Analysis Overview
SHA256
4849941ec88092a451d69a63a755e6993d739268fee0c92061a6bc95ba7a6483
Threat Level: Known bad
The file CrimsonSetup.exe was found to be: Known bad.
Malicious Activity Summary
Privateloader family
Reads user/profile data of web browsers
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Enumerates physical storage devices
Program crash
Unsigned PE
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of AdjustPrivilegeToken
Enumerates processes with tasklist
Modifies registry class
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-09 23:45
Signatures
Privateloader family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-09 23:43
Reported
2024-05-10 00:43
Platform
win10-20240404-en
Max time kernel
315s
Max time network
1588s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2184 wrote to memory of 1636 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2184 wrote to memory of 1636 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2184 wrote to memory of 1636 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 628
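Reading the behavioral3 tree above: the sandbox ran the NSIS plugin `$PLUGINSDIR\System.dll` directly through rundll32, the 64-bit rundll32 handed the 32-bit DLL to its SysWOW64 twin (which is what the three identical "PID 2184 wrote to memory of 1636" rows record), and that child crashed into WerFault (`-p 1636`), so this run shows the plugin crashing under rundll32 rather than the installer's own behaviour. The script below is an added example, not part of the sandbox report: it parses the rundll32 and WerFault command lines and the WriteProcessMemory rows and classifies them, flagging a DLL loaded from a user-writable path, linking the WerFault `-p` value back to the crashed process, and separating parent-to-child writes (and specifically the WoW64 relaunch pairing, a heuristic) from writes into a process the writer did not create. PIDs 2184 and 1636 come from the rows above; the parent links and WerFault's PID 9999 are assumptions made so the tree has a shape.

```python
import re
from typing import Optional, Tuple

# Example input constructed from the behavioral3 Processes and Signatures
# sections (not the sandbox's raw export). PIDs 2184 and 1636 are taken from
# the WriteProcessMemory and WerFault rows; the parent links and WerFault's
# own PID (9999) are assumptions added so the tree has a shape.
PROCESSES = [
    {"pid": 2184, "ppid": None, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1"},
    {"pid": 1636, "ppid": 2184, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1"},
    {"pid": 9999, "ppid": 1636, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 628"},
]
# The report lists this row three times; identical rows are collapsed below.
WPM_EVENTS = ["PID 2184 wrote to memory of 1636"] * 3

RUNDLL32_RE = re.compile(
    r'^"?(?:[a-z]:\\[^"]*\\)?rundll32(?:\.exe)?"?\s+"?([^",]+\.dll)"?\s*,\s*(\S+)', re.I)
WERFAULT_RE = re.compile(r"werfault(?:\.exe)?\b.*?\s-p\s+(\d+)", re.I)
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\windows\\temp\\")


def rundll32_target(cmdline: str) -> Optional[Tuple[str, str]]:
    """(dll_path, entry_point) when cmdline is a rundll32 invocation, else None."""
    m = RUNDLL32_RE.match(cmdline.strip())
    return (m.group(1), m.group(2)) if m else None


def is_user_writable(path: str) -> bool:
    p = path.lower()
    return any(tok in p for tok in USER_WRITABLE)


def werfault_victim(cmdline: str) -> Optional[int]:
    """PID named by WerFault's -p switch: the process that crashed."""
    m = WERFAULT_RE.search(cmdline)
    return int(m.group(1)) if m else None


def is_wow64_relaunch(parent: dict, child: dict) -> bool:
    """A 64-bit rundll32 handed a 32-bit DLL re-executes its SysWOW64 twin with
    the same command line; that pairing is what this heuristic recognises."""
    return (parent["image"].lower().endswith("\\system32\\rundll32.exe")
            and child["image"].lower().endswith("\\syswow64\\rundll32.exe")
            and parent["cmdline"] == child["cmdline"])


def triage(processes, wpm_events):
    """Return (kind, subject, detail, extra) findings for the run."""
    by_pid = {p["pid"]: p for p in processes}
    findings = []
    for p in processes:
        hit = rundll32_target(p["cmdline"])
        if hit and is_user_writable(hit[0]):
            # $PLUGINSDIR is the NSIS plugin directory; System.dll is its stock plugin.
            kind = "rundll32_nsis_plugin" if "$pluginsdir" in hit[0].lower() else "rundll32_user_dll"
            findings.append((kind, p["pid"], hit[0], hit[1]))
        victim = werfault_victim(p["cmdline"])
        if victim is not None:
            findings.append(("crash", victim, by_pid.get(victim, {}).get("image", "?"), None))
    for ev in dict.fromkeys(wpm_events):  # collapse identical repeated rows, keep order
        m = WPM_RE.match(ev)
        if not m:
            continue
        src, dst = int(m.group(1)), int(m.group(2))
        s, d = by_pid.get(src), by_pid.get(dst)
        if s and d and d["ppid"] == src:
            kind = "wpm_wow64_relaunch" if is_wow64_relaunch(s, d) else "wpm_parent_child"
        else:
            kind = "wpm_cross_process"  # wrote into a process it did not create: injection candidate
        findings.append((kind, src, dst, None))
    return findings


if __name__ == "__main__":
    for finding in triage(PROCESSES, WPM_EVENTS):
        print(finding)
```

The parent/child test is what keeps the WriteProcessMemory signature from being over-read: a parent writing into the child it has just created is routine, while a write into an unrelated PID is the case worth opening a memory dump for.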
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.191.110.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.234.34.23.in-addr.arpa | udp |
| US | 52.111.227.14:443 | | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-05-09 23:43
Reported
2024-05-10 00:43
Platform
win10-20240404-en
Max time kernel
1800s
Max time network
1605s
Command Line
Signatures
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\rescache\_merged\3720402701\1568373884.pri | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| File opened for modification | C:\Windows\Debug\ESE.TXT | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| File created | C:\Windows\rescache\_merged\3720402701\1568373884.pri | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| File created | C:\Windows\rescache\_merged\3720402701\1568373884.pri | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\system32\browser_broker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Extensible Cache | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Explorer | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\NextPromptBuild = "15063" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{F80A17D9-57CE-4D41-8D22-63C06AB6B5D5} = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CacheLimit = "256000" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 90ac43f06ea2da01 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$Discuz! | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CachePrefix = "Visited:" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History\CacheLimit = "1" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListFirstRun = "3" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\MrtCache | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B7216 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content\CachePrefix | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData\RulesFileNextUpdateDate = "421462133" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\ACGPolicyState = "8" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 90ac43f06ea2da01 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CacheLimit = "1" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = fcd963ec6ea2da01 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DisallowDefaultBrowserPrompt = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 738d36ec6ea2da01 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$Telligent | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 1ba049ec6ea2da01 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| N/A | N/A | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| N/A | N/A | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| N/A | N/A | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| N/A | N/A | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| N/A | N/A | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4284 wrote to memory of 2360 | N/A | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe |
| PID 4284 wrote to memory of 2360 | N/A | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe |
| PID 4284 wrote to memory of 2360 | N/A | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe |
| PID 4284 wrote to memory of 2360 | N/A | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe |
Processes
C:\Windows\system32\LaunchWinApp.exe
"C:\Windows\system32\LaunchWinApp.exe" "C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html"
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
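Nearly every signature in behavioral5 is attributed to MicrosoftEdge.exe, MicrosoftEdgeCP.exe or browser_broker.exe, and the process list shows why: LaunchWinApp.exe opened the dropped LICENSES.chromium.html in the built-in Edge, and the registry, hook, token and WriteProcessMemory rows are that browser starting up. The script below is an added example, not the report's own tooling: it attributes each signature row to the process that fired it and classifies that process as the sample itself (running from a user-writable path), a platform binary handed a sample-controlled path, or a plain platform process, so platform-only signatures can be set aside before they are counted against the sample. The rows are a subset constructed from the tables above; the platform directory list, the proxy-host list and the sample path used in the check are assumptions.

```python
import re
from collections import Counter, defaultdict

# Example input constructed from a subset of behavioral5's Signatures and
# Processes rows (not the sandbox's raw export).
EDGE = "C:\\Windows\\SystemApps\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\MicrosoftEdge.exe"
EDGE_CP = "C:\\Windows\\SystemApps\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\MicrosoftEdgeCP.exe"
BROKER = "C:\\Windows\\system32\\browser_broker.exe"
LAUNCHER = "C:\\Windows\\system32\\LaunchWinApp.exe"

SIGNATURES = [  # (signature name, process that fired it)
    ("Drops file in Windows directory", EDGE),
    ("Modifies Internet Explorer settings", BROKER),
    ("Modifies Internet Explorer settings", EDGE_CP),
    ("Modifies registry class", EDGE),
    ("Suspicious use of AdjustPrivilegeToken", EDGE_CP),
    ("Suspicious use of SetWindowsHookEx", EDGE),
    ("Suspicious use of WriteProcessMemory", EDGE_CP),
]
PROCESSES = [  # (image, command line)
    (LAUNCHER, f'"{LAUNCHER}" "C:\\Users\\Admin\\AppData\\Local\\Temp\\LICENSES.chromium.html"'),
    (EDGE, f'"{EDGE}" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca'),
    (BROKER, f"{BROKER} -Embedding"),
    (EDGE_CP, f'"{EDGE_CP}" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca'),
]

# Assumed directory lists; extend them for the environment being analysed.
PLATFORM_DIRS = ("c:\\windows\\systemapps\\", "c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\windows\\temp\\")
# Signed platform binaries that execute or open whatever path they are handed.
PROXY_HOSTS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe", "launchwinapp.exe"}
PATH_RE = re.compile(r'[a-z]:\\[^"\s]+', re.I)


def is_user_writable(path: str) -> bool:
    p = path.lower()
    return any(tok in p for tok in USER_WRITABLE)


def user_paths_in(cmdline: str):
    """Arguments that point into user-writable locations."""
    return [p for p in PATH_RE.findall(cmdline) if is_user_writable(p)]


def classify(image: str, cmdline: str) -> str:
    img = image.lower()
    if is_user_writable(img):
        return "sample"              # runs from where the sample and its drops live
    if img.rsplit("\\", 1)[-1] in PROXY_HOSTS and user_paths_in(cmdline):
        return "sample_via_host"     # platform binary, sample-controlled argument
    if img.startswith(PLATFORM_DIRS):
        return "platform"
    return "unknown"


def attribute(signatures, processes):
    """Per signature, how many firings came from each process class."""
    cls = {img: classify(img, cmd) for img, cmd in processes}
    per_sig = defaultdict(Counter)
    for name, img in signatures:
        per_sig[name][cls.get(img, "unknown")] += 1
    return {name: dict(c) for name, c in per_sig.items()}


def noise_candidates(attribution):
    """Signatures fired only by platform processes: confirm before scoring them against the sample."""
    return sorted(name for name, c in attribution.items() if set(c) == {"platform"})


def sample_driven_launches(processes):
    """Platform hosts handed a sample-controlled path: the link between the sample and the platform noise."""
    return [(img, user_paths_in(cmd)) for img, cmd in processes if classify(img, cmd) == "sample_via_host"]


if __name__ == "__main__":
    attr = attribute(SIGNATURES, PROCESSES)
    for name, counts in attr.items():
        print(f"{name}: {counts}")
    print("platform-only:", noise_candidates(attr))
    print("sample-driven launches:", sample_driven_launches(PROCESSES))
```

On this run every signature lands in the platform-only bucket and the single sample-driven launch is LaunchWinApp.exe opening the HTML file from Temp, which is the relationship an analyst needs before deciding how much of behavioral5 to weigh.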
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| BE | 88.221.83.201:443 | www.bing.com | tcp |
| BE | 88.221.83.201:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 76.234.34.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 181.97.55.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 201.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-05-09 23:43
Reported
2024-05-10 00:45
Platform
win10-20240404-en
Max time kernel
865s
Max time network
1600s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.173.189.20.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 76.234.34.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-09 23:43
Reported
2024-05-10 00:43
Platform
win10-20240404-en
Max time kernel
314s
Max time network
1598s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4124 wrote to memory of 4044 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 636
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 143.191.110.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 123.10.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-09 23:43
Reported
2024-05-10 00:42
Platform
win10-20240404-en
Max time kernel
1800s
Max time network
1792s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2gCcpQQmY15DtthEITC9TR04BGs\Installer.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Users\Admin\AppData\Local\Temp\2gCcpQQmY15DtthEITC9TR04BGs\Installer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | C:\Users\Admin\AppData\Local\Temp\2gCcpQQmY15DtthEITC9TR04BGs\Installer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\2gCcpQQmY15DtthEITC9TR04BGs\Installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 | C:\Users\Admin\AppData\Local\Temp\2gCcpQQmY15DtthEITC9TR04BGs\Installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\2gCcpQQmY15DtthEITC9TR04BGs\Installer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\AppData\Local\Temp\2gCcpQQmY15DtthEITC9TR04BGs\Installer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\2gCcpQQmY15DtthEITC9TR04BGs\Installer.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2gCcpQQmY15DtthEITC9TR04BGs\Installer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\CrimsonSetup.exe
"C:\Users\Admin\AppData\Local\Temp\CrimsonSetup.exe"
C:\Users\Admin\AppData\Local\Temp\2gCcpQQmY15DtthEITC9TR04BGs\Installer.exe
C:\Users\Admin\AppData\Local\Temp\2gCcpQQmY15DtthEITC9TR04BGs\Installer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\tasklist.exe
tasklist
C:\Users\Admin\AppData\Local\Temp\2gCcpQQmY15DtthEITC9TR04BGs\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\2gCcpQQmY15DtthEITC9TR04BGs\Installer.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\game" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1844 --field-trial-handle=1848,i,3813452661573221480,11197652481155484402,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
C:\Users\Admin\AppData\Local\Temp\2gCcpQQmY15DtthEITC9TR04BGs\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\2gCcpQQmY15DtthEITC9TR04BGs\Installer.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\game" --mojo-platform-channel-handle=2176 --field-trial-handle=1848,i,3813452661573221480,11197652481155484402,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
C:\Users\Admin\AppData\Local\Temp\2gCcpQQmY15DtthEITC9TR04BGs\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\2gCcpQQmY15DtthEITC9TR04BGs\Installer.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --user-data-dir="C:\Users\Admin\AppData\Roaming\game" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2408 --field-trial-handle=1848,i,3813452661573221480,11197652481155484402,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
Network
Files
| SHA512 | 52b46d7affac4949fa19841d26d2f4bf877e36cbda4b75f3ff289a7abe9a80c2a014b1ae23d3079f4d31ed5fa76c320103733284a2c13d99a451810407325674 |
C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\locales\nl.pak
| MD5 | 5cde06a63c9dc07fdbb0fdc94e403d00 |
| SHA1 | 11be56054908f1f9cd56ab77692fe3717ee91ee8 |
| SHA256 | 3b9ed5ed0dd07d8fa67412a046ab085137542c156876dbfe6f83376571af91a3 |
| SHA512 | 2716496dcbf76cc2dece938103813a8dbc17d4c795b4e3459a572de4f62f9ac0e1788de3a21f5fb287ad364decbd541a5e3bddd406e130d2a9c72118ccee5390 |
C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\locales\zh-TW.pak
| MD5 | 960e99a171c4ed4b6d787027ba88774d |
| SHA1 | e3869aff0c52841c9df718133e7c4be2977de7fb |
| SHA256 | e42640f5309add2ea7fd5a4db503b93e479ef14807710a06d7e53a0f261da8e6 |
| SHA512 | 4e51d787aff8f425d101882bd70e71b88b253f2ca61ed54dd7ff77c7e3a1d6570b270f4eb91f2d03869ea4537d09e141f3e32ea3a27537295ec698bf26305cbf |
C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\locales\zh-CN.pak
| MD5 | 07b6c43d87dbf93ac8abe6837f3c2103 |
| SHA1 | 79e033179b445609b3f1756c3f4184d5efacf1c2 |
| SHA256 | 7f85b35938fadca91bfd8f92ca53613718e375ef010c340947dd27a4ff66594c |
| SHA512 | 38ef8f8a8a950b11c18eb7a40da721b888ef792a49e1371dc8c1eb22058a6791f95bf9b25df4ba190a7aa6cb62ce38b0bfaea83c71b62cde6980d12cf9da53f9 |
C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\locales\vi.pak
| MD5 | 4c5c09cb7e6eb120c8019fe94e1ac716 |
| SHA1 | f018e7f095605e21db24944b828cc3580cba863f |
| SHA256 | e7319ca18eba379772954132493bbabb448d4e97d755b85360ed337216b48800 |
| SHA512 | d171ee83cf02a8904290a74df1224556887e41333b8a01fbd95f0cacc88d230195fbfb6f99f9e02573d4864b3c95b570a77c2a0b1e19324d2599925e40684807 |
C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\locales\ur.pak
| MD5 | 88eef2798dee8a361c3ea9bafaa02a35 |
| SHA1 | 6f8d4ce422336ca5048ef35d6ece360a9b416d8a |
| SHA256 | 91318006c880e427417a2b2fff81fd451769a5536fa16d1dc185972137bc2d6a |
| SHA512 | db36b58186f165ff3f746ac483f75b6fed596fad9b3f335e86b374b359e563407acf58ac7cded9420e4fcb91f31eebc8a91c7777ea59bafced8cff2f1c0e9a53 |
C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\locales\uk.pak
| MD5 | 64aa9344abd9a32f10d6c05a58eda4eb |
| SHA1 | 3286ee43f36e2232677b4573e8b4a3303c7df048 |
| SHA256 | ca20af5982ae706f5029467901d7d66f90b261f03c7d240d0d1ab2fca2b50a7b |
| SHA512 | dd768b314da50b8ba5a006a4e56d70044c1af79960834722894d930f5347194ae7f9f5697bc4cd0790a79341635cb1df8c74ff45f74d1736049161af5b163efb |
C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\locales\tr.pak
| MD5 | 0aedf5c2f6f4f49074a2adea454df4c9 |
| SHA1 | a48d9d8461e61170257897766dbd6906e754a0c3 |
| SHA256 | 3f4658b3811b36f5cad794e48e6507335abfe78b0bfa0c80d1ef9c5d7bb410d0 |
| SHA512 | e359e446330fc154c16e34a7335174f372bce701faf85de8a5f4b432ce3e10c69f42c93b7182deac89bb4d29750d0dd525b6dcd74a5b7bd724f544d14ba44a79 |
\Users\Admin\AppData\Local\Temp\nsx730E.tmp\StdUtils.dll
| MD5 | c6a6e03f77c313b267498515488c5740 |
| SHA1 | 3d49fc2784b9450962ed6b82b46e9c3c957d7c15 |
| SHA256 | b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e |
| SHA512 | 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803 |
C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\resources\elevate.exe
| MD5 | 792b92c8ad13c46f27c7ced0810694df |
| SHA1 | d8d449b92de20a57df722df46435ba4553ecc802 |
| SHA256 | 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37 |
| SHA512 | 6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40 |
C:\Users\Admin\AppData\Local\Temp\nsx730E.tmp\7z-out\resources\app.asar
| MD5 | 0c4b0be5f0b59114a849c658239fefd9 |
| SHA1 | b995edf111146d45684cf7a7474c02930a150f10 |
| SHA256 | 7ffea154a68c15c9b8ced3f3b0b1098b54230d2e2df25a7ed04acaeb664c129f |
| SHA512 | 48acdca36ed6672192d5bf29beefd00a2e880ab82d30153f58717d8141e45925ee276672ba228df30e5fd4d9cfa5f17efdaf82bb0fef54bac7ef38cd850259ff |
\Users\Admin\AppData\Local\Temp\1a09d8db-c2eb-48d0-9936-76d90ac5570d.tmp.node
| MD5 | 04bfbfec8db966420fe4c7b85ebb506a |
| SHA1 | 939bb742a354a92e1dcd3661a62d69e48030a335 |
| SHA256 | da2172ce055fa47d6a0ea1c90654f530abed33f69a74d52fab06c4c7653b48fd |
| SHA512 | 4ea97a9a120ed5bee8638e0a69561c2159fc3769062d7102167b0e92b4f1a5c002a761bd104282425f6cee8d0e39dbe7e12ad4e4a38570c3f90f31b65072dd65 |
\Users\Admin\AppData\Local\Temp\690034fd-e829-4a9b-9758-c02f8d94b47c.tmp.node
| MD5 | beb8d911d40e8fe94770d9d341e0de11 |
| SHA1 | d24d31e5b44a4a80969e2a669fb9b0ed42cfd479 |
| SHA256 | ec41fc2fee2abcbf0559965501f54aae47cff24a87204fd3a85d86c7d53d53c7 |
| SHA512 | 079c43c2533fa35411247dd091c5caedb4a0dbdeee7b8f9fbbba6f521d760856822d373f1e6682eff10bebc63168cb4a445aee7b23047e4d784ab28891d07bfe |
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-09 23:43
Reported
2024-05-10 00:43
Platform
win10-20240404-en
Max time kernel
1800s
Max time network
1788s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
Reads user/profile data of web browsers
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Installer.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\tasklist.exe
tasklist
C:\Users\Admin\AppData\Local\Temp\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Installer.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\game" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2004 --field-trial-handle=2008,i,15685344764449566129,10627128631010484435,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
C:\Users\Admin\AppData\Local\Temp\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Installer.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\game" --mojo-platform-channel-handle=2176 --field-trial-handle=2008,i,15685344764449566129,10627128631010484435,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
C:\Users\Admin\AppData\Local\Temp\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Installer.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --user-data-dir="C:\Users\Admin\AppData\Roaming\game" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1064 --field-trial-handle=2008,i,15685344764449566129,10627128631010484435,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | wavebysudryez.fr | udp |
| US | 104.21.85.98:443 | wavebysudryez.fr | tcp |
| US | 104.21.85.98:443 | wavebysudryez.fr | tcp |
| US | 104.21.85.98:443 | wavebysudryez.fr | tcp |
| US | 104.21.85.98:443 | wavebysudryez.fr | tcp |
| US | 104.21.85.98:443 | wavebysudryez.fr | tcp |
| US | 8.8.8.8:53 | 98.85.21.104.in-addr.arpa | udp |
| US | 104.21.85.98:443 | wavebysudryez.fr | tcp |
| US | 104.21.85.98:443 | wavebysudryez.fr | tcp |
| US | 8.8.8.8:53 | www.spotify.com | udp |
| US | 35.186.224.25:443 | www.spotify.com | tcp |
| US | 8.8.8.8:53 | www.myexternalip.com | udp |
| US | 34.117.118.44:443 | www.myexternalip.com | tcp |
| US | 8.8.8.8:53 | 44.118.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.224.186.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.4.4:443 | dns.google | tcp |
| US | 8.8.8.8:53 | 4.4.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 121.150.79.40.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 76.234.34.23.in-addr.arpa | udp |
Files
\Users\Admin\AppData\Local\Temp\1ab9abb2-615f-4671-af4f-5e86d2cee448.tmp.node
| MD5 | beb8d911d40e8fe94770d9d341e0de11 |
| SHA1 | d24d31e5b44a4a80969e2a669fb9b0ed42cfd479 |
| SHA256 | ec41fc2fee2abcbf0559965501f54aae47cff24a87204fd3a85d86c7d53d53c7 |
| SHA512 | 079c43c2533fa35411247dd091c5caedb4a0dbdeee7b8f9fbbba6f521d760856822d373f1e6682eff10bebc63168cb4a445aee7b23047e4d784ab28891d07bfe |
\Users\Admin\AppData\Local\Temp\c73fda09-f51b-4478-b587-53d827f28f84.tmp.node
| MD5 | 04bfbfec8db966420fe4c7b85ebb506a |
| SHA1 | 939bb742a354a92e1dcd3661a62d69e48030a335 |
| SHA256 | da2172ce055fa47d6a0ea1c90654f530abed33f69a74d52fab06c4c7653b48fd |
| SHA512 | 4ea97a9a120ed5bee8638e0a69561c2159fc3769062d7102167b0e92b4f1a5c002a761bd104282425f6cee8d0e39dbe7e12ad4e4a38570c3f90f31b65072dd65 |
Analysis: behavioral6
Detonation Overview
Submitted
2024-05-09 23:43
Reported
2024-05-10 00:44
Platform
win10-20240404-en
Max time kernel
363s
Max time network
1593s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3dcompiler_47.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.178.89.13.in-addr.arpa | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-05-09 23:43
Reported
2024-05-10 00:44
Platform
win10-20240404-en
Max time kernel
311s
Max time network
1608s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 175.117.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-05-09 23:43
Reported
2024-05-10 00:45
Platform
win10-20240404-en
Max time kernel
310s
Max time network
1591s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.d.1.a.1.a.6.8.f.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.191.110.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.197.79.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-05-09 23:43
Reported
2024-05-10 00:45
Platform
win10-20240404-en
Max time kernel
507s
Max time network
1599s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe
"C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 4.73.50.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | 76.234.34.23.in-addr.arpa | udp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-05-09 23:43
Reported
2024-05-10 00:45
Platform
win10-20240404-en
Max time kernel
309s
Max time network
1578s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\vk_swiftshader.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 143.191.110.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.116.69.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-05-09 23:43
Reported
2024-05-10 00:45
Platform
win10-20240404-en
Max time kernel
314s
Max time network
1576s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1368 wrote to memory of 3244 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1368 wrote to memory of 3244 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1368 wrote to memory of 3244 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 620
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 143.191.110.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.116.69.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-05-09 23:43
Reported
2024-05-10 00:45
Platform
win10-20240404-en
Max time kernel
310s
Max time network
1609s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\vulkan-1.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | f.f.f.f.d.b.b.8.0.9.8.2.0.9.0.8.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 143.191.110.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.16.208.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |