Malware Analysis Report

2024-12-08 03:06

Sample ID: 240510-pfd8radf9y
Target: STALCUBE_Setup.exe
SHA256: 2dca48bed9340c1d9a6688a5a40099fde66a5ab20caa8ef6c3ca7a2bc543f1d4
Tags: privateloader discovery execution
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1 (Detonation Overview, Signatures)

Analysis: behavioral5, behavioral8, behavioral30, behavioral32, behavioral17, behavioral23, behavioral27, behavioral28, behavioral3, behavioral16, behavioral19, behavioral21, behavioral22, behavioral1, behavioral15, behavioral18, behavioral20, behavioral25, behavioral13, behavioral14, behavioral24, behavioral2, behavioral7, behavioral9, behavioral11, behavioral12, behavioral4, behavioral6, behavioral10, behavioral26, behavioral29, behavioral31 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10

SHA256: 2dca48bed9340c1d9a6688a5a40099fde66a5ab20caa8ef6c3ca7a2bc543f1d4

Threat Level: Known bad

The file STALCUBE_Setup.exe was found to be: Known bad.

Malicious Activity Summary

privateloader discovery execution

Privateloader family

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Checks installed software on the system

Drops file in Program Files directory

Enumerates physical storage devices

Command and Scripting Interpreter: PowerShell

Program crash

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Opens file in notepad (likely ransom note)

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Modifies system certificate store

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-10 12:17

Signatures

Privateloader family

privateloader

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-10 12:15

Reported

2024-05-10 12:32

Platform

win10-20240404-en

Max time kernel

131s

Max time network

137s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5036 wrote to memory of 3800 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5036 wrote to memory of 3800 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5036 wrote to memory of 3800 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3800 -s 628

Network

Country Destination Domain Proto
US 8.8.8.8:53 143.191.110.104.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-10 12:15

Reported

2024-05-10 12:32

Platform

win10-20240404-en

Max time kernel

116s

Max time network

138s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\chrome_100_percent.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\chrome_100_percent.pak

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 1.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-05-10 12:15

Reported

2024-05-10 12:31

Platform

win10-20240404-en

Max time kernel

134s

Max time network

135s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4188 wrote to memory of 2164 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4188 wrote to memory of 2164 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4188 wrote to memory of 2164 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2164 -s 628

Network

Country Destination Domain Proto
US 8.8.8.8:53 143.191.110.104.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 171.117.168.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-05-10 12:15

Reported

2024-05-10 12:31

Platform

win10-20240404-en

Max time kernel

134s

Max time network

137s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1008 wrote to memory of 1884 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1008 wrote to memory of 1884 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1008 wrote to memory of 1884 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1884 -s 616

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 56.28.101.95.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 28.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-05-10 12:15

Reported

2024-05-10 12:32

Platform

win10-20240404-en

Max time kernel

115s

Max time network

137s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\cs.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\cs.pak

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 4.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-05-10 12:15

Reported

2024-05-10 12:32

Platform

win10-20240404-en

Max time kernel

130s

Max time network

136s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2564 wrote to memory of 4912 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2564 wrote to memory of 4912 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2564 wrote to memory of 4912 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 616

Network

Country Destination Domain Proto
US 8.8.8.8:53 143.191.110.104.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 91.65.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-05-10 12:15

Reported

2024-05-10 12:31

Platform

win10-20240404-en

Max time kernel

133s

Max time network

136s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1340 wrote to memory of 1740 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1340 wrote to memory of 1740 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1340 wrote to memory of 1740 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 636

Network

Country Destination Domain Proto
US 8.8.8.8:53 143.191.110.104.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 85.65.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-05-10 12:15

Reported

2024-05-10 12:31

Platform

win10-20240404-en

Max time kernel

130s

Max time network

137s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2512 wrote to memory of 4264 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2512 wrote to memory of 4264 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2512 wrote to memory of 4264 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 628

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.28.101.95.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 8.167.79.40.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-10 12:15

Reported

2024-05-10 12:31

Platform

win10-20240404-en

Max time kernel

131s

Max time network

136s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4824 wrote to memory of 1964 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4824 wrote to memory of 1964 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4824 wrote to memory of 1964 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 636

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.28.101.95.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 4.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-05-10 12:15

Reported

2024-05-10 12:32

Platform

win10-20240404-en

Max time kernel

129s

Max time network

138s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\ca.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\ca.pak

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 8.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-05-10 12:15

Reported

2024-05-10 12:32

Platform

win10-20240404-en

Max time kernel

128s

Max time network

135s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\de.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\de.pak

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 10.179.89.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-05-10 12:15

Reported

2024-05-10 12:32

Platform

win10-20240404-en

Max time kernel

124s

Max time network

136s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vk_swiftshader.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vk_swiftshader.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 143.191.110.104.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-05-10 12:15

Reported

2024-05-10 12:32

Platform

win10-20240404-en

Max time kernel

127s

Max time network

138s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vulkan-1.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vulkan-1.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 143.191.110.104.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 130.109.69.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-10 12:15

Reported

2024-05-10 12:30

Platform

win10-20240404-en

Max time kernel

51s

Max time network

49s

Command Line

"C:\Users\Admin\AppData\Local\Temp\STALCUBE_Setup.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation C:\Program Files\STORM Launcher\STORM Launcher.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation C:\Program Files\STORM Launcher\STORM Launcher.exe N/A

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\STORM Launcher\locales\da.pak C:\Users\Admin\AppData\Local\Temp\STALCUBE_Setup.exe N/A
File created C:\Program Files\STORM Launcher\resources\app.asar.unpacked\resources\icon.png C:\Users\Admin\AppData\Local\Temp\STALCUBE_Setup.exe N/A
File opened for modification C:\Program Files\STORM Launcher\locales\am.pak C:\Users\Admin\AppData\Local\Temp\STALCUBE_Setup.exe N/A
File opened for modification C:\Program Files\STORM Launcher\locales\lt.pak C:\Users\Admin\AppData\Local\Temp\STALCUBE_Setup.exe N/A
File created C:\Program Files\STORM Launcher\locales\ms.pak C:\Users\Admin\AppData\Local\Temp\STALCUBE_Setup.exe N/A
File opened for modification C:\Program Files\STORM Launcher\locales\ta.pak C:\Users\Admin\AppData\Local\Temp\STALCUBE_Setup.exe N/A
File opened for modification C:\Program Files\STORM Launcher\resources\app.asar.unpacked\resources\background.png C:\Users\Admin\AppData\Local\Temp\STALCUBE_Setup.exe N/A
File opened for modification C:\Program Files\STORM Launcher\v8_context_snapshot.bin C:\Users\Admin\AppData\Local\Temp\STALCUBE_Setup.exe N/A
File opened for modification C:\Program Files\STORM Launcher\locales\fil.pak C:\Users\Admin\AppData\Local\Temp\STALCUBE_Setup.exe N/A
File opened for modification C:\Program Files\STORM Launcher\locales\ml.pak C:\Users\Admin\AppData\Local\Temp\STALCUBE_Setup.exe N/A
File created C:\Program Files\STORM Launcher\locales\pl.pak C:\Users\Admin\AppData\Local\Temp\STALCUBE_Setup.exe N/A
File opened for modification C:\Program Files\STORM Launcher\locales\kn.pak C:\Users\Admin\AppData\Local\Temp\STALCUBE_Setup.exe N/A
File created C:\Program Files\STORM Launcher\locales\lv.pak C:\Users\Admin\AppData\Local\Temp\STALCUBE_Setup.exe N/A
File created C:\Program Files\STORM Launcher\locales\sr.pak C:\Users\Admin\AppData\Local\Temp\STALCUBE_Setup.exe N/A
File created C:\Program Files\STORM Launcher\locales\te.pak C:\Users\Admin\AppData\Local\Temp\STALCUBE_Setup.exe N/A
File created C:\Program Files\STORM Launcher\locales\uk.pak C:\Users\Admin\AppData\Local\Temp\STALCUBE_Setup.exe N/A
File opened for modification C:\Program Files\STORM Launcher\ffmpeg.dll C:\Users\Admin\AppData\Local\Temp\STALCUBE_Setup.exe N/A
File opened for modification C:\Program Files\STORM Launcher\resources\app.asar.unpacked\resources C:\Users\Admin\AppData\Local\Temp\STALCUBE_Setup.exe N/A
File opened for modification C:\Program Files\STORM Launcher\locales\af.pak C:\Users\Admin\AppData\Local\Temp\STALCUBE_Setup.exe N/A
File opened for modification C:\Program Files\STORM Launcher\locales\ar.pak C:\Users\Admin\AppData\Local\Temp\STALCUBE_Setup.exe N/A
File opened for modification C:\Program Files\STORM Launcher\locales\en-US.pak C:\Users\Admin\AppData\Local\Temp\STALCUBE_Setup.exe N/A
File created C:\Program Files\STORM Launcher\locales\gu.pak C:\Users\Admin\AppData\Local\Temp\STALCUBE_Setup.exe N/A
File opened for modification C:\Program Files\STORM Launcher\locales\vi.pak C:\Users\Admin\AppData\Local\Temp\STALCUBE_Setup.exe N/A
File opened for modification C:\Program Files\STORM Launcher\resources\app.asar.unpacked\resources\version.json C:\Users\Admin\AppData\Local\Temp\STALCUBE_Setup.exe N/A
File created C:\Program Files\STORM Launcher\libGLESv2.dll C:\Users\Admin\AppData\Local\Temp\STALCUBE_Setup.exe N/A
File created C:\Program Files\STORM Launcher\resources\elevate.exe C:\Users\Admin\AppData\Local\Temp\STALCUBE_Setup.exe N/A
File created C:\Program Files\STORM Launcher\LICENSE.electron.txt C:\Users\Admin\AppData\Local\Temp\STALCUBE_Setup.exe N/A
File created C:\Program Files\STORM Launcher\locales\el.pak C:\Users\Admin\AppData\Local\Temp\STALCUBE_Setup.exe N/A
File opened for modification C:\Program Files\STORM Launcher\locales\es.pak C:\Users\Admin\AppData\Local\Temp\STALCUBE_Setup.exe N/A
File created C:\Program Files\STORM Launcher\locales\nl.pak C:\Users\Admin\AppData\Local\Temp\STALCUBE_Setup.exe N/A
File created C:\Program Files\STORM Launcher\resources\app.asar.unpacked\resources\version.json C:\Users\Admin\AppData\Local\Temp\STALCUBE_Setup.exe N/A
File opened for modification C:\Program Files\STORM Launcher\LICENSES.chromium.html C:\Users\Admin\AppData\Local\Temp\STALCUBE_Setup.exe N/A
File created C:\Program Files\STORM Launcher\locales\bn.pak C:\Users\Admin\AppData\Local\Temp\STALCUBE_Setup.exe N/A
File created C:\Program Files\STORM Launcher\locales\mr.pak C:\Users\Admin\AppData\Local\Temp\STALCUBE_Setup.exe N/A
File opened for modification C:\Program Files\STORM Launcher\locales\mr.pak C:\Users\Admin\AppData\Local\Temp\STALCUBE_Setup.exe N/A
File created C:\Program Files\STORM Launcher\locales\nb.pak C:\Users\Admin\AppData\Local\Temp\STALCUBE_Setup.exe N/A
File opened for modification C:\Program Files\STORM Launcher\locales\ru.pak C:\Users\Admin\AppData\Local\Temp\STALCUBE_Setup.exe N/A
File opened for modification C:\Program Files\STORM Launcher\vulkan-1.dll C:\Users\Admin\AppData\Local\Temp\STALCUBE_Setup.exe N/A
File created C:\Program Files\STORM Launcher\locales\ar.pak C:\Users\Admin\AppData\Local\Temp\STALCUBE_Setup.exe N/A
File created C:\Program Files\STORM Launcher\locales\fr.pak C:\Users\Admin\AppData\Local\Temp\STALCUBE_Setup.exe N/A
File created C:\Program Files\STORM Launcher\libEGL.dll C:\Users\Admin\AppData\Local\Temp\STALCUBE_Setup.exe N/A
File created C:\Program Files\STORM Launcher\locales\fa.pak C:\Users\Admin\AppData\Local\Temp\STALCUBE_Setup.exe N/A
File opened for modification C:\Program Files\STORM Launcher\locales\hi.pak C:\Users\Admin\AppData\Local\Temp\STALCUBE_Setup.exe N/A
File opened for modification C:\Program Files\STORM Launcher\locales\nb.pak C:\Users\Admin\AppData\Local\Temp\STALCUBE_Setup.exe N/A
File created C:\Program Files\STORM Launcher\STORM Launcher.exe C:\Users\Admin\AppData\Local\Temp\STALCUBE_Setup.exe N/A
File created C:\Program Files\STORM Launcher\Uninstall STORM Launcher.exe C:\Users\Admin\AppData\Local\Temp\STALCUBE_Setup.exe N/A
File opened for modification C:\Program Files\STORM Launcher\locales\tr.pak C:\Users\Admin\AppData\Local\Temp\STALCUBE_Setup.exe N/A
File created C:\Program Files\STORM Launcher\locales\ur.pak C:\Users\Admin\AppData\Local\Temp\STALCUBE_Setup.exe N/A
File opened for modification C:\Program Files\STORM Launcher\locales\zh-CN.pak C:\Users\Admin\AppData\Local\Temp\STALCUBE_Setup.exe N/A
File opened for modification C:\Program Files\STORM Launcher\locales\cs.pak C:\Users\Admin\AppData\Local\Temp\STALCUBE_Setup.exe N/A
File opened for modification C:\Program Files\STORM Launcher\locales\es-419.pak C:\Users\Admin\AppData\Local\Temp\STALCUBE_Setup.exe N/A
File opened for modification C:\Program Files\STORM Launcher\locales\hr.pak C:\Users\Admin\AppData\Local\Temp\STALCUBE_Setup.exe N/A
File created C:\Program Files\STORM Launcher\locales\pt-PT.pak C:\Users\Admin\AppData\Local\Temp\STALCUBE_Setup.exe N/A
File opened for modification C:\Program Files\STORM Launcher\locales\sk.pak C:\Users\Admin\AppData\Local\Temp\STALCUBE_Setup.exe N/A
File opened for modification C:\Program Files\STORM Launcher\vk_swiftshader.dll C:\Users\Admin\AppData\Local\Temp\STALCUBE_Setup.exe N/A
File created C:\Program Files\STORM Launcher\locales\am.pak C:\Users\Admin\AppData\Local\Temp\STALCUBE_Setup.exe N/A
File opened for modification C:\Program Files\STORM Launcher\locales\el.pak C:\Users\Admin\AppData\Local\Temp\STALCUBE_Setup.exe N/A
File created C:\Program Files\STORM Launcher\locales\ko.pak C:\Users\Admin\AppData\Local\Temp\STALCUBE_Setup.exe N/A
File opened for modification C:\Program Files\STORM Launcher\locales\lv.pak C:\Users\Admin\AppData\Local\Temp\STALCUBE_Setup.exe N/A
File created C:\Program Files\STORM Launcher\locales\sw.pak C:\Users\Admin\AppData\Local\Temp\STALCUBE_Setup.exe N/A
File opened for modification C:\Program Files\STORM Launcher\locales\ur.pak C:\Users\Admin\AppData\Local\Temp\STALCUBE_Setup.exe N/A
File created C:\Program Files\STORM Launcher\locales\zh-CN.pak C:\Users\Admin\AppData\Local\Temp\STALCUBE_Setup.exe N/A
File opened for modification C:\Program Files\STORM Launcher\chrome_200_percent.pak C:\Users\Admin\AppData\Local\Temp\STALCUBE_Setup.exe N/A
File opened for modification C:\Program Files\STORM Launcher\vk_swiftshader_icd.json C:\Users\Admin\AppData\Local\Temp\STALCUBE_Setup.exe N/A

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Program Files\STORM Launcher\STORM Launcher.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [binary blob elided] C:\Program Files\STORM Launcher\STORM Launcher.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [binary blob elided] C:\Program Files\STORM Launcher\STORM Launcher.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\STALCUBE_Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\STALCUBE_Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\STALCUBE_Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\STALCUBE_Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\STALCUBE_Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\STALCUBE_Setup.exe N/A
N/A N/A C:\Program Files\STORM Launcher\STORM Launcher.exe N/A
N/A N/A C:\Program Files\STORM Launcher\STORM Launcher.exe N/A
N/A N/A C:\Program Files\STORM Launcher\STORM Launcher.exe N/A
N/A N/A C:\Program Files\STORM Launcher\STORM Launcher.exe N/A
N/A N/A C:\Program Files\STORM Launcher\STORM Launcher.exe N/A
N/A N/A C:\Program Files\STORM Launcher\STORM Launcher.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\STALCUBE_Setup.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\STORM Launcher\STORM Launcher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\STORM Launcher\STORM Launcher.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\STORM Launcher\STORM Launcher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\STORM Launcher\STORM Launcher.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\STORM Launcher\STORM Launcher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\STORM Launcher\STORM Launcher.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\STORM Launcher\STORM Launcher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\STORM Launcher\STORM Launcher.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4380 wrote to memory of 3212 N/A C:\Program Files\STORM Launcher\STORM Launcher.exe C:\Windows\system32\cmd.exe
PID 4380 wrote to memory of 3212 N/A C:\Program Files\STORM Launcher\STORM Launcher.exe C:\Windows\system32\cmd.exe
PID 3212 wrote to memory of 5052 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3212 wrote to memory of 5052 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4380 wrote to memory of 2012 N/A C:\Program Files\STORM Launcher\STORM Launcher.exe C:\Program Files\STORM Launcher\STORM Launcher.exe
PID 4380 wrote to memory of 2012 N/A C:\Program Files\STORM Launcher\STORM Launcher.exe C:\Program Files\STORM Launcher\STORM Launcher.exe
PID 4380 wrote to memory of 1292 N/A C:\Program Files\STORM Launcher\STORM Launcher.exe C:\Program Files\STORM Launcher\STORM Launcher.exe
PID 4380 wrote to memory of 1292 N/A C:\Program Files\STORM Launcher\STORM Launcher.exe C:\Program Files\STORM Launcher\STORM Launcher.exe
PID 4380 wrote to memory of 1292 N/A C:\Program Files\STORM Launcher\STORM Launcher.exe C:\Program Files\STORM Launcher\STORM Launcher.exe
PID 4380 wrote to memory of 1292 N/A C:\Program Files\STORM Launcher\STORM Launcher.exe C:\Program Files\STORM Launcher\STORM Launcher.exe
PID 4380 wrote to memory of 1292 N/A C:\Program Files\STORM Launcher\STORM Launcher.exe C:\Program Files\STORM Launcher\STORM Launcher.exe
PID 4380 wrote to memory of 1292 N/A C:\Program Files\STORM Launcher\STORM Launcher.exe C:\Program Files\STORM Launcher\STORM Launcher.exe
PID 4380 wrote to memory of 1292 N/A C:\Program Files\STORM Launcher\STORM Launcher.exe C:\Program Files\STORM Launcher\STORM Launcher.exe
PID 4380 wrote to memory of 1292 N/A C:\Program Files\STORM Launcher\STORM Launcher.exe C:\Program Files\STORM Launcher\STORM Launcher.exe
PID 4380 wrote to memory of 1292 N/A C:\Program Files\STORM Launcher\STORM Launcher.exe C:\Program Files\STORM Launcher\STORM Launcher.exe
PID 4380 wrote to memory of 1292 N/A C:\Program Files\STORM Launcher\STORM Launcher.exe C:\Program Files\STORM Launcher\STORM Launcher.exe
PID 4380 wrote to memory of 1292 N/A C:\Program Files\STORM Launcher\STORM Launcher.exe C:\Program Files\STORM Launcher\STORM Launcher.exe
PID 4380 wrote to memory of 1292 N/A C:\Program Files\STORM Launcher\STORM Launcher.exe C:\Program Files\STORM Launcher\STORM Launcher.exe
PID 4380 wrote to memory of 1292 N/A C:\Program Files\STORM Launcher\STORM Launcher.exe C:\Program Files\STORM Launcher\STORM Launcher.exe
PID 4380 wrote to memory of 1292 N/A C:\Program Files\STORM Launcher\STORM Launcher.exe C:\Program Files\STORM Launcher\STORM Launcher.exe
PID 4380 wrote to memory of 1292 N/A C:\Program Files\STORM Launcher\STORM Launcher.exe C:\Program Files\STORM Launcher\STORM Launcher.exe
PID 4380 wrote to memory of 1292 N/A C:\Program Files\STORM Launcher\STORM Launcher.exe C:\Program Files\STORM Launcher\STORM Launcher.exe
PID 4380 wrote to memory of 1292 N/A C:\Program Files\STORM Launcher\STORM Launcher.exe C:\Program Files\STORM Launcher\STORM Launcher.exe
PID 4380 wrote to memory of 1292 N/A C:\Program Files\STORM Launcher\STORM Launcher.exe C:\Program Files\STORM Launcher\STORM Launcher.exe
PID 4380 wrote to memory of 1292 N/A C:\Program Files\STORM Launcher\STORM Launcher.exe C:\Program Files\STORM Launcher\STORM Launcher.exe
PID 4380 wrote to memory of 1292 N/A C:\Program Files\STORM Launcher\STORM Launcher.exe C:\Program Files\STORM Launcher\STORM Launcher.exe
PID 4380 wrote to memory of 1292 N/A C:\Program Files\STORM Launcher\STORM Launcher.exe C:\Program Files\STORM Launcher\STORM Launcher.exe
PID 4380 wrote to memory of 1292 N/A C:\Program Files\STORM Launcher\STORM Launcher.exe C:\Program Files\STORM Launcher\STORM Launcher.exe
PID 4380 wrote to memory of 1292 N/A C:\Program Files\STORM Launcher\STORM Launcher.exe C:\Program Files\STORM Launcher\STORM Launcher.exe
PID 4380 wrote to memory of 1292 N/A C:\Program Files\STORM Launcher\STORM Launcher.exe C:\Program Files\STORM Launcher\STORM Launcher.exe
PID 4380 wrote to memory of 1292 N/A C:\Program Files\STORM Launcher\STORM Launcher.exe C:\Program Files\STORM Launcher\STORM Launcher.exe
PID 4380 wrote to memory of 1292 N/A C:\Program Files\STORM Launcher\STORM Launcher.exe C:\Program Files\STORM Launcher\STORM Launcher.exe
PID 4380 wrote to memory of 1292 N/A C:\Program Files\STORM Launcher\STORM Launcher.exe C:\Program Files\STORM Launcher\STORM Launcher.exe
PID 4380 wrote to memory of 1292 N/A C:\Program Files\STORM Launcher\STORM Launcher.exe C:\Program Files\STORM Launcher\STORM Launcher.exe
PID 4380 wrote to memory of 1292 N/A C:\Program Files\STORM Launcher\STORM Launcher.exe C:\Program Files\STORM Launcher\STORM Launcher.exe
PID 4380 wrote to memory of 1292 N/A C:\Program Files\STORM Launcher\STORM Launcher.exe C:\Program Files\STORM Launcher\STORM Launcher.exe
PID 4380 wrote to memory of 1292 N/A C:\Program Files\STORM Launcher\STORM Launcher.exe C:\Program Files\STORM Launcher\STORM Launcher.exe
PID 4380 wrote to memory of 1292 N/A C:\Program Files\STORM Launcher\STORM Launcher.exe C:\Program Files\STORM Launcher\STORM Launcher.exe
PID 4380 wrote to memory of 1292 N/A C:\Program Files\STORM Launcher\STORM Launcher.exe C:\Program Files\STORM Launcher\STORM Launcher.exe
PID 4380 wrote to memory of 1292 N/A C:\Program Files\STORM Launcher\STORM Launcher.exe C:\Program Files\STORM Launcher\STORM Launcher.exe
PID 4380 wrote to memory of 1292 N/A C:\Program Files\STORM Launcher\STORM Launcher.exe C:\Program Files\STORM Launcher\STORM Launcher.exe
PID 4380 wrote to memory of 1292 N/A C:\Program Files\STORM Launcher\STORM Launcher.exe C:\Program Files\STORM Launcher\STORM Launcher.exe
PID 4380 wrote to memory of 1292 N/A C:\Program Files\STORM Launcher\STORM Launcher.exe C:\Program Files\STORM Launcher\STORM Launcher.exe
PID 4380 wrote to memory of 1292 N/A C:\Program Files\STORM Launcher\STORM Launcher.exe C:\Program Files\STORM Launcher\STORM Launcher.exe
PID 4380 wrote to memory of 1292 N/A C:\Program Files\STORM Launcher\STORM Launcher.exe C:\Program Files\STORM Launcher\STORM Launcher.exe
PID 4380 wrote to memory of 3052 N/A C:\Program Files\STORM Launcher\STORM Launcher.exe C:\Program Files\STORM Launcher\STORM Launcher.exe
PID 4380 wrote to memory of 3052 N/A C:\Program Files\STORM Launcher\STORM Launcher.exe C:\Program Files\STORM Launcher\STORM Launcher.exe
PID 4380 wrote to memory of 4988 N/A C:\Program Files\STORM Launcher\STORM Launcher.exe C:\Program Files\STORM Launcher\STORM Launcher.exe
PID 4380 wrote to memory of 4988 N/A C:\Program Files\STORM Launcher\STORM Launcher.exe C:\Program Files\STORM Launcher\STORM Launcher.exe
PID 4380 wrote to memory of 4544 N/A C:\Program Files\STORM Launcher\STORM Launcher.exe C:\Windows\system32\cmd.exe
PID 4380 wrote to memory of 4544 N/A C:\Program Files\STORM Launcher\STORM Launcher.exe C:\Windows\system32\cmd.exe
PID 4380 wrote to memory of 1832 N/A C:\Program Files\STORM Launcher\STORM Launcher.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4380 wrote to memory of 1832 N/A C:\Program Files\STORM Launcher\STORM Launcher.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4380 wrote to memory of 4420 N/A C:\Program Files\STORM Launcher\STORM Launcher.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4380 wrote to memory of 4420 N/A C:\Program Files\STORM Launcher\STORM Launcher.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4380 wrote to memory of 3128 N/A C:\Program Files\STORM Launcher\STORM Launcher.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4380 wrote to memory of 3128 N/A C:\Program Files\STORM Launcher\STORM Launcher.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4380 wrote to memory of 1096 N/A C:\Program Files\STORM Launcher\STORM Launcher.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4380 wrote to memory of 1096 N/A C:\Program Files\STORM Launcher\STORM Launcher.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4380 wrote to memory of 4664 N/A C:\Program Files\STORM Launcher\STORM Launcher.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4380 wrote to memory of 4664 N/A C:\Program Files\STORM Launcher\STORM Launcher.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4380 wrote to memory of 4488 N/A C:\Program Files\STORM Launcher\STORM Launcher.exe C:\Windows\system32\cmd.exe
PID 4380 wrote to memory of 4488 N/A C:\Program Files\STORM Launcher\STORM Launcher.exe C:\Windows\system32\cmd.exe
PID 4380 wrote to memory of 4576 N/A C:\Program Files\STORM Launcher\STORM Launcher.exe C:\Windows\system32\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\STALCUBE_Setup.exe

"C:\Users\Admin\AppData\Local\Temp\STALCUBE_Setup.exe"

C:\Program Files\STORM Launcher\STORM Launcher.exe

"C:\Program Files\STORM Launcher\STORM Launcher.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "chcp"

C:\Windows\system32\chcp.com

chcp

C:\Program Files\STORM Launcher\STORM Launcher.exe

"C:\Program Files\STORM Launcher\STORM Launcher.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\storm-launcher /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\storm-launcher\Crashpad --url=https://f.a.k/e --annotation=_productName=storm-launcher --annotation=_version=1.6.6 --annotation=plat=Win64 --annotation=prod=Electron --annotation=ver=22.3.27 --initial-client-data=0x4b4,0x4b8,0x500,0x43c,0x504,0x7ff68c2f1898,0x7ff68c2f18a8,0x7ff68c2f18b8

C:\Program Files\STORM Launcher\STORM Launcher.exe

"C:\Program Files\STORM Launcher\STORM Launcher.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\storm-launcher" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1704 --field-trial-handle=1720,i,12984456867602891563,10372347935525172041,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Program Files\STORM Launcher\STORM Launcher.exe

"C:\Program Files\STORM Launcher\STORM Launcher.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\storm-launcher" --standard-schemes --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --mojo-platform-channel-handle=1980 --field-trial-handle=1720,i,12984456867602891563,10372347935525172041,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8

C:\Program Files\STORM Launcher\STORM Launcher.exe

"C:\Program Files\STORM Launcher\STORM Launcher.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\storm-launcher" --standard-schemes --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --app-user-model-id="STORM Launcher" --app-path="C:\Program Files\STORM Launcher\resources\app.asar" --no-sandbox --no-zygote --node-integration-in-worker --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2148 --field-trial-handle=1720,i,12984456867602891563,10372347935525172041,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "echo %COMPUTERNAME%.%USERDNSDOMAIN%"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "%windir%\System32\reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography" /v MachineGuid"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "findstr /C:"Detected boot environment" "%windir%\Panther\setupact.log""

C:\Windows\system32\findstr.exe

findstr /C:"Detected boot environment" "C:\Windows\Panther\setupact.log"

C:\Windows\System32\reg.exe

C:\Windows\System32\reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography" /v MachineGuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

Network

Country Destination Domain Proto
US 8.8.8.8:53 launcher.stalcube.com udp
US 172.67.149.107:443 launcher.stalcube.com tcp
US 8.8.8.8:53 apps.identrust.com udp
US 2.18.190.80:80 apps.identrust.com tcp
US 8.8.8.8:53 107.149.67.172.in-addr.arpa udp
US 8.8.8.8:53 80.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 dns.google udp
US 8.8.4.4:443 dns.google tcp
US 8.8.4.4:443 dns.google tcp
US 8.8.4.4:443 dns.google tcp
US 8.8.4.4:443 dns.google tcp
US 8.8.4.4:443 dns.google tcp
US 8.8.4.4:443 dns.google tcp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 8.8.8.8:53 lpcv2.stalcube.com udp
RU 89.248.192.142:5523 89.248.192.142 tcp
US 104.21.29.153:443 lpcv2.stalcube.com tcp
US 8.8.8.8:53 142.192.248.89.in-addr.arpa udp
US 8.8.8.8:53 153.29.21.104.in-addr.arpa udp
RU 89.248.192.142:5523 89.248.192.142 tcp
US 104.21.29.153:443 lpcv2.stalcube.com tcp
RU 89.248.192.142:5523 89.248.192.142 tcp

Files

\Users\Admin\AppData\Local\Temp\nst7512.tmp\System.dll

\Users\Admin\AppData\Local\Temp\nst7512.tmp\StdUtils.dll

\Users\Admin\AppData\Local\Temp\nst7512.tmp\SpiderBanner.dll

\Users\Admin\AppData\Local\Temp\nst7512.tmp\nsProcess.dll

\Users\Admin\AppData\Local\Temp\nst7512.tmp\nsis7z.dll

\Users\Admin\AppData\Local\Temp\nst7512.tmp\WinShell.dll

\Program Files\STORM Launcher\ffmpeg.dll

C:\Program Files\STORM Launcher\v8_context_snapshot.bin

C:\Program Files\STORM Launcher\icudtl.dat

\Users\Admin\AppData\Local\Temp\30955faa-c569-433f-b99e-e1f41f34c19f.tmp.node

\Users\Admin\AppData\Local\Temp\96029a3e-8e59-4051-b4d0-1a21916f2bdb.tmp.node

C:\Program Files\STORM Launcher\chrome_200_percent.pak

C:\Program Files\STORM Launcher\resources.pak

C:\Program Files\STORM Launcher\resources\app.asar.unpacked\resources\icon.png

C:\Program Files\STORM Launcher\locales\en-US.pak

C:\Program Files\STORM Launcher\chrome_100_percent.pak

memory/1292-260-0x00007FFB77F70000-0x00007FFB77F71000-memory.dmp

\??\pipe\crashpad_4380_JMBWSGFOQJURSLIW

\Program Files\STORM Launcher\vk_swiftshader.dll

\Program Files\STORM Launcher\libEGL.dll

\Program Files\STORM Launcher\libGLESv2.dll

\Program Files\STORM Launcher\d3dcompiler_47.dll

C:\Program Files\STORM Launcher\resources\app-update.yml

memory/1832-356-0x0000016A0B040000-0x0000016A0B062000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lyvv5rqs.lm0.ps1

memory/3128-404-0x000001EFD8290000-0x000001EFD82CC000-memory.dmp

memory/1832-495-0x0000016A237F0000-0x0000016A23866000-memory.dmp

memory/1096-755-0x00000201B6D80000-0x00000201B6DA2000-memory.dmp

memory/1096-736-0x00000201B6D80000-0x00000201B6DAA000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

C:\Users\Admin\AppData\Roaming\storm-launcher\24247cb4-a715-41e3-a837-67382fe9b0be.tmp

Analysis: behavioral15

Detonation Overview

Submitted

2024-05-10 12:15

Reported

2024-05-10 12:31

Platform

win10-20240404-en

Max time kernel

129s

Max time network

145s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\bn.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\bn.pak

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 213.143.182.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-05-10 12:15

Reported

2024-05-10 12:31

Platform

win10-20240404-en

Max time kernel

128s

Max time network

135s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\da.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\da.pak

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.173.189.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-05-10 12:15

Reported

2024-05-10 12:31

Platform

win10-20240404-en

Max time kernel

127s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe

"C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.9.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.246.116.51.in-addr.arpa | udp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-05-10 12:15

Reported

2024-05-10 12:32

Platform

win10-20240404-en

Max time kernel

135s

Max time network

142s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1856 wrote to memory of 652 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1856 wrote to memory of 652 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1856 wrote to memory of 652 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 652 -s 628

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 143.191.110.104.in-addr.arpa | udp
US | 52.111.227.14:443 |  | tcp
US | 8.8.8.8:53 | 25.173.189.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-05-10 12:15

Reported

2024-05-10 12:32

Platform

win10-20240404-en

Max time kernel

125s

Max time network

140s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\ar.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\ar.pak

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.16.208.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-05-10 12:15

Reported

2024-05-10 12:32

Platform

win10-20240404-en

Max time kernel

125s

Max time network

139s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\bg.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\bg.pak

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp
US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 215.143.182.52.in-addr.arpa | udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-05-10 12:15

Reported

2024-05-10 12:32

Platform

win10-20240404-en

Max time kernel

120s

Max time network

137s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4488 wrote to memory of 4884 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4488 wrote to memory of 4884 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4488 wrote to memory of 4884 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 616

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 26.211.222.173.in-addr.arpa | udp
US | 20.231.121.79:80 |  | tcp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.179.89.13.in-addr.arpa | udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-10 12:15

Reported

2024-05-10 12:32

Platform

win10-20240404-en

Max time kernel

131s

Max time network

136s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SpiderBanner.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3660 wrote to memory of 4960 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3660 wrote to memory of 4960 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3660 wrote to memory of 4960 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SpiderBanner.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SpiderBanner.dll,#1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 72.239.69.13.in-addr.arpa | udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-10 12:15

Reported

2024-05-10 12:32

Platform

win10-20240404-en

Max time kernel

126s

Max time network

141s

Command Line

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\LICENSE.electron.txt

Signatures

Opens file in notepad (likely ransom note)

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\LICENSE.electron.txt

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 3.173.189.20.in-addr.arpa | udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-10 12:15

Reported

2024-05-10 12:32

Platform

win10-20240404-en

Max time kernel

123s

Max time network

139s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\chrome_200_percent.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\chrome_200_percent.pak

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 8.167.79.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-05-10 12:15

Reported

2024-05-10 12:32

Platform

win10-20240404-en

Max time kernel

129s

Max time network

137s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\af.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\af.pak

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 215.143.182.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-05-10 12:15

Reported

2024-05-10 12:32

Platform

win10-20240404-en

Max time kernel

125s

Max time network

140s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\am.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\am.pak

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 174.117.168.52.in-addr.arpa | udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-10 12:15

Reported

2024-05-10 12:32

Platform

win10-20240404-en

Max time kernel

130s

Max time network

148s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2564 wrote to memory of 2412 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2564 wrote to memory of 2412 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2564 wrote to memory of 2412 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2412 -s 628

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 11.211.222.173.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 174.117.168.52.in-addr.arpa | udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-10 12:15

Reported

2024-05-10 12:32

Platform

win10-20240404-en

Max time kernel

132s

Max time network

140s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app-64.7z

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app-64.7z

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 8.167.79.40.in-addr.arpa | udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-05-10 12:15

Reported

2024-05-10 12:32

Platform

win10-20240404-en

Max time kernel

125s

Max time network

136s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\icudtl.dat

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\icudtl.dat

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.173.189.20.in-addr.arpa | udp

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-05-10 12:15

Reported

2024-05-10 12:31

Platform

win10-20240404-en

Max time kernel

128s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Uninstall STORM Launcher.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\Uninstall STORM Launcher.exe

"C:\Users\Admin\AppData\Local\Temp\Uninstall STORM Launcher.exe"

C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe

"C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 3.17.178.52.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe

\Users\Admin\AppData\Local\Temp\nsj900C.tmp\System.dll

C:\Users\Admin\AppData\Local\Temp\nsj900C.tmp\StdUtils.dll

C:\Users\Admin\AppData\Local\Temp\nsj900C.tmp\nsProcess.dll

\Users\Admin\AppData\Local\Temp\nsj900C.tmp\UAC.dll

\Users\Admin\AppData\Local\Temp\nsj900C.tmp\WinShell.dll

Analysis: behavioral29

Detonation Overview

Submitted

2024-05-10 12:15

Reported

2024-05-10 12:31

Platform

win10-20240404-en

Max time kernel

134s

Max time network

136s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2100 wrote to memory of 4028 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2100 wrote to memory of 4028 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2100 wrote to memory of 4028 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 628

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 143.191.110.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 215.143.182.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-05-10 12:15

Reported

2024-05-10 12:31

Platform

win10-20240404-en

Max time kernel

80s

Max time network

82s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 360 wrote to memory of 228 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 360 wrote to memory of 228 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 360 wrote to memory of 228 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 616

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 143.191.110.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp

Files

N/A