Malware Analysis Report

2024-12-08 03:04

Sample ID 240510-2tms9shb45
Target XSpammer_Setup.exe
SHA256 ea8e830aee3ca762fa8d37597994acf261430d0ec3f393b1861e6e9d7ac3c552
Tags execution discovery privateloader
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral24, behavioral31, behavioral14, behavioral7, behavioral9, behavioral15, behavioral3, behavioral1, behavioral23, behavioral27, behavioral6, behavioral5, behavioral11, behavioral13, behavioral16, behavioral17, behavioral19, behavioral4, behavioral30, behavioral29, behavioral10, behavioral12, behavioral21, behavioral22, behavioral25, behavioral28, behavioral2, behavioral18, behavioral20, behavioral26, behavioral32, behavioral8 (each: Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score 10/10

SHA256 ea8e830aee3ca762fa8d37597994acf261430d0ec3f393b1861e6e9d7ac3c552

Threat Level: Known bad

The file XSpammer_Setup.exe was found to be: Known bad.

Malicious Activity Summary

execution discovery privateloader

Privateloader family

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Program crash

Unsigned PE

Enumerates physical storage devices

Command and Scripting Interpreter: JavaScript

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Modifies system certificate store

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-10 22:53

Signatures

Privateloader family

privateloader

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A (26 identical rows)

Analysis: behavioral24

Detonation Overview

Submitted

2024-05-10 22:52

Reported

2024-05-10 22:57

Platform

win7-20240221-en

Max time kernel

119s

Max time network

125s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\gifwrap\src\gifutil.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\gifwrap\src\gifutil.js

Network

N/A

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-05-10 22:52

Reported

2024-05-10 22:57

Platform

win10v2004-20240426-en

Max time kernel

148s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe

"C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 31.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 9.179.89.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-05-10 22:52

Reported

2024-05-10 22:57

Platform

win10v2004-20240426-en

Max time kernel

148s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\XSpammer.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\XSpammer.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\XSpammer.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\Temp\XSpammer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\XSpammer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Users\Admin\AppData\Local\Temp\XSpammer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz C:\Users\Admin\AppData\Local\Temp\XSpammer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\XSpammer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 C:\Users\Admin\AppData\Local\Temp\XSpammer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\XSpammer.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C C:\Users\Admin\AppData\Local\Temp\XSpammer.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = (value elided) C:\Users\Admin\AppData\Local\Temp\XSpammer.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 C:\Users\Admin\AppData\Local\Temp\XSpammer.exe N/A
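Added example, not part of the sandbox report: a small Python parser for the Blob value above. CryptoAPI stores a certificate in the registry as a run of property records (property ID, a reserved dword of 1, a length, then the data), and the DER certificate itself is property 32. The first three records of the report's blob are properties 92, 25 and 3 (the SHA-1 hash), and its UTF-16 friendly-name record (property 11) decodes to "GlobalSign Root CA - R1". The key name B1BC968B... equals the blob's own SHA-1 property, and the SHA-256 property ebd41040...1c99 matches the published fingerprint of GlobalSign Root CA R1, so what this signature caught is the AuthRoot store being populated with a public root, the pattern Windows' automatic root update produces while building chains for the bing.com connections in the Network table below, not a rogue CA. The signature alone cannot tell those two cases apart, which is why the check below recomputes the hashes from the embedded DER and compares them with the key name and the stored hash properties. The block parses the report's first three records and friendly-name bytes verbatim; the full hash comparison runs on a constructed blob with a placeholder certificate body, because the real DER is too long to repeat here.

```python
"""Triage a CryptoAPI certificate-store registry Blob.

Windows serializes a certificate context under
SystemCertificates\\<store>\\Certificates\\<SHA-1 thumbprint>\\Blob as a sequence of
property records: prop_id (u32 LE), reserved (u32 LE, always 1), length (u32 LE),
then `length` bytes of data. The DER certificate is property 32.
"""
import hashlib
import struct
from typing import Dict, Optional

# CERT_*_PROP_ID values from wincrypt.h (only the ones used here).
CERT_SHA1_HASH_PROP_ID = 3
CERT_FRIENDLY_NAME_PROP_ID = 11
CERT_CERT_PROP_ID = 32
CERT_SHA256_HASH_PROP_ID = 98

# Taken from the report: the registry key name and the first three property
# records of the Blob written under AuthRoot (properties 92, 25 and 3).
REPORT_KEY_NAME = "B1BC968BD4F49D622AA89A81F2150152A41D829C"
REPORT_BLOB_HEAD_HEX = (
    "5c000000010000000400000000080000"
    "190000000100000010000000a823b4a20180beb460cab955c24d7e21"
    "030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c"
)
# Also from the report: the data of property 11 (friendly name, UTF-16LE, NUL-terminated).
REPORT_FRIENDLY_NAME_HEX = (
    "47006c006f00620061006c005300690067006e00200052006f006f0074002000"
    "4300410020002d002000520031000000"
)


def parse_cert_blob(blob: bytes) -> Dict[int, bytes]:
    """Split the property stream into {prop_id: data}; reject truncated or malformed input."""
    props: Dict[int, bytes] = {}
    off = 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError(f"truncated property header at offset {off}")
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        if reserved != 1:
            raise ValueError(f"bad reserved field {reserved} at offset {off}")
        off += 12
        if off + length > len(blob):
            raise ValueError(f"property {prop_id} runs past end of blob")
        props[prop_id] = blob[off:off + length]
        off += length
    return props


def decode_friendly_name(data: bytes) -> str:
    return data.decode("utf-16-le").rstrip("\x00")


def triage_cert_blob(key_name: str, blob: bytes) -> dict:
    """Recompute hashes from the embedded DER and compare them with the registry key
    name and the stored hash properties, so a blob registered under a foreign
    thumbprint or with tampered hash records stands out."""
    props = parse_cert_blob(blob)
    if CERT_CERT_PROP_ID not in props:
        raise ValueError("no certificate record (property 32) in blob")
    der = props[CERT_CERT_PROP_ID]
    sha1 = hashlib.sha1(der).hexdigest()
    sha256 = hashlib.sha256(der).hexdigest()

    def stored_matches(prop_id: int, computed: str) -> Optional[bool]:
        return props[prop_id].hex() == computed if prop_id in props else None

    return {
        "key_name": key_name.lower(),
        "computed_sha1": sha1,
        "computed_sha256": sha256,
        "key_matches_cert": key_name.lower() == sha1,
        "stored_sha1_matches": stored_matches(CERT_SHA1_HASH_PROP_ID, sha1),
        "stored_sha256_matches": stored_matches(CERT_SHA256_HASH_PROP_ID, sha256),
        "friendly_name": decode_friendly_name(props[CERT_FRIENDLY_NAME_PROP_ID])
        if CERT_FRIENDLY_NAME_PROP_ID in props else None,
        "property_ids": sorted(props),
    }


def _prop(prop_id: int, data: bytes) -> bytes:
    return struct.pack("<III", prop_id, 1, len(data)) + data


# Constructed sample (not from the report): a placeholder certificate body wrapped
# the way CryptoAPI serializes it. Real blobs carry actual DER in property 32.
SAMPLE_DER = b"constructed-placeholder-certificate-body (not DER)"
SAMPLE_BLOB = (
    _prop(CERT_SHA1_HASH_PROP_ID, hashlib.sha1(SAMPLE_DER).digest())
    + _prop(CERT_FRIENDLY_NAME_PROP_ID, "Example Root CA\x00".encode("utf-16-le"))
    + _prop(CERT_SHA256_HASH_PROP_ID, hashlib.sha256(SAMPLE_DER).digest())
    + _prop(CERT_CERT_PROP_ID, SAMPLE_DER)
)
SAMPLE_KEY_NAME = hashlib.sha1(SAMPLE_DER).hexdigest().upper()


if __name__ == "__main__":
    head = parse_cert_blob(bytes.fromhex(REPORT_BLOB_HEAD_HEX))
    print("report key name == stored SHA-1 property:",
          head[CERT_SHA1_HASH_PROP_ID].hex().upper() == REPORT_KEY_NAME)
    print("report friendly name:", decode_friendly_name(bytes.fromhex(REPORT_FRIENDLY_NAME_HEX)))
    print(triage_cert_blob(SAMPLE_KEY_NAME, SAMPLE_BLOB))
    # Same blob registered under the report's key name: the mismatch is flagged.
    print(triage_cert_blob(REPORT_KEY_NAME, SAMPLE_BLOB)["key_matches_cert"])
```

To run the full check against the report's blob, paste the complete hex value from the row above into `bytes.fromhex` and call `triage_cert_blob(REPORT_KEY_NAME, ...)`; a genuine auto-root-update write returns True for all three match fields and a friendly name that identifies a known public CA.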

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3804 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\XSpammer.exe C:\Users\Admin\AppData\Local\Temp\XSpammer.exe (40 identical events)
PID 3804 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\XSpammer.exe C:\Users\Admin\AppData\Local\Temp\XSpammer.exe (2 identical events)
PID 3804 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\XSpammer.exe C:\Users\Admin\AppData\Local\Temp\XSpammer.exe (2 identical events)
PID 3804 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\XSpammer.exe C:\Users\Admin\AppData\Local\Temp\XSpammer.exe (2 identical events)

Processes

C:\Users\Admin\AppData\Local\Temp\XSpammer.exe

"C:\Users\Admin\AppData\Local\Temp\XSpammer.exe"

C:\Users\Admin\AppData\Local\Temp\XSpammer.exe

"C:\Users\Admin\AppData\Local\Temp\XSpammer.exe" --type=gpu-process --field-trial-handle=1576,8200763539694124950,3286874007459898763,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1584 /prefetch:2

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\XSpammer.exe

"C:\Users\Admin\AppData\Local\Temp\XSpammer.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1576,8200763539694124950,3286874007459898763,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1964 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\XSpammer.exe

"C:\Users\Admin\AppData\Local\Temp\XSpammer.exe" --type=renderer --field-trial-handle=1576,8200763539694124950,3286874007459898763,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2264 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\XSpammer.exe

"C:\Users\Admin\AppData\Local\Temp\XSpammer.exe" --type=gpu-process --field-trial-handle=1576,8200763539694124950,3286874007459898763,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2504 /prefetch:2

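Added example, not code from the report or from the XSpammer project: a parser for the Chromium-style command lines above that pulls out the switches deciding how much sandboxing each Electron child gets. The renderer that loads resources\app.asar runs with --no-sandbox and --no-v8-untrusted-code-mitigations, which is what Electron emits when the renderer sandbox is off (the default in older Electron releases), the GPU child has --disable-gpu-sandbox, and every child disables the CertVerifierService feature. None of that is malicious by itself, but it means any script the app renders runs with the user's full privileges rather than inside a Chromium sandbox. The three command lines are taken from the process list above, with the opaque --gpu-preferences value dropped from the gpu-process line; the one-line descriptions of each switch are the author's summaries, not text from the report.

```python
"""Triage Chromium/Electron child-process command lines for sandbox-weakening switches.

Electron apps spawn their own executable as gpu-process, utility and renderer
children carrying Chromium switches; the ones checked here decide whether the
web content the app loads runs inside the usual process sandbox.
"""
from typing import Dict, List, Tuple, Union

Switches = Dict[str, Union[str, bool]]

# Taken from the report (behavioral14 process list). The gpu-process line has its
# opaque --gpu-preferences value removed here to keep the sample readable.
CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\XSpammer.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1576,8200763539694124950,3286874007459898763,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1964 /prefetch:8',
    r'"C:\Users\Admin\AppData\Local\Temp\XSpammer.exe" --type=renderer --field-trial-handle=1576,8200763539694124950,3286874007459898763,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2264 /prefetch:1',
    r'"C:\Users\Admin\AppData\Local\Temp\XSpammer.exe" --type=gpu-process --field-trial-handle=1576,8200763539694124950,3286874007459898763,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --mojo-platform-channel-handle=2504 /prefetch:2',
]

# Switch -> why it matters (author's summaries). Presence alone is the finding.
SANDBOX_WEAKENING = {
    "no-sandbox": "process sandbox disabled for this child",
    "disable-gpu-sandbox": "GPU process sandbox disabled",
    "no-v8-untrusted-code-mitigations": "V8 runs untrusted JS without its Spectre mitigations",
}


def tokenize(cmdline: str) -> List[str]:
    """Split on whitespace while honouring double quotes. Backslashes are literal,
    which is what Windows paths need and is sufficient for Chromium command lines."""
    tokens: List[str] = []
    cur: List[str] = []
    in_quotes = False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def parse_chromium_cmdline(cmdline: str) -> Tuple[str, Switches, List[str]]:
    """Return (executable, {switch: value-or-True}, positional args)."""
    tokens = tokenize(cmdline)
    switches: Switches = {}
    positional: List[str] = []
    for tok in tokens[1:]:
        if tok.startswith("--"):
            key, sep, value = tok[2:].partition("=")
            switches[key] = value if sep else True
        else:
            positional.append(tok)
    return tokens[0], switches, positional


def feature_set(switches: Switches, name: str) -> List[str]:
    """--enable-features / --disable-features carry a comma-separated list."""
    value = switches.get(name, "")
    return sorted(v for v in value.split(",") if v) if isinstance(value, str) else []


def triage_cmdline(cmdline: str) -> dict:
    exe, sw, _ = parse_chromium_cmdline(cmdline)
    role = str(sw.get("type", "browser"))
    if role == "utility" and "utility-sub-type" in sw:
        role += ":" + str(sw["utility-sub-type"])
    findings = [f"--{k}: {why}" for k, why in SANDBOX_WEAKENING.items() if k in sw]
    disabled = feature_set(sw, "disable-features")
    if "CertVerifierService" in disabled:
        findings.append("--disable-features=CertVerifierService: out-of-process certificate verifier turned off")
    if sw.get("service-sandbox-type") == "none":
        findings.append("--service-sandbox-type=none: utility process runs unsandboxed")
    return {"exe": exe, "role": role, "app_path": sw.get("app-path"),
            "disabled_features": disabled, "findings": findings}


def triage_all(cmdlines: List[str]) -> List[dict]:
    return [triage_cmdline(c) for c in cmdlines]


if __name__ == "__main__":
    for result in triage_all(CMDLINES):
        print(result["role"], result["app_path"], result["findings"], sep="\n  ")
```

The same parser works on Process Monitor or EDR command-line fields; feed each Electron child line through `triage_cmdline` and alert on the renderer role when `--no-sandbox` is present and the app path is under a user-writable directory such as AppData\Local\Temp, as it is here.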
Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 170.185.250.142.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 52.111.229.48:443 tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 10.173.189.20.in-addr.arpa udp
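Added example, not part of the report: a filter for sandbox Network tables like the one above. Everything in this detonation's table is background activity: PTR lookups through 8.8.8.8 for the Microsoft address space the guest talked to, Bing search and tile traffic that a fresh Windows 10 VM generates on its own, and an mDNS query to 224.0.0.251. The only network indicator the report's signatures raise is discord.com, in behavioral1. The block parses the rows (including the ones with no Domain column), classes them, decodes the PTR names back into the IPs that were looked up, and leaves only the bare-IP contact and any unrecognised domain for review. Rows are copied from the table above with one constructed row (203.0.113.10, c2.example.invalid) appended to show what a genuine contact looks like after filtering; the noise suffix list is an assumption to tune per environment.

```python
"""Separate sandbox network noise from connections worth a look.

Sandbox network tables are dominated by reverse-DNS (PTR) lookups and by the
traffic a freshly provisioned Windows guest produces by itself.
"""
from collections import Counter
from typing import List

# Rows taken from the report (behavioral14 Network table), plus one constructed
# row at the end (RFC 5737 address, .invalid TLD) standing in for a real contact.
NETWORK_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
N/A 224.0.0.251:5353 udp
US 52.111.229.48:443 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 203.0.113.10:443 c2.example.invalid tcp
"""

# Domains a fresh Windows guest contacts on its own (search box, tile images).
# Assumption to extend per environment; a match here is noise, not an indicator.
OS_NOISE_SUFFIXES = (".bing.com", ".bing.net")


def parse_rows(text: str) -> List[dict]:
    """Parse 'Country Destination Domain Proto' rows; Domain may be absent."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:                   # no Domain column: bare IP contact
            country, dest, proto = parts
            domain = ""
        else:
            raise ValueError(f"unparseable row: {line!r}")
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name: str) -> str:
    """28.118.140.52.in-addr.arpa -> 52.140.118.28"""
    octets = name[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets))


def classify(row: dict) -> str:
    domain = row["domain"]
    if domain.endswith(".in-addr.arpa"):
        return "ptr-lookup"
    if row["ip"] == "224.0.0.251" and row["port"] == 5353:
        return "mdns"
    if domain.endswith(OS_NOISE_SUFFIXES) or domain == "bing.com":
        return "os-noise"
    if not domain:
        return "review:bare-ip"
    return "review"


def triage_network(text: str) -> dict:
    rows = parse_rows(text)
    counts = Counter(classify(r) for r in rows)
    review = [r for r in rows if classify(r).startswith("review")]
    # IPs the guest looked up in reverse: handy to cross-reference with other detonations.
    ptr_targets = sorted({ptr_to_ip(r["domain"]) for r in rows if classify(r) == "ptr-lookup"})
    return {"counts": dict(counts), "review": review, "ptr_targets": ptr_targets}


if __name__ == "__main__":
    summary = triage_network(NETWORK_TABLE)
    print(summary["counts"])
    for row in summary["review"]:
        print("review:", row["ip"], row["port"], row["domain"] or "(no domain)", row["proto"])
    print("reverse-looked-up IPs:", summary["ptr_targets"])
```

On the report's real table the review list contains only the 52.111.229.48:443 contact with no domain; everything else is noise, which is consistent with the absence of network signatures on this detonation.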

Files

memory/4424-2-0x00007FFC99D90000-0x00007FFC99D91000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/4424-53-0x000001AF2BB70000-0x000001AF2BC19000-memory.dmp

C:\Users\Admin\AppData\Roaming\XSpammer\Network Persistent State~RFe585e19.TMP

MD5 2800881c775077e1c4b6e06bf4676de4
SHA1 2873631068c8b3b9495638c865915be822442c8b
SHA256 226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974
SHA512 e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

C:\Users\Admin\AppData\Roaming\XSpammer\Network Persistent State

MD5 c5aaf170523a6627a889bb1e69137e67
SHA1 6b2fc79d37ee85634b00c52ecd795e9d1ee2bdf3
SHA256 32db68227150f833e41cd5907195c1f05637cac33fdfbf3fd8f9acbfb94dfe5a
SHA512 3712cdd5ba18a101810b6e6b24a300b0c13400315cfead2569660f4bfc977d2e8be9db6a6109ef9812043b549ff06c3f4aadfd71e5d65d21819ad7e05590fdc3

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-10 22:52

Reported

2024-05-10 22:57

Platform

win7-20240419-en

Max time kernel

119s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 224

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-10 22:52

Reported

2024-05-10 22:57

Platform

win7-20240221-en

Max time kernel

121s

Max time network

135s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 224

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-05-10 22:52

Reported

2024-05-10 22:57

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

163s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3dcompiler_47.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3dcompiler_47.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 24.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-10 22:52

Reported

2024-05-10 22:57

Platform

win7-20240221-en

Max time kernel

122s

Max time network

128s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 220

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-10 22:52

Reported

2024-05-10 23:09

Platform

win7-20240221-en

Max time kernel

846s

Max time network

843s

Command Line

"C:\Users\Admin\AppData\Local\Temp\XSpammer_Setup.exe"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\XSpammer_Setup.exe N/A (12 identical rows)
N/A N/A N/A N/A (4 identical rows)
N/A N/A C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe N/A (2 identical rows)
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe N/A (9 identical rows)

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60678b502da3da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "421543633" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7B4A1F01-0F20-11EF-B1D1-D2EFD46A7D0E} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002dcc56832ee45b40af0f973e997a3e3e000000000200000000001066000000010000200000009d6e0d0c40dd4003b79a0786b4dd9a0972e7ae49788e09d00102c76c762aa2c5000000000e80000000020000200000006866b5e76837982acf8d447b6d1cdfd8d24aefeb485906938ceb49aadc6b69c690000000a863a9fa360a2c36951afcc9a4cf2c71727a0038f729a48e5d6d4547867bcdf8783e66195ef77530f1a7185a85aee7760a98dfe692863e15057d262b103b9014d201655df75e946b54e49328273224027a9aee554c75cb127cb6bc549027af73ca3f461291f4e9b1371e7da19ad44fd7b2089c50b7be057eab904baac9c7d8f7433bf657906ba83d192578b01a0fc4f34000000005da9dea2f13576e4d04f25ab850c2aeebfd9370021dc689576847753fa4f0bc7be44e91717642f49f23587f5b12041918739db115e47040709de6ebb7cef816 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002dcc56832ee45b40af0f973e997a3e3e00000000020000000000106600000001000020000000305d3071d53776547ca584108beafe4bb71045efff0a1f84bb63101c9ac2e8b2000000000e8000000002000020000000c58d2a6754c2d56550ef7a29e05eaf98f54694bfcefc72e6a5572e1edb4af4e920000000d68da9385ae21ca2699fb57fbe90ccd3d798129ef4533a40e14ffdbe2e58639b4000000015552f7993ffbf88d71447ce7a0d379cc6e8dc87d45132f47ced8fc8b2dd1047f0fdfdf99d4b016575f9f3c3ced9bf76581f18c567868c433edd708c2e6fe588 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XSpammer_Setup.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Windows\SysWOW64\msdt.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2068 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
PID 2068 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
PID 2068 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
PID 2068 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
PID 2068 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
PID 2068 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
PID 2068 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
PID 2068 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
PID 2068 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
PID 2068 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
PID 2068 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
PID 2068 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
PID 2068 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
PID 2068 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
PID 2068 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
PID 2068 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
PID 2068 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
PID 2068 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
PID 2068 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
PID 2068 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
PID 2068 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
PID 2068 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
PID 2068 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
PID 2068 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
PID 2068 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
PID 2068 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
PID 2068 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
PID 2068 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
PID 2068 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
PID 2068 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
PID 2068 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
PID 2068 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
PID 2068 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
PID 2068 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
PID 2068 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
PID 2068 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
PID 2068 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
PID 2068 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
PID 2068 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
PID 2068 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
PID 2068 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
PID 2068 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
PID 2068 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
PID 2068 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
PID 2068 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
PID 2068 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
PID 2068 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
PID 2068 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
PID 2068 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
PID 2068 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
PID 2068 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
PID 2068 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
PID 2068 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
PID 2068 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
PID 2068 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
PID 2068 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
PID 2068 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
PID 2068 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
PID 2068 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
PID 2068 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
PID 2068 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
PID 2068 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
PID 2068 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
PID 2068 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\XSpammer_Setup.exe

"C:\Users\Admin\AppData\Local\Temp\XSpammer_Setup.exe"

C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe

"C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe"

C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe

"C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe" --type=gpu-process --field-trial-handle=912,9293781256363360940,3482007066979962795,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=920 /prefetch:2

C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe

"C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=912,9293781256363360940,3482007066979962795,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1320 /prefetch:8

C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe

"C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe" --type=renderer --field-trial-handle=912,9293781256363360940,3482007066979962795,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --app-path="C:\Users\Admin\AppData\Local\Programs\XSpammer\resources\app.asar" --no-sandbox --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1412 /prefetch:1

C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe

"C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe" --type=gpu-process --field-trial-handle=912,9293781256363360940,3482007066979962795,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1136 /prefetch:2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell -NoProfile -NonInteractive –ExecutionPolicy Bypass –WindowStyle Hidden -EncodedCommand UwB0AGEAcgB0ACAAIgBoAHQAdABwAHMAOgAvAC8AdwB3AHcALgB3AHIAaQB0AGUAYgBvAHQAcwAuAGMAbwBtAC8AZABpAHMAYwBvAHIAZAAtAGIAbwB0AC0AdABvAGsAZQBuAC8AIgA=

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.writebots.com/discord-bot-token/

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2076 CREDAT:275457 /prefetch:2

C:\Windows\SysWOW64\msdt.exe

-modal 197094 -skip TRUE -path C:\Windows\diagnostics\system\networking -af C:\Users\Admin\AppData\Local\Temp\NDF1E3A.tmp -ep NetworkDiagnosticsWeb

C:\Windows\SysWOW64\sdiagnhost.exe

C:\Windows\SysWOW64\sdiagnhost.exe -Embedding

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell -NoProfile -NonInteractive –ExecutionPolicy Bypass –WindowStyle Hidden -EncodedCommand UwB0AGEAcgB0ACAAIgBoAHQAdABwAHMAOgAvAC8AdwB3AHcALgB3AHIAaQB0AGUAYgBvAHQAcwAuAGMAbwBtAC8AZABpAHMAYwBvAHIAZAAtAGIAbwB0AC0AdABvAGsAZQBuAC8AIgA=

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2076 CREDAT:537636 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 redirector.gvt1.com udp
DE 142.250.186.142:443 redirector.gvt1.com tcp
US 8.8.8.8:53 r2---sn-aigl6nz7.gvt1.com udp
GB 74.125.168.103:443 r2---sn-aigl6nz7.gvt1.com tcp
US 8.8.8.8:53 www.writebots.com udp
US 137.220.61.173:443 www.writebots.com tcp
US 137.220.61.173:443 www.writebots.com tcp
US 137.220.61.173:443 www.writebots.com tcp
US 137.220.61.173:443 www.writebots.com tcp
US 137.220.61.173:443 www.writebots.com tcp
US 137.220.61.173:443 www.writebots.com tcp
US 137.220.61.173:443 www.writebots.com tcp
US 137.220.61.173:443 www.writebots.com tcp
US 8.8.8.8:53 api.bing.com udp
US 137.220.61.173:443 www.writebots.com tcp
US 137.220.61.173:443 www.writebots.com tcp
US 137.220.61.173:443 www.writebots.com tcp
US 137.220.61.173:443 www.writebots.com tcp
US 137.220.61.173:443 www.writebots.com tcp
US 137.220.61.173:443 www.writebots.com tcp
US 137.220.61.173:443 www.writebots.com tcp
US 137.220.61.173:443 www.writebots.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.135.232:443 discord.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 www.writebots.com udp
US 8.8.8.8:53 www.writebots.com udp
US 137.220.61.173:443 www.writebots.com tcp
US 137.220.61.173:443 www.writebots.com tcp
US 137.220.61.173:443 www.writebots.com tcp
US 137.220.61.173:443 www.writebots.com tcp

Files

\Users\Admin\AppData\Local\Temp\nst2DB6.tmp\System.dll

\Users\Admin\AppData\Local\Temp\nst2DB6.tmp\UAC.dll

\Users\Admin\AppData\Local\Temp\nst2DB6.tmp\StdUtils.dll

\Users\Admin\AppData\Local\Temp\nst2DB6.tmp\nsDialogs.dll

C:\Users\Admin\AppData\Local\Temp\nst2DB6.tmp\nsProcess.dll

\Users\Admin\AppData\Local\Temp\nst2DB6.tmp\nsis7z.dll

\Users\Admin\AppData\Local\Temp\nst2DB6.tmp\WinShell.dll

memory/2864-233-0x0000000002D20000-0x0000000002D22000-memory.dmp

C:\Users\Admin\AppData\Local\Programs\XSpammer\ffmpeg.dll

C:\Users\Admin\AppData\Local\Programs\XSpammer\icudtl.dat

C:\Users\Admin\AppData\Local\Programs\XSpammer\v8_context_snapshot.bin

C:\Users\Admin\AppData\Local\Programs\XSpammer\resources.pak

C:\Users\Admin\AppData\Local\Programs\XSpammer\locales\en-US.pak

C:\Users\Admin\AppData\Local\Programs\XSpammer\chrome_200_percent.pak

C:\Users\Admin\AppData\Local\Programs\XSpammer\chrome_100_percent.pak

memory/320-246-0x0000000000060000-0x0000000000061000-memory.dmp

memory/320-279-0x0000000077520000-0x0000000077521000-memory.dmp

\Users\Admin\AppData\Local\Programs\XSpammer\d3dcompiler_47.dll

\Users\Admin\AppData\Local\Programs\XSpammer\libGLESv2.dll

\Users\Admin\AppData\Local\Programs\XSpammer\libEGL.dll

\Users\Admin\AppData\Local\Programs\XSpammer\swiftshader\libEGL.dll

\Users\Admin\AppData\Local\Programs\XSpammer\swiftshader\libGLESv2.dll

memory/852-405-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

memory/852-406-0x00000000021D0000-0x00000000021D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab893F.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Local\Temp\Tar8A11.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Local\Temp\NDF1E3A.tmp

MD5 f2b1ea88308b603d3575d3179997fa3c
SHA1 b8edda3cc7dcc5cce38094866618b4a87aabfccf
SHA256 743a958b27235db147d2388edc0fd9a83f474d54a3d40d273a27cf6cfc05f034
SHA512 db6f7ff063dd37fb8ab45acfc82e97ca41db6c8a77b285fe14e3c6e60d69cf29b89cc49ea6896525247898ccb0d469abd0de33c2aa48265c87e69cadc3fc4160

C:\Windows\Temp\SDIAG_6aafb33f-f80e-4039-9a87-da5ff66edc1d\en-US\DiagPackage.dll.mui

MD5 1ccc67c44ae56a3b45cc256374e75ee1
SHA1 bbfc04c4b0220ae38fa3f3e2ea52b7370436ed1f
SHA256 030191d10ffb98cecd3f09ebdc606c768aaf566872f718303592fff06ba51367
SHA512 b67241f4ad582e50a32f0ecf53c11796aef9e5b125c4be02511e310b85bdfa3796579bbf3f0c8fe5f106a5591ec85e66d89e062b792ea38ca29cb3b03802f6c6

C:\Windows\Temp\SDIAG_6aafb33f-f80e-4039-9a87-da5ff66edc1d\DiagPackage.dll

MD5 4dae3266ab0bdb38766836008bf2c408
SHA1 1748737e777752491b2a147b7e5360eda4276364
SHA256 d2ff079b3f9a577f22856d1be0217376f140fcf156e3adf27ebe6149c9fd225a
SHA512 91fb8abd1832d785cd5a20da42c5143cd87a8ef49196c06cfb57a7a8de607f39543e8a36be9207842a992769b1c3c55d557519e59063f1f263b499f01887b01b

C:\Windows\TEMP\SDIAG_6aafb33f-f80e-4039-9a87-da5ff66edc1d\NetworkDiagnosticsTroubleshoot.ps1

MD5 1d192ce36953dbb7dc7ee0d04c57ad8d
SHA1 7008e759cb47bf74a4ea4cd911de158ef00ace84
SHA256 935a231924ae5d4a017b0c99d4a5f3904ef280cea4b3f727d365283e26e8a756
SHA512 e864ac74e9425a6c7f1be2bbc87df9423408e16429cb61fa1de8875356226293aa07558b2fafdd5d0597254474204f5ba181f4e96c2bc754f1f414748f80a129

C:\Windows\TEMP\SDIAG_6aafb33f-f80e-4039-9a87-da5ff66edc1d\UtilityFunctions.ps1

MD5 2f7c3db0c268cf1cf506fe6e8aecb8a0
SHA1 fb35af6b329d60b0ec92e24230eafc8e12b0a9f9
SHA256 886a625f71e0c35e5722423ed3aa0f5bff8d120356578ab81a64de2ab73d47f3
SHA512 322f2b1404a59ee86c492b58d56b8a6ed6ebc9b844a8c38b7bb0b0675234a3d5cfc9f1d08c38c218070e60ce949aa5322de7a2f87f952e8e653d0ca34ff0de45

C:\Windows\TEMP\SDIAG_6aafb33f-f80e-4039-9a87-da5ff66edc1d\en-US\LocalizationData.psd1

MD5 dc9be0fdf9a4e01693cfb7d8a0d49054
SHA1 74730fd9c9bd4537fd9a353fe4eafce9fcc105e6
SHA256 944186cd57d6adc23a9c28fc271ed92dd56efd6f3bb7c9826f7208ea1a1db440
SHA512 92ad96fa6b221882a481b36ff2b7114539eb65be46ee9e3139e45b72da80aac49174155483cba6254b10fff31f0119f07cbc529b1b69c45234c7bb61766aad66

C:\Windows\TEMP\SDIAG_6aafb33f-f80e-4039-9a87-da5ff66edc1d\UtilitySetConstants.ps1

MD5 0c75ae5e75c3e181d13768909c8240ba
SHA1 288403fc4bedaacebccf4f74d3073f082ef70eb9
SHA256 de5c231c645d3ae1e13694284997721509f5de64ee5c96c966cdfda9e294db3f
SHA512 8fc944515f41a837c61a6c4e5181ca273607a89e48fbf86cf8eb8db837aed095aa04fc3043029c3b5cb3710d59abfd86f086ac198200f634bfb1a5dd0823406b

C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024051022.000\NetworkDiagnostics.0.debugreport.xml

MD5 58189adb5b23c119c8bf5b20dc6e17e8
SHA1 e4717aeeb9eb4d7bb8be4ebfb6e8fd834a5cbe1d
SHA256 1542908b5cbff5fc4ad9e59cd00dd8f8aac82823cb333f2d17330bc473296a9f
SHA512 6d7ddeaa85723e8a27394e551d0c9ece415d4b4aa6e11aea33a03c683b133c25ded531b04b9c03de91eb064ddd0452c2f967ff84f5861630c59155e7ad8671d5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5ce9c485d3f7748d28acdcc84f33dc3d
SHA1 57cd419db51e310e492dd02206caa26adc78a45b
SHA256 f2f77fbc6f28b88c2a666d1d01252cc9227e4926c985b2d0c1823b4871f0d4d9
SHA512 e51e41625d8addd5d45896595ed52553eb72240d63c2b8c5df8fccfe0a80689f7a330f4343ce6da65446039ca58dfb065e81a18f20f2729d3d6d20469cefac9e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e1015e2a04869841a571afdaf61fd14e
SHA1 7df0d9ee21735cd4af727d9ad5cb7eed70231546
SHA256 54e40b0c83faf233b82d8ed558536dd588ff9345bf1482df0cb5190756e69af2
SHA512 a1e71c82d659e364bc0411e327a832f27cc23f6d91088e5220cc6fde2d247ff9d4b4d42ac9c2d2fe56965bb293d1aa388e119e61125bd5cbd1d055f6d3354613

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 981e94ce48c3fd3090a55fbe042cdff2
SHA1 bd15f5030d6890a91c72e4f2f732388d931c6f4e
SHA256 e3447ccc8b17621996f05bcbea100bfb53f725ac22bbdf1ef69a13fd8e7a06a9
SHA512 bf537af8e3a24512b662a7b613de40f2f1e637ca5bd78dd8f07d747707186eb51b62e40e2318682a3026e2cd1f318862476552ac4ff016e6dd12b340006e929e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2b8cca694625703713a5984bbde4da59
SHA1 7351d3296e8a39e1f931d12bbdb39e8cc0b52cb9
SHA256 3642ed2438b28f327a1e8e49c1a3268a4d32d3c4aaccf4ced20587ca00cc5a94
SHA512 09ffc7202318327075474cfd3dea77d124a48834d61cda4a289a7687cc18eecf5bf3ea7eaef5a518939f1ce9e0aa178df0b204e23582614ca93532d53e050bde

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1b09c5d7e6190ef79161cf572e4cb29b
SHA1 56a2dae3f63072858e617bdb66c29aeb32971b9b
SHA256 e61f61de6409a12d94cd66fd75a7e0fcb7bed7787e8a6de09338180074da9bbd
SHA512 90cff7f35dfe3829b52c1743c70ef07f0b55d6cfdcf3aa31784bffb530f451644705d1fc9fa88d1364e6c13efa818d62f29e97984310fa0539f76951d70ff2ef

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 27485bd6583a80e980b30e90c28ce7d9
SHA1 eae4814353017e4157e406ea00eca814561c3720
SHA256 235502b68667c66d8c3c49a95b2b61897653335410bba51a33ee26adf5c19a48
SHA512 170ce0b713e47f89777d10c2897376e5317f207401bd56e545298adbb87a9b8d75aca58afa9005871791547c0440f37e2370e6841a89148cfcf919c2019f1c96

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2a50e4d1882f93eeacd442fb27a8b1c3
SHA1 1dca1e1b664bde4dfc18467a144ccf1ecf34cf5b
SHA256 24f610e79c06a33e0f6e27ca8581d8ffff3268d4655649ba12b9147f00c83080
SHA512 2d461e182c353e7efd8b2e50be53aa64b6b1e78fe4f5eecae8becf2a142754a614f56d32495bb08d254a9a1a4329020065663e1ead4ce2617d80cb5434b3a54f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 64c9d24aa1fb0c75feb01b356319de91
SHA1 9602ae42566be52f11424e740ff94c0303d86da8
SHA256 cea587ed3fa5f5547ce301f0c1b65f1af3d23085812146a599a8de9abb3e5552
SHA512 b20f131ef5518bf6570c2773733b14eacff60d2800cfaea9dbb81426cf766e2de26cef9c42067b55de74989bff7409ead5b4c3ad7c4c9e2e84a5105c1d0cc19d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 873ece3822790aa1a1307464c49e7602
SHA1 db06dc109086443f12aa09d3ec021541319ba4eb
SHA256 9b63b9750cb47551173e7983201516bb7614c0c2a2bdae17d66e2d967f5b2f84
SHA512 93240d6ddcf2491521510860f827156982d6a5d724c307bd611e129dbf43ff70128c4c5ac813f1085ee353c9d1cd4cd7180e116b2ba354eba9d70b7a0f691e99

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1526a1cfe4e645b44b53562947a55c9e
SHA1 fb87f23a374ee0613127fa3cea91b970f8e25f38
SHA256 8982d2f31db99c64eee3f0781edc2082712757e2918c3018a26085da4640363b
SHA512 233c0ef69d981b09554ddfd9083a4ecef14c25d5b48950415eab4f48846206772f679ba54d88244aebcc1e86cb0b9ba5524929c1b339b31dc0823127dbc38bd8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 577af86817bcfcd59a16bef58645178e
SHA1 d9c1b9093af21863966c5abf325ebd73551b57ef
SHA256 41b68210a18e777b5771920c095d66b53e36a00cd9eefaa7201f6db0353c4c41
SHA512 0e7c9a6413f6c37896957bd3bfb2d40d4f810a4f5228aa216e79b26d0a7e8082bf6087c78832c4a2715fa23dfc3c78622bfdb7dfc70c06b399d09eee017129e4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4be8c8361f70ee722d572d1c722a47fd
SHA1 66c00a90db8499483e7f3b5a1dc72410f1c5a2fe
SHA256 04083dd2a74bda81afe834dc15f8646fc9d67441ff9fd72cff5ec67dde04f5f8
SHA512 f5ccc2e02ca8129e31da11b509ae6152e5b51c9889503ce891c0d6b67a45d3196ff91080e5c274cb4af6693343aa07af94cb4696917193bd57445f0cbd70de22

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\L5D5FK0KD7C03E8I6CXK.temp

MD5 3b8a2446af9605c2076a93cd0c73277b
SHA1 4778e3026a9302881216ffebf39214edc3a2c60b
SHA256 92d3963ab0948dddeeebac19c8df51224a4995126f24693e866a8c743df1d434
SHA512 e1de80928a8123be4c175c1768d0d8f7e28282d43b1e3ea356fc2760e0fb8353a718576503d76e9525db3d860dfa66b4fc6842ef9be4ed5d75828f3582566368

Analysis: behavioral23

Detonation Overview

Submitted

2024-05-10 22:52

Reported

2024-05-10 22:57

Platform

win10v2004-20240508-en

Max time kernel

91s

Max time network

157s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\gifwrap\src\gifframe.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\gifwrap\src\gifframe.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 24.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-05-10 22:52

Reported

2024-05-10 22:57

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

159s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\gifwrap\src\index.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\gifwrap\src\index.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 31.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-10 22:52

Reported

2024-05-10 22:57

Platform

win10v2004-20240508-en

Max time kernel

92s

Max time network

97s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 532 wrote to memory of 4636 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 532 wrote to memory of 4636 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 532 wrote to memory of 4636 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4636 -ip 4636

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-10 22:52

Reported

2024-05-10 22:57

Platform

win7-20240220-en

Max time kernel

120s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 220

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-05-10 22:52

Reported

2024-05-10 22:57

Platform

win7-20240221-en

Max time kernel

134s

Max time network

132s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e861098c19b4244d8627ee4664a96069000000000200000000001066000000010000200000001ca72a5e5a5b3cb4bb15ff52b287d8c7395bd65b92082c2544caf5bb1018c453000000000e80000000020000200000000395c5e93957c61419debacd63961442c138360debf6402f60d90d34789179e4200000004fa5df8be2696660f72478ee922c175a60b9570b4181fd25d151cbf652cb463c400000006fad3bf6a4fc083a1e158720cad04472be23a44d657ff83ad80b6f3490faf12e3fa732fd5cec19a236a3681345de394938c9557f74113014096125f9aff08167 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{57174E51-0F20-11EF-BEEC-D20227E6D795} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 3091102c2da3da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = … C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "421543572" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1924 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab405B.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Cab413A.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar414E.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5caf66aa4e553de647737c044a34b8f5
SHA1 e9b8aad271824fa56a63c9fec31bf45139dd5b3c
SHA256 3b32d6ea36bbbeaf5b8066a918eef5b380f7ba692a54e73dee5044013bd42ad4
SHA512 5a39221bb11135240351c505e504cc737857460d8221338551b92b90d39eed63f37483e9c868a231ad60623c4e8f0178c704b81ac2b60ea334d6b7259ab6892d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7796ee67b5812070bad1266abdecdc08
SHA1 c7af84ee45f39b7e50f0f86e3337cc61dab5b0ae
SHA256 321a4a5f84f5197ebe58415114cd993150493ba97fbdc2d74d85c2e262db6c44
SHA512 e2e852633f364d7d34eb40dd436bd16be142ccd1b4a6dac01c8b25c4df3ea824fb32862040be82574f916b54596832ce387d0c574bf9d2081d97a5835a6b140d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9e4c866b2356db8b8a0589d2e2e69399
SHA1 a5e047489cc2f3134269c5b4c96a9251fae7f38c
SHA256 7766721d112f8644fdc2b2cf2ee36e207bc0208a2cbfc090a417010d7c63fe48
SHA512 ebfbe6194491680eda26442ea6f486b47acb1ef4fbedbf49449a329b3dc54e2c30c007d7a44517b46e52a1473c46bffcf12a761b56a3214d61fcb11c9b3a4303

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 39d7909e06c1ba5f26cef62c81adc8e3
SHA1 d30582e419d74a3ddffc96b98a72023e476d7f53
SHA256 847a8a3b1d71b166772bdd2ad2aae123866cfbfbb4084b67304b9db8252caed3
SHA512 055b14e2f006d1f7c3dd3fcc1f283c1d3aab8046044c83c5eebe573a37bfbbcd286bd9df1e304d49cfc0ef682f99ece903122e949ee2dae633aa9c3a387107b9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 893eeb64ca2991b38deed55f1cfe3965
SHA1 2d9c0f40795cf8034ddf2aef79b2c4846559a0f4
SHA256 31f882bb2e94150e0b602fb1f7075a48813b6919d1ab2dd9833cd94ef17af02c
SHA512 40410fc1b150290132cd8a67b596703264ae839f015aeef4215db52b93c7e21214a3a8f74b3219ba833d4a884c6ea0c00fb81c4113f25d82c939901ac01c7ff4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5bfb4b66df542c0fec2aefc0b45d3ee8
SHA1 0fb237bb52e55e3f358b07ef4e987055770941eb
SHA256 b59a99e715711f26a5696821cf976bd6ca77bae664d9c04fda8a81bb08322286
SHA512 e878e47bf255b810b3adfd6f7c8862e9de2577754870de313d3690c7c30bd237651bbdfa759882840f6078bfcc775e7282b27db05e239922b21a273c5a560e24

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2b404a6f558a88c1cf959cbeac715807
SHA1 60fed05c7e1b9b8409b86a105c0c635a7281051c
SHA256 25671cc04cd4f4ead7a5b3aa51552ac138efd23e7d6f1b9d6ddd3350c2a8cdd2
SHA512 229670e115e0f79238c71e0465884ce974a83cae689c07f4065e69dbf15cef917376789ef1bc66ed2924e286a7a9a62b91561852b84a9b028d429c66864a1c16

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9a4e8e16bb41bbb74ffd385a43977137
SHA1 6c3a21bfd2945093801d9965cda7ccd26f7f7714
SHA256 d15eb58682c1d6f84733e37bee9b01742781c13a998033c0839f8572768937f4
SHA512 135135ac5e7360012af54510d1ff7532529f4bcda913d1e18ab2373247d33e176c396c69e8026270b46cdc2220cae5aec18aca9a57c90790d27c2146c60e044a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 81defd00d32af9a4305604930da2ea5f
SHA1 86aaf7658b783b6b64e1fc4e7dac5a08cae4e118
SHA256 ba831bd4958356e9f05aa22f67661948317473571f901b14a11421634c376030
SHA512 e56600c3d04bf0be3157cf1284a3ae9f4ecb03866fb231c8e9d24098b279a5378accae41ad1f552ba48617cf0d93cd023a1ebcdcfdc4444ccaa15901c6462366

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ed8bf01b475a86f1d1feaf2cc7480020
SHA1 3db2a0c7c1775c75db032b354b2796961ba14f4b
SHA256 f02307fe19f8d18375a0c3f0d6e171c0ab6319724daea1ee97150e06430b198a
SHA512 240c4e36a857503c314cbb8f390736d6bf34b38a3d859c0f7b2db63c5c5adbd3b62a04ab1b60d68652360ee11f473154952acc84e24e634e6093d682d3c0a678

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f1ef181173a71aec01a26d3763929613
SHA1 892072f6754f2b9d596107d0fa86b7c6a57efd28
SHA256 a5558cc1388afacf1c8e372700f8ff4d8402d73613c401180f97deca4663f87a
SHA512 ab1cd89cd8de2b691b891edf152807dae692887c953c16ad621fcbee040ef6cb736d13789a1ff596ac0b45fdd69a57566d83b0633f758d56c9ac4a0d7d6843fc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4827edf7168775bd1a0aaef7aa6b47eb
SHA1 8b75da145ed28e8a0912810bc865db7c97dc26ec
SHA256 1009e48807df96e7768d9c9920bd70881c684c9355a6b79f228de505d273c6f0
SHA512 7eae4b628a7b0f981e6dc0e2e292d76ff3e10b8a9966cd310b7b628bec44fa3d509f3d6d81f6fc7dfdf48aa6b3bbf580999b6b706d5e759a232ccd226d077f5f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 729158b15f616f23b6538d225cb17b1a
SHA1 a1c841acc97bf752d1e055c04e75f3550b87a85f
SHA256 11f1082c01cc1b4149d996c3eb094eddeaf77d57d50c4315fcda961b54e291a4
SHA512 63425394e819974715ae6db676d06c5b26661d0d0782de5e434af7f85599ab3ccbe628eb3b3e2487b10a49170a428d63c5a2660dc040254dd443b72dded6f0f5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4499186c67a361050a57bb5518ada09f
SHA1 140fd97b5ec45450e8079f6f7dea537c95acb0cd
SHA256 8749870bd079ab6efa9b8b6e6b14a070b966ee9af9df7c7007fe8c29674282f3
SHA512 e6f833f9a6a46966314db18664a0c2f82b203c790496ac162e9e1db3af5de56fadbe128c17e59621221de4e528036960357b74ed951db6b337295f57e36d6101

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b5c9540ef2d045a838005faf063d089b
SHA1 82a57fb89ee4dbdf8c5c3de44d3a5e703ca3b9c8
SHA256 9c8417eb1b319532c9465fea48d3f082b1321e373d23975fea335682690c82c9
SHA512 a93f2289dee29d357fbbb802954b227921dfde25db36a8fe74bb1b6b59241ac8b93183098c6de1ac5a12339a044cb197a8c96738e1f98242e7e0eb183d0b5fa4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 27a4b4f8594bf44cd81cd497c2114b85
SHA1 0ea7172fdbe5f31a0a7042f751b4fd2c3eb40092
SHA256 99ca44ae86919f4670c3e8a968bc3e889797779b48b19fa7096158674f128998
SHA512 af646a51edbd22cc4b0a5f297b1f7a28f11817651d8db8607a103ec28233538a8e4acc73a7a377902bd88b94acc0f58789118ec63d461090e0e0fec4530f22cc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0fcaebcdf797315b831e14ea99b1ae20
SHA1 aa7d7fac02b77d4995fd7d69bedee27927847b9a
SHA256 3ecdbdd4b50e5e55c6acd68e7bc5872c7aa47d67434f326527b0c76c2dad615f
SHA512 75a097df71f984154737a75d36c963a39ded881b8f35aa872bcea90ed2881d011ba0fe11ec1033fdf51a71a1e21686988930030c4a805b0e1f4ad6d6a71006cc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ffdbcc315fb95ebeb8b9e558e6aba3cf
SHA1 030bdf56237958be4850b3c518adbfa92e3d7aec
SHA256 76c80cf00b4238538003aafbd94a32e9844a3992a9dc2729213b6c0f16f5e5f7
SHA512 20aa600e8f1bc7cb7de6355998d22c446405a17cb3054b153d3267f60d7e7c65a1d7f0595a56692c561660596db5289b7a50e1e9543a4754063e9ea63fa365c0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f1c32b73cf282c207180d6155a1675b5
SHA1 5e30c482a01462280734da9d7fca2b7084fced48
SHA256 102aa3fb753787527675bc187bd6a30e6703ea201a4b471847d1c1914d5d28e7
SHA512 77aaaf2d1d3dfb6a7ad3da8e743235734de064345c8ae436314d264e8a4eedb131cb06df1e47383f079bb99e8a5e12868f71209060390380b03c0bdb6df0c83e

Analysis: behavioral13

Detonation Overview

Submitted

2024-05-10 22:52

Reported

2024-05-10 22:57

Platform

win7-20240419-en

Max time kernel

149s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\XSpammer.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\XSpammer.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\XSpammer.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 C:\Users\Admin\AppData\Local\Temp\XSpammer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\XSpammer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\Temp\XSpammer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\XSpammer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Users\Admin\AppData\Local\Temp\XSpammer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz C:\Users\Admin\AppData\Local\Temp\XSpammer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\XSpammer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1760 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\XSpammer.exe C:\Users\Admin\AppData\Local\Temp\XSpammer.exe (41 identical events)
PID 1760 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\XSpammer.exe C:\Users\Admin\AppData\Local\Temp\XSpammer.exe (3 identical events)
PID 1760 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\XSpammer.exe C:\Users\Admin\AppData\Local\Temp\XSpammer.exe (3 identical events)
PID 1760 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\XSpammer.exe C:\Users\Admin\AppData\Local\Temp\XSpammer.exe (17 identical events)

Processes

C:\Users\Admin\AppData\Local\Temp\XSpammer.exe

"C:\Users\Admin\AppData\Local\Temp\XSpammer.exe"

C:\Users\Admin\AppData\Local\Temp\XSpammer.exe

"C:\Users\Admin\AppData\Local\Temp\XSpammer.exe" --type=gpu-process --field-trial-handle=992,14382622926912950555,6883120070423428507,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1000 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\XSpammer.exe

"C:\Users\Admin\AppData\Local\Temp\XSpammer.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=992,14382622926912950555,6883120070423428507,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1312 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\XSpammer.exe

"C:\Users\Admin\AppData\Local\Temp\XSpammer.exe" --type=renderer --field-trial-handle=992,14382622926912950555,6883120070423428507,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1416 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\XSpammer.exe

"C:\Users\Admin\AppData\Local\Temp\XSpammer.exe" --type=gpu-process --field-trial-handle=992,14382622926912950555,6883120070423428507,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1000 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 redirector.gvt1.com udp
DE 142.250.186.142:443 redirector.gvt1.com tcp
US 8.8.8.8:53 r2---sn-aigl6nz7.gvt1.com udp
GB 74.125.168.103:443 r2---sn-aigl6nz7.gvt1.com tcp

Files

memory/2628-1-0x0000000000060000-0x0000000000061000-memory.dmp

memory/2628-33-0x00000000777E0000-0x00000000777E1000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-05-10 22:52

Reported

2024-05-10 22:57

Platform

win7-20231129-en

Max time kernel

117s

Max time network

126s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\gifwrap\src\bitmapimage.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\gifwrap\src\bitmapimage.js

Network

N/A

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-05-10 22:52

Reported

2024-05-10 22:57

Platform

win10v2004-20240508-en

Max time kernel

91s

Max time network

164s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\gifwrap\src\bitmapimage.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\gifwrap\src\bitmapimage.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 31.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-05-10 22:52

Reported

2024-05-10 22:57

Platform

win10v2004-20240426-en

Max time kernel

148s

Max time network

156s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\gifwrap\src\gif.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\gifwrap\src\gif.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-10 22:52

Reported

2024-05-10 22:57

Platform

win10v2004-20240508-en

Max time kernel

92s

Max time network

129s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 228 wrote to memory of 4020 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 228 wrote to memory of 4020 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 228 wrote to memory of 4020 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
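The WriteProcessMemory rows in behavioral13 above and in this run look like injection at first glance, but the process lists explain them. XSpammer.exe is an Electron application: it relaunches its own image with Chromium's --type=gpu-process, --type=utility and --type=renderer switches and points the renderer at resources\app.asar, and a Chromium browser process writes into each child it has just created as part of normal startup, so the forty-odd identical parent-to-child rows are the multi-process model, not code injection. The rundll32 pair here is the 64-bit C:\Windows\system32\rundll32.exe handing the 32-bit NSIS plugin $PLUGINSDIR\StdUtils.dll to C:\Windows\SysWOW64\rundll32.exe; the WerFault entries that follow are consistent with an NSIS plugin export being called with rundll32's argument convention instead of the installer's, which it is not written to survive. The helper below is an added example, not part of this report or of the sandbox that produced it: it collapses identical rows and labels each parent/child pair from the Process column and the command lines in the Processes section. The sample rows are copied from the tables above, with one hypothetical dropper.exe-to-svchost.exe row added to show the path an analyst should actually chase; the Chromium and WOW64 rules are heuristics, not ground truth, and the "--type=" check assumes the report's command-line quoting.

```python
"""Added triage helper (not part of the report): collapse the sandbox's
'Suspicious use of WriteProcessMemory' rows and label each parent/child pair
by process lineage, so that Chromium/Electron child-process startup and the
WOW64 rundll32 relaunch are not mistaken for process injection."""
import re
from collections import Counter

# One row per WriteProcessMemory call. A trailing "(N identical events)" is
# accepted so that a collapsed table parses the same way as the raw one.
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A "
    r"(?P<src_img>\S.*?\.exe) (?P<dst_img>\S.*?\.exe)"
    r"(?: \((?P<n>\d+) identical events\))?$",
    re.IGNORECASE,
)


def parse_rows(text):
    """Return [(row, count)] with row = (src_pid, dst_pid, src_image, dst_image)."""
    parsed = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header, blank line, or a row belonging to another signature
        row = (int(m["src"]), int(m["dst"]), m["src_img"], m["dst_img"])
        parsed.append((row, int(m["n"] or 1)))
    return parsed


def collapse(parsed):
    """Sum identical rows; the report emits one row per call."""
    counts = Counter()
    for row, n in parsed:
        counts[row] += n
    return counts


def classify(row, cmdlines):
    """Label one (src_pid, dst_pid, src_image, dst_image) tuple.

    cmdlines are the command lines from the report's Processes section.
    Heuristics (assumptions, see the lead-in):
      * a Chromium-based host relaunches its own image with --type=... and
        writes into each child during startup;
      * 64-bit rundll32.exe hands a 32-bit DLL to the SysWOW64 rundll32.exe;
      * anything else that crosses an image boundary needs a closer look.
    """
    _, _, src_img, dst_img = row
    src, dst = src_img.lower(), dst_img.lower()
    if src == dst:
        marker = f'"{src}" --type='
        if any(c.lower().startswith(marker) for c in cmdlines):
            return "expected: Chromium/Electron child process"
        return "investigate: same image, no Chromium child markers"
    if src.endswith(r"\system32\rundll32.exe") and dst.endswith(r"\syswow64\rundll32.exe"):
        return "expected: WOW64 rundll32 relaunch (32-bit DLL)"
    return "investigate: cross-image write"


def triage(text, cmdlines):
    """Collapse the table and label every distinct parent/child pair."""
    return [(row, n, classify(row, cmdlines))
            for row, n in collapse(parse_rows(text)).items()]


# Constructed sample: rows copied from the behavioral13 and behavioral4 tables,
# plus one hypothetical dropper.exe -> svchost.exe row (not from the report).
SAMPLE_ROWS = r"""
Description Indicator Process Target
PID 1760 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\XSpammer.exe C:\Users\Admin\AppData\Local\Temp\XSpammer.exe
PID 1760 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\XSpammer.exe C:\Users\Admin\AppData\Local\Temp\XSpammer.exe
PID 1760 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\XSpammer.exe C:\Users\Admin\AppData\Local\Temp\XSpammer.exe (17 identical events)
PID 2112 wrote to memory of 3708 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 228 wrote to memory of 4020 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4444 wrote to memory of 5555 N/A C:\Users\Admin\AppData\Local\Temp\dropper.exe C:\Windows\System32\svchost.exe
"""

# Command lines from the Processes sections (long Chromium switches trimmed).
CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\XSpammer.exe"',
    r'"C:\Users\Admin\AppData\Local\Temp\XSpammer.exe" --type=gpu-process --mojo-platform-channel-handle=1000 /prefetch:2',
    r'"C:\Users\Admin\AppData\Local\Temp\XSpammer.exe" --type=renderer --no-sandbox --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar"',
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService',
    r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1",
]

if __name__ == "__main__":
    for (src, dst, src_img, dst_img), n, label in triage(SAMPLE_ROWS, CMDLINES):
        print(f"{src} -> {dst} x{n:<3} {label}")
```

The same-image rule deliberately requires a --type= child of that exact image in the process list; a self-spawn without Chromium markers (a packer re-executing itself, for instance) stays flagged.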

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4020 -ip 4020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 628

Network

Country Destination Domain Proto
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-05-10 22:52

Reported

2024-05-10 22:57

Platform

win7-20240508-en

Max time kernel

118s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe

"C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe"

Network

N/A

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-05-10 22:52

Reported

2024-05-10 22:57

Platform

win10v2004-20240508-en

Max time kernel

119s

Max time network

159s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\gifwrap\templates\README.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\gifwrap\templates\README.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 31.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 28.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-05-10 22:52

Reported

2024-05-10 22:57

Platform

win10v2004-20240226-en

Max time kernel

131s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1592 -ip 1592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 612

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1044 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
GB 142.250.187.234:443 tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 31.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.179.89.13.in-addr.arpa udp
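The Network tables in the Windows 10 runs above (behavioral17, behavioral19, behavioral4, behavioral29 and this one) are mostly not the sample's doing. The in-addr.arpa names are reverse lookups of addresses the machine had just contacted (237.197.79.204.in-addr.arpa is 204.79.197.237, the g.bing.com address a few rows earlier; 97.61.62.23.in-addr.arpa is the www.bing.com address 23.62.61.97), and the bing.com connections are the Windows 10 image's own background traffic. The wscript.exe runs in particular detonate files unpacked from the installer with the Windows Script Host; a Node.js module under node_modules is not meant to run there, so the "Command and Scripting Interpreter: JavaScript" hit records the interpreter that was used, not behaviour of the installer. By contrast, the gvt1.com traffic in behavioral13 (redirector.gvt1.com and the r2---sn-aigl6nz7.gvt1.com edge node; gvt1.com is a Google content-delivery domain that Chromium uses for component downloads) was generated by XSpammer.exe itself and belongs in the indicator set, and the two rows in this run that show an address but no name should be pivoted on by IP. The helper below is an added example, not part of this report or of the sandbox that produced it: it parses the table as printed, links each reverse lookup back to the connection that triggered it, separates background names from attributable ones, and keeps no-hostname rows aside. The bing.com allowlist is an assumption about this sandbox image, and the sample rows are constructed from the tables above.

```python
"""Added triage helper (not part of the report): split a sandbox Network table
into traffic attributable to the detonated file, Windows background traffic,
reverse-DNS noise, and connections shown without a hostname."""

# Assumption: names the sandbox's Windows 10 image contacts on its own
# (search box / Edge). An illustrative allowlist; tune it per environment.
BACKGROUND_SUFFIXES = ("bing.com", "bing.net")


def parse_network(text):
    """Parse 'Country Destination Domain Proto' rows; Domain may be missing."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            continue
        ip, sep, port = dest.rpartition(":")
        if not sep or not port.isdigit():
            continue  # header line or malformed row
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def classify(row):
    """Coarse label for one row."""
    d = row["domain"]
    if d is None:
        return "unresolved"
    if d.endswith(".in-addr.arpa"):
        return "noise"
    if any(d == s or d.endswith("." + s) for s in BACKGROUND_SUFFIXES):
        return "background"
    return "attributable"


def ptr_to_ip(ptr_name):
    """'237.197.79.204.in-addr.arpa' -> '204.79.197.237'."""
    return ".".join(reversed(ptr_name[:-len(".in-addr.arpa")].split(".")))


def link_reverse_lookups(rows):
    """Map each PTR query to the non-DNS connection that explains it, if any."""
    contacted = {r["ip"] for r in rows if r["port"] != 53}
    return {r["domain"]: ptr_to_ip(r["domain"])
            for r in rows
            if (r["domain"] or "").endswith(".in-addr.arpa")
            and ptr_to_ip(r["domain"]) in contacted}


def summarize(text):
    """Bucket the table; attributable names keep their DNS count and endpoints."""
    rows = parse_network(text)
    out = {"attributable": {}, "background": set(), "noise": 0,
           "unresolved": set(), "reverse_links": link_reverse_lookups(rows)}
    for r in rows:
        kind = classify(r)
        if kind == "noise":
            out["noise"] += 1
        elif kind == "unresolved":
            out["unresolved"].add((r["ip"], r["port"]))
        elif kind == "background":
            out["background"].add(r["domain"])
        else:
            entry = out["attributable"].setdefault(
                r["domain"], {"dns": 0, "connections": set()})
            if r["port"] == 53 and r["proto"] == "udp":
                entry["dns"] += 1
            else:
                entry["connections"].add((r["ip"], r["port"], r["proto"]))
    return out


# Constructed sample: rows copied from the behavioral13, behavioral17,
# behavioral19 and behavioral10 Network tables above.
SAMPLE_NETWORK = """
Country Destination Domain Proto
US 8.8.8.8:53 redirector.gvt1.com udp
DE 142.250.186.142:443 redirector.gvt1.com tcp
US 8.8.8.8:53 r2---sn-aigl6nz7.gvt1.com udp
GB 74.125.168.103:443 r2---sn-aigl6nz7.gvt1.com tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
GB 142.250.187.234:443 tcp
"""

if __name__ == "__main__":
    s = summarize(SAMPLE_NETWORK)
    for name, info in s["attributable"].items():
        print(f"attributable {name}: {info['dns']} DNS lookups, {sorted(info['connections'])}")
    print("background:", sorted(s["background"]))
    print("reverse lookups explained:", s["reverse_links"])
    print("no hostname:", sorted(s["unresolved"]), "| PTR noise rows:", s["noise"])
```

A PTR query whose address never appears as a connection in the same table (26.165.165.52.in-addr.arpa here) is left in the noise count rather than linked; it usually belongs to traffic the report did not list, and is worth a passive-DNS lookup only if it recurs across runs.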

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-05-10 22:52

Reported

2024-05-10 22:57

Platform

win10v2004-20240426-en

Max time kernel

146s

Max time network

157s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html

Signatures

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (25 identical events)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (24 identical events)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2112 wrote to memory of 1132 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (2 identical events)
PID 2112 wrote to memory of 3708 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (40 identical events)
PID 2112 wrote to memory of 4100 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (2 identical events)
PID 2112 wrote to memory of 3992 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2112 wrote to memory of 3992 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2112 wrote to memory of 3992 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2112 wrote to memory of 3992 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2112 wrote to memory of 3992 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2112 wrote to memory of 3992 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2112 wrote to memory of 3992 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2112 wrote to memory of 3992 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2112 wrote to memory of 3992 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2112 wrote to memory of 3992 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2112 wrote to memory of 3992 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2112 wrote to memory of 3992 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2112 wrote to memory of 3992 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2112 wrote to memory of 3992 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2112 wrote to memory of 3992 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2112 wrote to memory of 3992 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2112 wrote to memory of 3992 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2112 wrote to memory of 3992 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2112 wrote to memory of 3992 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2112 wrote to memory of 3992 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa33a346f8,0x7ffa33a34708,0x7ffa33a34718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,8566846218510899327,14804219544076551426,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,8566846218510899327,14804219544076551426,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,8566846218510899327,14804219544076551426,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8566846218510899327,14804219544076551426,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8566846218510899327,14804219544076551426,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,8566846218510899327,14804219544076551426,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4748 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,8566846218510899327,14804219544076551426,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4748 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8566846218510899327,14804219544076551426,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8566846218510899327,14804219544076551426,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8566846218510899327,14804219544076551426,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4044 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8566846218510899327,14804219544076551426,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,8566846218510899327,14804219544076551426,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4136 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 31.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 8b167567021ccb1a9fdf073fa9112ef0
SHA1 3baf293fbfaa7c1e7cdacb5f2975737f4ef69898
SHA256 26764cedf35f118b55f30b3a36e0693f9f38290a5b2b6b8b83a00e990ae18513
SHA512 726098001ef1acf1dd154a658752fa27dea32bca8fbb66395c142cb666102e71632adbad1b7e2f717071cd3e3af3867471932a71707f2ae97b989f4be468ab54

\??\pipe\LOCAL\crashpad_2112_LGRHRHAZKFHBUKGR

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 537815e7cc5c694912ac0308147852e4
SHA1 2ccdd9d9dc637db5462fe8119c0df261146c363c
SHA256 b4b69d099507d88abdeff4835e06cc6711e1c47464c963d013cef0a278e52d4f
SHA512 63969a69af057235dbdecddc483ef5ce0058673179a3580c5aa12938c9501513cdb72dd703a06fa7d4fc08d074f17528283338c795334398497c771ecbd1350a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 75ed13a091cd429b4514dc1dc39e9f93
SHA1 a7d8f1e268110b1ac8e1c6bd49a58f33e97d809c
SHA256 85d52eda50a8a0ae944c764ecd2e931e2eff97fcbf1eabe1b0ad7cd3077a15ad
SHA512 15fa78918352739523001a05b46a0e0b4ef2a484f06f6f42b5e0228751071c91e78f1db6de06610fc38bd951feb43467f3f3df1656557d4a526be7d878a98b53

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 ac637aa8aeda6477671b31782a76f613
SHA1 28a5eb95bdbc2d8cd5c40a8b8f3cc0faf8b7a22f
SHA256 2494cb36691ed1b820e852fa492161a44b80c5db183efcbb099cfa9c5387b637
SHA512 0c2137c0174160cb186967a6ec11309cfb8a36be34a413cc94f4b6ecc7021df33c776c5f0f52f5a3fa1bc6f28e566c7de20d29e49770023f403cdcda0b9c8c82

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 b6efcb9a8e4d9a9287c957a724524d7a
SHA1 682177f5d6af06180aa00cb38c186c05c5b5b872
SHA256 5852047cac52c3ac23ca28cfba1eeb9e3a7af2a64d8670efa07597152b247e1b
SHA512 00427cf63297cb7863dadd4c31c6879e241f5cffe4dae40cfd3fa6252d85854288fbe8869ba84018bedd6a6db7b54b0872b4ff48478b647bd8fa401df87ff673

Analysis: behavioral21

Detonation Overview

Submitted

2024-05-10 22:52

Reported

2024-05-10 22:57

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

159s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\gifwrap\src\gifcodec.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\gifwrap\src\gifcodec.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-05-10 22:52

Reported

2024-05-10 22:58

Platform

win7-20240221-en

Max time kernel

118s

Max time network

137s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\gifwrap\src\gifframe.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\gifwrap\src\gifframe.js

Network

N/A

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-05-10 22:52

Reported

2024-05-10 22:58

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

176s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\gifwrap\src\gifutil.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\gifwrap\src\gifutil.js

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4088 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 13.107.253.67:443 tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 31.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 10.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
DE 142.250.184.202:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 202.184.250.142.in-addr.arpa udp

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-05-10 22:52

Reported

2024-05-10 22:57

Platform

win7-20240508-en

Max time kernel

121s

Max time network

127s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\gifwrap\templates\README.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\gifwrap\templates\README.js

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-10 22:52

Reported

2024-05-10 22:57

Platform

win10v2004-20240508-en

Max time kernel

120s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\XSpammer_Setup.exe"

Signatures

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\XSpammer_Setup.exe

"C:\Users\Admin\AppData\Local\Temp\XSpammer_Setup.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsy687F.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

C:\Users\Admin\AppData\Local\Temp\nsy687F.tmp\UAC.dll

MD5 adb29e6b186daa765dc750128649b63d
SHA1 160cbdc4cb0ac2c142d361df138c537aa7e708c9
SHA256 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
SHA512 b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

C:\Users\Admin\AppData\Local\Temp\nsy687F.tmp\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Analysis: behavioral18

Detonation Overview

Submitted

2024-05-10 22:52

Reported

2024-05-10 22:57

Platform

win7-20240508-en

Max time kernel

121s

Max time network

130s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\gifwrap\src\gif.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\gifwrap\src\gif.js

Network

N/A

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-05-10 22:52

Reported

2024-05-10 22:57

Platform

win7-20240508-en

Max time kernel

121s

Max time network

128s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\gifwrap\src\gifcodec.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\gifwrap\src\gifcodec.js

Network

N/A

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-05-10 22:52

Reported

2024-05-10 22:57

Platform

win7-20240419-en

Max time kernel

122s

Max time network

132s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\gifwrap\src\index.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\gifwrap\src\index.js

Network

N/A

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-05-10 22:52

Reported

2024-05-10 22:57

Platform

win7-20240220-en

Max time kernel

122s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\swiftshader\libEGL.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\swiftshader\libEGL.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-10 22:52

Reported

2024-05-10 22:57

Platform

win10v2004-20240508-en

Max time kernel

94s

Max time network

104s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2452 wrote to memory of 1804 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2452 wrote to memory of 1804 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2452 wrote to memory of 1804 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1804 -ip 1804

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1804 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp

Files

N/A