memory/1604-102-0x00000000005A0000-0x00000000005A1000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-04-04 13:32

Reported

2024-04-04 13:35

Platform

win10-20240221-en

Max time kernel

149s

Max time network

143s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\small-games.info.url
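
Added example, not part of the sandbox output: every rundll32.exe invocation this report records uses an export of a Microsoft DLL as its payload, which is why the "Adds Run key to start application" hit in behavioral3 needs reading before it is filed as malicious persistence. The RunOnce value wextract_cleanup0 is the cleanup hook a WEXTRACT/IExpress self-extractor writes for its own IXP000.TMP folder (advpack.dll,DelNodeRunDLL32 deletes the folder passed to it); shell32.dll,SHCreateLocalServerRunDll with -Embedding, in the process list just before behavioral3, is DCOM activation of a COM local server; ieframe.dll,OpenURL here opens the dropped small-games.info.url in the default browser. The Python below parses the report's "Set value" indicator line (undoing its \\ and \" escaping), tokenizes the command lines, splits the DLL, export and arguments the way rundll32 does, and returns a verdict per call, flagging a DelNodeRunDLL32 aimed outside an IXP temp folder or a DLL loaded from a user-writable path. The three inputs are copied from the report; SYSTEM_DIRS, USER_WRITABLE, KNOWN_EXPORTS, the verdict labels and all function names are this example's own.

```python
"""Triage the rundll32.exe command lines recorded in this report.

Added example, not part of the sandbox output. The three inputs are copied
from the report; the allow-list, verdict labels and function names are this
example's own choices.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Copied from the report: COM surrogate (process list before behavioral3),
# RunOnce cleanup hook (behavioral3 "Adds Run key"), browser launch (behavioral8).
COM_SURROGATE_CMD = (
    r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,"
    r"SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding"
)
RUNONCE_LINE = (
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows'
    r'\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe '
    r'C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 '
    r'\"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" '
    r'C:\Users\Admin\AppData\Local\Temp\Redist\dxwebsetup.exe N/A'
)
OPENURL_CMD = (
    r'"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL '
    r'C:\Users\Admin\AppData\Local\Temp\small-games.info.url'
)

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
# (dll name, export) pairs seen in this report and what they normally do.
KNOWN_EXPORTS = {
    ("advpack.dll", "delnoderundll32"): "WEXTRACT/IExpress cleanup: deletes the folder given as argument",
    ("shell32.dll", "shcreatelocalserverrundll"): "COM local-server surrogate started by DCOM (-Embedding)",
    ("ieframe.dll", "openurl"): "opens the given .url/.html in the default browser",
}
IXP_TEMP_RE = re.compile(r"(?i).*\\temp\\ixp\d{3}\.tmp\\?")
SET_VALUE_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\[^=]*?) = '
    r'"(?P<data>(?:[^"\\]|\\.)*)"(?: (?P<proc>\S+))?(?: (?P<target>\S+))?$'
)


@dataclass
class Rundll32Call:
    dll_path: str
    dll_name: str
    export: str
    args: List[str]
    dll_in_system_dir: bool
    verdict: str          # "expected", "review" or "suspicious"
    note: str


def split_windows_cmdline(cmd: str) -> List[str]:
    """Minimal Windows tokenizer: whitespace separates, double quotes group."""
    argv, cur, quoted = [], [], False
    for ch in cmd:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                argv.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        argv.append("".join(cur))
    return argv


def parse_set_value(line: str) -> Optional[dict]:
    """Parse a 'Set value (...)' indicator line as the report renders it."""
    m = SET_VALUE_RE.match(line.strip())
    if not m:
        return None
    key, _, value_name = m["key"].rpartition("\\")
    low = key.lower()
    autostart = "RunOnce" if low.endswith("\\runonce") else "Run" if low.endswith("\\run") else None
    return {
        "type": m["type"], "key": key, "value_name": value_name,
        "autostart": autostart,
        "wow64": "\\wow6432node\\" in low,            # written by a 32-bit process
        "data": re.sub(r"\\(.)", r"\1", m["data"]),    # undo the report's \\ and \" escaping
        "process": m["proc"], "target": m["target"],
    }


def triage_rundll32(cmdline: str) -> Optional[Rundll32Call]:
    argv = split_windows_cmdline(cmdline)
    if len(argv) < 2 or not argv[0].lower().endswith("rundll32.exe"):
        return None
    dll_path, _, export = argv[1].partition(",")    # rundll32 syntax: <dll>,<export> [args]
    dll_name = dll_path.rsplit("\\", 1)[-1].lower()
    low = dll_path.lower()
    args = argv[2:]
    key = (dll_name, export.lower())
    in_system = low.startswith(SYSTEM_DIRS)
    if "\\" not in dll_path:
        verdict, note = "review", "DLL given by bare name; confirm which copy the loader resolved"
    elif any(marker in low for marker in USER_WRITABLE):
        verdict, note = "suspicious", "DLL loaded from a user-writable path"
    elif key not in KNOWN_EXPORTS:
        verdict, note = "suspicious", f"{dll_name},{export} is not on the allow-list"
    elif key == ("advpack.dll", "delnoderundll32"):
        target = args[0] if args else ""
        if IXP_TEMP_RE.fullmatch(target):
            verdict, note = "expected", KNOWN_EXPORTS[key]
        else:
            verdict, note = "suspicious", f"DelNodeRunDLL32 aimed outside an IXP temp folder: {target!r}"
    elif key == ("ieframe.dll", "openurl"):
        verdict, note = "review", KNOWN_EXPORTS[key] + "; inspect the .url target"
    else:
        verdict, note = "expected", KNOWN_EXPORTS[key]
    return Rundll32Call(dll_path, dll_name, export, args, in_system, verdict, note)
```

The allow-list is deliberately keyed on (DLL name, export) rather than on rundll32.exe alone: the host binary is the same in all three cases, and only the DLL path and export separate a stock installer cleanup from a proxy-execution payload.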

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1990815831-2007029909-3877453929-1000\Control Panel\International\Geo\Nation C:\Windows\System32\rundll32.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
File opened for modification C:\Windows\Debug\ESE.TXT C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1990815831-2007029909-3877453929-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\system32\browser_broker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1990815831-2007029909-3877453929-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1990815831-2007029909-3877453929-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "395205405" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1990815831-2007029909-3877453929-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content\CacheLimit = "256000" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1990815831-2007029909-3877453929-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "494" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1990815831-2007029909-3877453929-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1990815831-2007029909-3877453929-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\small-games.info\Total = "116" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1990815831-2007029909-3877453929-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CacheLimit = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1990815831-2007029909-3877453929-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CacheLimit = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1990815831-2007029909-3877453929-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1990815831-2007029909-3877453929-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1990815831-2007029909-3877453929-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\vk.com\ = "340" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1990815831-2007029909-3877453929-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\small-games.info\NumberOfSub = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1990815831-2007029909-3877453929-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\Total C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1990815831-2007029909-3877453929-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\small-games.info\Total = "39" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1990815831-2007029909-3877453929-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "842" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1990815831-2007029909-3877453929-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1990815831-2007029909-3877453929-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1990815831-2007029909-3877453929-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$vBulletin 4 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1990815831-2007029909-3877453929-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1990815831-2007029909-3877453929-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\NextUpdateDate = "419019173" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1990815831-2007029909-3877453929-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CacheLimit = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1990815831-2007029909-3877453929-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1990815831-2007029909-3877453929-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\small-games.info\NumberOfSub = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1990815831-2007029909-3877453929-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 90e5a3b39486da01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1990815831-2007029909-3877453929-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus\CIPolicyState = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1990815831-2007029909-3877453929-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$http://www.typepad.com/ C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1990815831-2007029909-3877453929-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1990815831-2007029909-3877453929-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\small-games.info\ = "39" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1990815831-2007029909-3877453929-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DomStorageState C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1990815831-2007029909-3877453929-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "395205405" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1990815831-2007029909-3877453929-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$blogger C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1990815831-2007029909-3877453929-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1990815831-2007029909-3877453929-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1990815831-2007029909-3877453929-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1990815831-2007029909-3877453929-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DomStorageState\EdpCleanupState = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1990815831-2007029909-3877453929-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\small-games.info\Total = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1990815831-2007029909-3877453929-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\vk.com\Total = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1990815831-2007029909-3877453929-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1990815831-2007029909-3877453929-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1990815831-2007029909-3877453929-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1990815831-2007029909-3877453929-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CacheLimit = "256000" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1990815831-2007029909-3877453929-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\ C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1990815831-2007029909-3877453929-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1990815831-2007029909-3877453929-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\small-games.info\Total = "87" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 648 wrote to memory of 2584 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\small-games.info.url

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca

C:\Windows\system32\browser_broker.exe

C:\Windows\system32\browser_broker.exe -Embedding

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

Network


Files
