Malware Analysis Report

2025-01-02 07:36

Sample ID 240509-3qpn5adh6t
Target CrimsonSetup.exe
SHA256 4849941ec88092a451d69a63a755e6993d739268fee0c92061a6bc95ba7a6483
Tags privateloader spyware stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1 (Detonation Overview, Signatures)

Analysis: behavioral3, behavioral5, behavioral8, behavioral2, behavioral1, behavioral4, behavioral6, behavioral7, behavioral9, behavioral10, behavioral11, behavioral13, behavioral12 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score 10/10

SHA256 4849941ec88092a451d69a63a755e6993d739268fee0c92061a6bc95ba7a6483

Threat Level: Known bad

The file CrimsonSetup.exe was found to be: Known bad.

Malicious Activity Summary

privateloader spyware stealer

Privateloader family

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

Drops file in Windows directory

Enumerates physical storage devices

Program crash

Unsigned PE

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

Enumerates processes with tasklist

Modifies registry class

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-09 23:45

Signatures

Privateloader family

privateloader

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-09 23:43

Reported

2024-05-10 00:43

Platform

win10-20240404-en

Max time kernel

315s

Max time network

1588s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2184 wrote to memory of 1636 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2184 wrote to memory of 1636 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2184 wrote to memory of 1636 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 628

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.191.110.104.in-addr.arpa udp
US 8.8.8.8:53 76.234.34.23.in-addr.arpa udp
US 52.111.227.14:443 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 26.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-09 23:43

Reported

2024-05-10 00:43

Platform

win10-20240404-en

Max time kernel

1800s

Max time network

1605s

Command Line

"C:\Windows\system32\LaunchWinApp.exe" "C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html"

Signatures

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rescache\_merged\3720402701\1568373884.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
File opened for modification C:\Windows\Debug\ESE.TXT C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
File created C:\Windows\rescache\_merged\3720402701\1568373884.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\rescache\_merged\3720402701\1568373884.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\system32\browser_broker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Extensible Cache C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Explorer C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\NextPromptBuild = "15063" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{F80A17D9-57CE-4D41-8D22-63C06AB6B5D5} = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CacheLimit = "256000" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 90ac43f06ea2da01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$Discuz! C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History\CacheLimit = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListFirstRun = "3" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\MrtCache C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B7216 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData\RulesFileNextUpdateDate = "421462133" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\ACGPolicyState = "8" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 90ac43f06ea2da01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CacheLimit = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = fcd963ec6ea2da01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DisallowDefaultBrowserPrompt = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 738d36ec6ea2da01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$Telligent C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 1ba049ec6ea2da01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A

Processes

C:\Windows\system32\LaunchWinApp.exe

"C:\Windows\system32\LaunchWinApp.exe" "C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html"

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca

C:\Windows\system32\browser_broker.exe

C:\Windows\system32\browser_broker.exe -Embedding

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

Network

Country Destination Domain Proto
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
BE 88.221.83.201:443 www.bing.com tcp
BE 88.221.83.201:443 www.bing.com tcp
US 8.8.8.8:53 76.234.34.23.in-addr.arpa udp
US 8.8.8.8:53 181.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 201.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 23.173.189.20.in-addr.arpa udp

Files

memory/1308-16-0x000001CBAAD20000-0x000001CBAAD30000-memory.dmp

memory/1308-0-0x000001CBAAC20000-0x000001CBAAC30000-memory.dmp

memory/1308-35-0x000001CBA80B0000-0x000001CBA80B2000-memory.dmp

memory/2184-45-0x000001CB63A00000-0x000001CB63B00000-memory.dmp

memory/2360-50-0x000001B23A200000-0x000001B23A300000-memory.dmp

memory/2360-58-0x000001B24B090000-0x000001B24B190000-memory.dmp

memory/2360-60-0x000001B24A740000-0x000001B24A840000-memory.dmp

memory/2360-72-0x000001B24B300000-0x000001B24B400000-memory.dmp

memory/2360-69-0x000001B24A740000-0x000001B24A840000-memory.dmp

memory/2360-68-0x000001B24A740000-0x000001B24A840000-memory.dmp

memory/2360-66-0x000001B24A740000-0x000001B24A840000-memory.dmp

memory/2360-65-0x000001B24A740000-0x000001B24A840000-memory.dmp

memory/2360-64-0x000001B24A740000-0x000001B24A840000-memory.dmp

memory/2360-63-0x000001B24A740000-0x000001B24A840000-memory.dmp

memory/2360-62-0x000001B24A740000-0x000001B24A840000-memory.dmp

memory/2360-61-0x000001B24A740000-0x000001B24A840000-memory.dmp

memory/2360-59-0x000001B24B090000-0x000001B24B190000-memory.dmp

memory/2360-67-0x000001B24A740000-0x000001B24A840000-memory.dmp

memory/2360-57-0x000001B24B090000-0x000001B24B190000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OHP8MVFQ\edgecompatviewlist[1].xml

MD5 d4fc49dc14f63895d997fa4940f24378
SHA1 3efb1437a7c5e46034147cbbc8db017c69d02c31
SHA256 853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1
SHA512 cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\AKM4261H\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-09 23:43

Reported

2024-05-10 00:45

Platform

win10-20240404-en

Max time kernel

865s

Max time network

1600s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 16.173.189.20.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 76.234.34.23.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 23:43

Reported

2024-05-10 00:43

Platform

win10-20240404-en

Max time kernel

314s

Max time network

1598s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4124 wrote to memory of 4044 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 636

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 143.191.110.104.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 123.10.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 23:43

Reported

2024-05-10 00:42

Platform

win10-20240404-en

Max time kernel

1800s

Max time network

1792s

Command Line

"C:\Users\Admin\AppData\Local\Temp\CrimsonSetup.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Users\Admin\AppData\Local\Temp\2gCcpQQmY15DtthEITC9TR04BGs\Installer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz C:\Users\Admin\AppData\Local\Temp\2gCcpQQmY15DtthEITC9TR04BGs\Installer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\2gCcpQQmY15DtthEITC9TR04BGs\Installer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 C:\Users\Admin\AppData\Local\Temp\2gCcpQQmY15DtthEITC9TR04BGs\Installer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\2gCcpQQmY15DtthEITC9TR04BGs\Installer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\Temp\2gCcpQQmY15DtthEITC9TR04BGs\Installer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\2gCcpQQmY15DtthEITC9TR04BGs\Installer.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CrimsonSetup.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2gCcpQQmY15DtthEITC9TR04BGs\Installer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2gCcpQQmY15DtthEITC9TR04BGs\Installer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 60 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\CrimsonSetup.exe C:\Users\Admin\AppData\Local\Temp\2gCcpQQmY15DtthEITC9TR04BGs\Installer.exe
PID 3472 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\2gCcpQQmY15DtthEITC9TR04BGs\Installer.exe C:\Windows\system32\cmd.exe
PID 1712 wrote to memory of 32 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 3472 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\2gCcpQQmY15DtthEITC9TR04BGs\Installer.exe C:\Users\Admin\AppData\Local\Temp\2gCcpQQmY15DtthEITC9TR04BGs\Installer.exe
PID 3472 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\2gCcpQQmY15DtthEITC9TR04BGs\Installer.exe C:\Users\Admin\AppData\Local\Temp\2gCcpQQmY15DtthEITC9TR04BGs\Installer.exe
PID 3472 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\2gCcpQQmY15DtthEITC9TR04BGs\Installer.exe C:\Users\Admin\AppData\Local\Temp\2gCcpQQmY15DtthEITC9TR04BGs\Installer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\CrimsonSetup.exe

"C:\Users\Admin\AppData\Local\Temp\CrimsonSetup.exe"

C:\Users\Admin\AppData\Local\Temp\2gCcpQQmY15DtthEITC9TR04BGs\Installer.exe

C:\Users\Admin\AppData\Local\Temp\2gCcpQQmY15DtthEITC9TR04BGs\Installer.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Users\Admin\AppData\Local\Temp\2gCcpQQmY15DtthEITC9TR04BGs\Installer.exe

"C:\Users\Admin\AppData\Local\Temp\2gCcpQQmY15DtthEITC9TR04BGs\Installer.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\game" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1844 --field-trial-handle=1848,i,3813452661573221480,11197652481155484402,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Users\Admin\AppData\Local\Temp\2gCcpQQmY15DtthEITC9TR04BGs\Installer.exe

"C:\Users\Admin\AppData\Local\Temp\2gCcpQQmY15DtthEITC9TR04BGs\Installer.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\game" --mojo-platform-channel-handle=2176 --field-trial-handle=1848,i,3813452661573221480,11197652481155484402,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8

C:\Users\Admin\AppData\Local\Temp\2gCcpQQmY15DtthEITC9TR04BGs\Installer.exe

"C:\Users\Admin\AppData\Local\Temp\2gCcpQQmY15DtthEITC9TR04BGs\Installer.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --user-data-dir="C:\Users\Admin\AppData\Roaming\game" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2408 --field-trial-handle=1848,i,3813452661573221480,11197652481155484402,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 wavebysudryez.fr udp
US 104.21.85.98:443 wavebysudryez.fr tcp
US 8.8.8.8:53 98.85.21.104.in-addr.arpa udp
US 8.8.8.8:53 www.spotify.com udp
US 35.186.224.25:443 www.spotify.com tcp
US 8.8.8.8:53 www.myexternalip.com udp
US 34.117.118.44:443 www.myexternalip.com tcp
US 8.8.8.8:53 25.224.186.35.in-addr.arpa udp
US 8.8.8.8:53 44.118.117.34.in-addr.arpa udp
US 8.8.8.8:53 dns.google udp
US 8.8.4.4:443 dns.google tcp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp

Files

\Users\Admin\AppData\Local\Temp\nsx730E.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

\Users\Admin\AppData\Local\Temp\nsx730E.tmp\nsis7z.dll

MD5 80e44ce4895304c6a3a831310fbf8cd0
SHA1 36bd49ae21c460be5753a904b4501f1abca53508
SHA256 b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592
SHA512 c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

C:\Users\Admin\AppData\Local\Temp\2gCcpQQmY15DtthEITC9TR04BGs\chrome_100_percent.pak

MD5 e4cbb48c438622a4298c7bdd75cc04f6
SHA1 6f756d31ef95fd745ba0e9c22aadb506f3a78471
SHA256 24d92bbeb63d06b01010fe230c1e3a31e667a159be7e570a8efe68f83ed9ad40
SHA512 8d3ea1b5ca74c20a336eaa29630fd76ecd32f5a56bb66e8cef2bce0fa19024ea917562fd31365081f7027dde9c8464742b833d08c8f41fdddc5bd1a74b9bc766

C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\chrome_200_percent.pak

MD5 99b95d59d6817b46e9572e3354c97317
SHA1 6809db4ca8e10edd316261a3490d5fc657372c12
SHA256 55d873a9f3ac69bbf6eb6940443df8331ebd7aa57138681d615f3b89902447e7
SHA512 3071cfeb74d5058c4b7c01bfe3c6717d9bb426f3354c4d8a35bd3e16e15cde2f2c48238cb6382b0703b1cc257d87fcecfb84fbf4f597f58e64463ceede4366dd

C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\ffmpeg.dll

MD5 98b4dac376d5980313bc7cddc38e5168
SHA1 940306c8f1ca9946d987be2bcb586c85b0d61999
SHA256 5795634e5f03fa1375b8a7e9655966beadbbe8681afd3c6996aa0f47959d053b
SHA512 234f9311fa92b5d250f970f59d837edd0373dffc8c5b44dc7a96a07b6e1b386264e3c84d7259fed9df1491d17113685c6039695f2edea3c931bc9a9f227c4f7f

C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\d3dcompiler_47.dll

MD5 2191e768cc2e19009dad20dc999135a3
SHA1 f49a46ba0e954e657aaed1c9019a53d194272b6a
SHA256 7353f25dc5cf84d09894e3e0461cef0e56799adbc617fce37620ca67240b547d
SHA512 5adcb00162f284c16ec78016d301fc11559dd0a781ffbeff822db22efbed168b11d7e5586ea82388e9503b0c7d3740cf2a08e243877f5319202491c8a641c970

C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\icudtl.dat

MD5 62880b7d351a9f547b62b8da6c97ce25
SHA1 057f11003013cfb3f1c63e6bdd4f2f9949ff0104
SHA256 7c40c811d30d459dbf04a04c141b60eb4247cd58a008fb836605317df665748f
SHA512 0d6f83175a91d90f4cc3ec4d9071b7acd0cd8ebbcc592322e46fde2adb7198e035af62c45a11a622f2a908e26d4dd8b8d1af023e634a74d0824d02c791ba3c1a

C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\LICENSE.electron.txt

MD5 4d42118d35941e0f664dddbd83f633c5
SHA1 2b21ec5f20fe961d15f2b58efb1368e66d202e5c
SHA256 5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d
SHA512 3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63

C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\libGLESv2.dll

MD5 6907ce4456aaf2282780b6f560cf7ef4
SHA1 ce54371fd09c7858ccea9f449cb60fd3f5ff5196
SHA256 555de6cbde1f9ace738c6e8b7edf35b96fc55045f09c175d6fec4bcfba206af3
SHA512 0d28296201da2eda73c36f813382255ad8b54757b907693564aa176e420f3a8072078cf31862679ec9a679e378721820ae1fb5b3bb2553d5c0244205199d97ab

C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\libEGL.dll

MD5 352e1ef0483c2492c5f0bf695e2ebfa7
SHA1 41be96d978e45cd0594538fe1c2faa11d6456b14
SHA256 436361c2668a445f23c7782539f5b7fd2a33beed438009d26d372e0b639f25fc
SHA512 03880cddf3810425171d0392c914e3f050c04275ea9b881890dff5c4a35f443765521a5c075d6b0a09a6c467f8b2e050889341d2e13c34908b74072599ba938c

C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\resources.pak

MD5 4f1e4a359a66a46eb55313e04090e102
SHA1 e3f971830be08bf10638ec136e7b9a7990abe4d2
SHA256 50dfd64b881b8ff256c7fc4d3743389e6e2f95cf6da453629557812ddc0f7004
SHA512 7762848e8404dacce11a83195ab4e8d1cf391d9916f27e165ee257a6ba7d6a73fc12c855be74c734eacc897cf64655b949557ea12275f3d488cc3680d7fb5e7e

C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\LICENSES.chromium.html

MD5 e400cd908b8fb7c13985e2f5cc7a7044
SHA1 bbafebdf5b067a7d7da130025851eaa52ec3c9d7
SHA256 ee3b1ab8794c749673ce9bd2dd302f12d69f0a1a4adfe40a64247746cc311829
SHA512 e7ca440f0e042d7fcfa99367426bf19899a2b227c6d7b6e2c25d4f1a40113250f21ebeaaf91067d8569dfbad1415d4fe3e5626d7254722f2778497fcb22e5d6e

C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\v8_context_snapshot.bin

MD5 264e3b574e4f86b1fc47b2427402e779
SHA1 4a4f9e7c3da262713e4cf7af6ac51822c56b5ef3
SHA256 ed559c6e81b6003b2057e5c1b0bdb5b28ca094b895ca86c69fe11c5c9e014f06
SHA512 144365d0fb83576aaa02ea6ecea51d7ba2cacb044eea568a08f65b98a83d3e7d7e693738e065e22f94bfd1165d0ea93a749dd1325d829257a9bb6607a9a927db

C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\snapshot_blob.bin

MD5 40a3c2200e4126e8c47a7802532c9236
SHA1 212a4686dea5a467b7b6fa54397e42122b235f1e
SHA256 94aa518fc892ee9a0f1eb5fe35b60123ee61a5f848864b00519b96d8d5d9786d
SHA512 fa1a943822abe3737587d520654078117cae86c58fefe6dd6a09f4a08c09293e9547a0ad79c52f8638dfbb1c496df3d0e828ce414176c8fbb77113be41212866

C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\vk_swiftshader_icd.json

MD5 8642dd3a87e2de6e991fae08458e302b
SHA1 9c06735c31cec00600fd763a92f8112d085bd12a
SHA256 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9
SHA512 f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\vulkan-1.dll

MD5 5e162bcda79c966d63a15e49c8bf8c13
SHA1 2f2c77e120b66a34648c22fa23d525b1ead0df67
SHA256 25d6b4ef0a74f1a04476dc2944def16d4ca2b015277add2ebcfbc1c3df13793c
SHA512 10a89f1618b9aa96fd524f92b29506045cac8f00ee846e950591d59f6fb49a79268044424e2497e3c75815c140a458c9fb27e781a2fe1949f5eed408abe3326d

C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\vk_swiftshader.dll

MD5 f47f162198eb9a87c9cdb957523be637
SHA1 10634fb95a514b1729a00a03cd7dc88b95d83f9f
SHA256 3bd00334be2469806d3f286eb4599d897cf0fba9cf3f3c2b65ad2d2041561159
SHA512 816132e0071ba56a297f7bab51a6a3b58be3a0b51e2f4c425ac5a8ef2adfb650c5886ba80e5690a3c338f4863eabb72bf9194b7003db245fe268c5e6c0792c62

C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\locales\af.pak

MD5 d16ef573959cf5cf0a6eea20136b9c0b
SHA1 e3384ae3ee92e1dae47a48e45589372e940aab33
SHA256 73a8401e6dc17c4daf86b42c65b81359348f7e6b4d62d8637138e747bb3ff0ae
SHA512 064c2912f766f10ec042adf82709ac9582cb8430e3550690fc17343c380dcbabadc0084e08aa5f3eb6faf79a652d26e1fe2606625a180b7f47808df07a566933

C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\locales\ca.pak

MD5 a0b45b122241cf0c11a081eefb9cb4c6
SHA1 91fd660a4688aaa70fee42e783b8b1863b4d11d7
SHA256 7d911cda51564500dd7a6de43a1e347869427c035b15fa25cad0526be9e055b1
SHA512 abcb3bcb96934189cdfd52528cd7c65ea870c9b997bf6349599b7064fe6f4bef0d34809f0f958e4d4e46486e7c0a41f86b5ed0a132bbf20743d41f3af64788b4

C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\locales\bn.pak

MD5 ff4f966849b4107535e41d037d9144c7
SHA1 3a973857b061914e8905bda7e8f2bdafa384588e
SHA256 2dc26dee345271f4606650912b0b7b5df68f621f2920864e0e36c1d1b22459b1
SHA512 98772f266f9553f77f91b11dc4589ec8a0930554e9e0b381bbacd8d23ce794c04f6fe821388a6e87cb14cb59c7522c18c06b1af11fc177c7e40ef71242adcba7

C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\locales\bg.pak

MD5 01dfb1a7815613fa0a5411235f45b27b
SHA1 3bf1ea5597ac77b26bd30caa1efea7cb4f7a1b19
SHA256 13d08d2c4972cd18bb8ea8a57587dad29684c2336f73282dd3284b0649377cf8
SHA512 5d8a65e5a17aa163fb679e003e1837ea96e515b105c9977029a5ca4854845289de5d65c0edfd473cb74410c5cacdb5b360f25a69776705fb05f48688d92680da

C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\locales\ar.pak

MD5 14b15761cb9d4e1956812df8b42c2aea
SHA1 7c25580d892711b9eff1a3ace4e6699ea64e0706
SHA256 c8d405127b032587e6ae6426a35cb766139bae26170ca08d811354486ab667f8
SHA512 ec9a6e6e715c817726ad744fadca4d1af3015d95421774ccfe54d616225b7a17e862e086fe0aebb3a903d2ebfb27779cffcd713d3042ecdf9761c24c5a56cdcf

C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\locales\am.pak

MD5 39a396fce4d93f744b3c786d62d2686c
SHA1 7ec8176e652b666b6ab9fffb6cb9b7dcfdd1a2a2
SHA256 0b1d326be9dabcda8e37740017383f2d8f1bec7a8fdb1f11ebe538c3632453fd
SHA512 798063b51f745fc2c9e7f852f72ce55939ed41305d070d1844c790755f7ab42a6830406ba2485237d37a0c46b804512e7dc37c65b7f03249c28741a4f706017a

C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\locales\cs.pak

MD5 1101c784521a550b0561b363722086de
SHA1 838f2bfe3432b87b950a2ec5d9862d2f58fde3e5
SHA256 cc6ff937d1c9fec4634db4e2f6c0718d2606fe2d5d25addf1314e110c5b78772
SHA512 eca3ce2075d3c920116c9e34957631e0617a869467bb76b09873ae96f7803f20032a6dd0a0f785f9e59dcfce3a4ccecdab2d445a860bee20d42e140b45e74089

C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\locales\es.pak

MD5 29cbdcc2168f1bb29532122c39e67a1a
SHA1 f086c79d60daf2b0a7df91916387efa461795dcb
SHA256 232f41ab5996c917687276e82c177de208b36e77aa834bb5d94d6a331f4180fe
SHA512 b603edf2a18f5893ab482b0c34e4126f824fbdd1b669927d7bc30d68e2e5bdf78d7d4b2aabdbe257987e8e19f440d9396a3683340b94c3fd844c70e34e93d8a8

C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\locales\es-419.pak

MD5 c8f488b85c17431360e531aa507be979
SHA1 bea5d66bdcc05869a0389e051a9217fd49e48fcd
SHA256 536339d99dee6e8c01f018d4700ddd92ce063f765766a48073aeb256669680c1
SHA512 1d7f9f84a8d7c055bf705c71efaea817f1b9dedd5ba314fec6ce5324f578d3130b5541bb52fa55db9f6e46efa8e152d50199a61c7e2466844a4414df65d61c22

C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\locales\en-US.pak

MD5 c9c2abcb04e1ad5f1a20244da8d595a8
SHA1 89ca81da21900074a5ccdcdc852768277b2b620b
SHA256 0364c73f320e441b03cb2afcaaca3ffbfac51a3559dcd0ff99a1accf82c7f762
SHA512 96bbf21174f56a111a2fc6ec024ab2f143945306797e77d773367a7fad42b7828ebb7b08d0dab76858d9fa340bf3205be403bc53df9e5e4e390058c94a751ffd

C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\locales\en-GB.pak

MD5 745918a5a74c7b6f4818a8bb8813f456
SHA1 031f50286d003844425ddac557e13e2ea4554bc2
SHA256 91bdbf5f1f6bcbcaf16e47865f72ec97d72c74174fb929f089d14c00989f91f4
SHA512 5a1eb0231352705bab527ab27543612d75cb00c522620828ce2a0fdb0b47be9daa2dd7a192f8b4bf299007c5af1d9515f900b9586ba44dd2bd9f4cd4436aa681

C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\locales\el.pak

MD5 2b391b2b35f7e096f696faf5dc093366
SHA1 1409134a46fcb84457a0e332edde98f7666246bd
SHA256 f1fe39af50f4bfe9edcea3af6c132e87d464d7277fb491ed95d7189b3157d20d
SHA512 aa640ca41dc9d4f60392b61bbead215345abd32369b0de90ed1d7ca2ff7a838d04689d538789a1adc0324fe4539c34db26b6c245155e51fb0308af13b60bfdae

C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\locales\de.pak

MD5 7ccdc41a3dbdf89058d71629225664ae
SHA1 e15c35b18685d9573349ff4247733b5f5ada8717
SHA256 163ea4c2cf67edd0526a8e18d3810872e92a1d4e17b5cf4f04107fda5967b0c9
SHA512 13b20b0db02a0a7480c56c79304ef594353507e1a30da0130b73aa8e9ec7636f306315a6f40729b10dc725f936642d2e2b282ed3040a079a6f25a7f9f7f1ae28

C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\locales\da.pak

MD5 5b033c206820ace5eb4c6f82aed34a5d
SHA1 28017cfc13259273022059f02564ffc99dcd75a4
SHA256 1a51de04cb205c708520f1b013447f1a89f0b1330dbce6d1e71cf355319d1108
SHA512 e423069f7a895179ea17be5774284e9e2e27f02c40bac7d7211cab77348800622796f04c3e6618905364e189ca5ec772ed7dbd285872777d163d3ebec08a64d4

C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\locales\hi.pak

C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\locales\he.pak

C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\locales\gu.pak

C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\locales\fr.pak

C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\locales\fil.pak

C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\locales\fi.pak

C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\locales\fa.pak

C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\locales\et.pak

C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\locales\kn.pak

C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\locales\ja.pak

C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\locales\it.pak

C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\locales\id.pak

C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\locales\hu.pak

C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\locales\hr.pak

C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\locales\lv.pak

C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\locales\ms.pak

C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\locales\nb.pak

C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\locales\mr.pak

C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\locales\ml.pak

C:\Users\Admin\AppData\Local\Temp\2gCcpQQmY15DtthEITC9TR04BGs\locales\lt.pak

C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\locales\ko.pak

C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\locales\ta.pak

C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\locales\sw.pak

C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\locales\th.pak

C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\locales\te.pak

C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\locales\sv.pak

C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\locales\sr.pak

C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\locales\sl.pak

C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\locales\sk.pak

C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\locales\ru.pak

C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\locales\ro.pak

C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\locales\pt-PT.pak

C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\locales\pt-BR.pak

C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\locales\pl.pak

C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\locales\nl.pak

C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\locales\zh-TW.pak

C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\locales\zh-CN.pak

C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\locales\vi.pak

C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\locales\ur.pak

C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\locales\uk.pak

C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\locales\tr.pak

\Users\Admin\AppData\Local\Temp\nsx730E.tmp\StdUtils.dll

C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\resources\elevate.exe

C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\resources\app.asar

\Users\Admin\AppData\Local\Temp\1a09d8db-c2eb-48d0-9936-76d90ac5570d.tmp.node

\Users\Admin\AppData\Local\Temp\690034fd-e829-4a9b-9758-c02f8d94b47c.tmp.node

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-09 23:43

Reported

2024-05-10 00:43

Platform

win10-20240404-en

Max time kernel

1800s

Max time network

1788s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Installer.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Installer.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\Installer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 C:\Users\Admin\AppData\Local\Temp\Installer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\Installer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\Temp\Installer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\Installer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Users\Admin\AppData\Local\Temp\Installer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz C:\Users\Admin\AppData\Local\Temp\Installer.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Installer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Installer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Installer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2444 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\Installer.exe C:\Windows\system32\cmd.exe
PID 768 wrote to memory of 1272 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2444 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\Installer.exe C:\Users\Admin\AppData\Local\Temp\Installer.exe
PID 2444 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\Installer.exe C:\Users\Admin\AppData\Local\Temp\Installer.exe
PID 2444 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\Installer.exe C:\Users\Admin\AppData\Local\Temp\Installer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Installer.exe

"C:\Users\Admin\AppData\Local\Temp\Installer.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Users\Admin\AppData\Local\Temp\Installer.exe

"C:\Users\Admin\AppData\Local\Temp\Installer.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\game" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2004 --field-trial-handle=2008,i,15685344764449566129,10627128631010484435,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Users\Admin\AppData\Local\Temp\Installer.exe

"C:\Users\Admin\AppData\Local\Temp\Installer.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\game" --mojo-platform-channel-handle=2176 --field-trial-handle=2008,i,15685344764449566129,10627128631010484435,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8

C:\Users\Admin\AppData\Local\Temp\Installer.exe

"C:\Users\Admin\AppData\Local\Temp\Installer.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --user-data-dir="C:\Users\Admin\AppData\Roaming\game" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1064 --field-trial-handle=2008,i,15685344764449566129,10627128631010484435,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 wavebysudryez.fr udp
US 104.21.85.98:443 wavebysudryez.fr tcp
US 8.8.8.8:53 98.85.21.104.in-addr.arpa udp
US 8.8.8.8:53 www.spotify.com udp
US 35.186.224.25:443 www.spotify.com tcp
US 8.8.8.8:53 www.myexternalip.com udp
US 34.117.118.44:443 www.myexternalip.com tcp
US 8.8.8.8:53 44.118.117.34.in-addr.arpa udp
US 8.8.8.8:53 25.224.186.35.in-addr.arpa udp
US 8.8.8.8:53 dns.google udp
US 8.8.4.4:443 dns.google tcp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 8.8.8.8:53 121.150.79.40.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 76.234.34.23.in-addr.arpa udp

Files

\Users\Admin\AppData\Local\Temp\1ab9abb2-615f-4671-af4f-5e86d2cee448.tmp.node

MD5 beb8d911d40e8fe94770d9d341e0de11
SHA1 d24d31e5b44a4a80969e2a669fb9b0ed42cfd479
SHA256 ec41fc2fee2abcbf0559965501f54aae47cff24a87204fd3a85d86c7d53d53c7
SHA512 079c43c2533fa35411247dd091c5caedb4a0dbdeee7b8f9fbbba6f521d760856822d373f1e6682eff10bebc63168cb4a445aee7b23047e4d784ab28891d07bfe

\Users\Admin\AppData\Local\Temp\c73fda09-f51b-4478-b587-53d827f28f84.tmp.node

MD5 04bfbfec8db966420fe4c7b85ebb506a
SHA1 939bb742a354a92e1dcd3661a62d69e48030a335
SHA256 da2172ce055fa47d6a0ea1c90654f530abed33f69a74d52fab06c4c7653b48fd
SHA512 4ea97a9a120ed5bee8638e0a69561c2159fc3769062d7102167b0e92b4f1a5c002a761bd104282425f6cee8d0e39dbe7e12ad4e4a38570c3f90f31b65072dd65

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-09 23:43

Reported

2024-05-10 00:44

Platform

win10-20240404-en

Max time kernel

363s

Max time network

1593s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3dcompiler_47.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3dcompiler_47.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.178.89.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-09 23:43

Reported

2024-05-10 00:44

Platform

win10-20240404-en

Max time kernel

311s

Max time network

1608s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 175.117.168.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-09 23:43

Reported

2024-05-10 00:45

Platform

win10-20240404-en

Max time kernel

310s

Max time network

1591s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.0.0.0.0.0.0.0.d.1.a.1.a.6.8.f.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.191.110.104.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 35.197.79.40.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-05-09 23:43

Reported

2024-05-10 00:45

Platform

win10-20240404-en

Max time kernel

507s

Max time network

1599s

Command Line

"C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe

"C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 4.73.50.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 76.234.34.23.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-05-09 23:43

Reported

2024-05-10 00:45

Platform

win10-20240404-en

Max time kernel

309s

Max time network

1578s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vk_swiftshader.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vk_swiftshader.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 143.191.110.104.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 104.116.69.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-05-09 23:43

Reported

2024-05-10 00:45

Platform

win10-20240404-en

Max time kernel

314s

Max time network

1576s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1368 wrote to memory of 3244 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1368 wrote to memory of 3244 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1368 wrote to memory of 3244 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 620

Network

Country Destination Domain Proto
US 8.8.8.8:53 143.191.110.104.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 104.116.69.13.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-05-09 23:43

Reported

2024-05-10 00:45

Platform

win10-20240404-en

Max time kernel

310s

Max time network

1609s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vulkan-1.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vulkan-1.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 f.f.f.f.d.b.b.8.0.9.8.2.0.9.0.8.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 143.191.110.104.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 91.16.208.104.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp

Files

N/A