Malware Analysis Report

2025-04-14 01:48

Sample ID 240602-2bckksac39
Target Battly.Launcher-Windows.exe
SHA256 148ce8730207f9f7f82c54eab0806ea229038f3e8deded31929b5510460f7d61
Score 7/10

Analysis Overview

Score 7/10

SHA256 148ce8730207f9f7f82c54eab0806ea229038f3e8deded31929b5510460f7d61

Threat Level: Shows suspicious behavior

The file Battly.Launcher-Windows.exe was found to show suspicious behavior.

Malicious Activity Summary

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-02 22:25

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-06-02 22:24

Reported

2024-06-02 22:31

Platform

win7-20240221-en

Max time kernel

119s

Max time network

125s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\chalk\node_modules\supports-color\package.json

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\json_auto_file\ C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.json\ = "json_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\json_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\json_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\json_auto_file C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.json C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\json_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\json_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\chalk\node_modules\supports-color\package.json

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\chalk\node_modules\supports-color\package.json

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\chalk\node_modules\supports-color\package.json"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 b3ad262ecede8f0f20d1d59fe789b824
SHA1 9efe73de50bfad9c0ce4d5bd2807ef9b60fca562
SHA256 47585d8c0daccdc5cecff8091a26b35ed61b875e880ea53e326eb482c9d46898
SHA512 0ae65c48f6d7da99490d95449462d79326ae6df2f806baa8e15e7ef4537e5a1e4f0120cf9b9dbc1ef7eb1921de2b47bca512d1e3fbbc17392990a714e69084d0

Analysis: behavioral31

Detonation Overview

Submitted

2024-06-02 22:24

Reported

2024-06-02 22:31

Platform

win7-20240508-en

Max time kernel

120s

Max time network

126s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\color-name\package.json

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\json_auto_file C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\json_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\json_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\json_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\json_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.json C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.json\ = "json_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\json_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\color-name\package.json

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\color-name\package.json

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\color-name\package.json"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 738c7f6535e0b49302669cfe26547bf6
SHA1 3326d4727265aad07cde9a67ae4118f8f41950dd
SHA256 781fb8fe1e519444852e691602fe51c20bcca743dba30f7ffd631588914b8184
SHA512 6f4290a94230ba5bf998e3e082a8a06b0b9156bacaa4162c20a6dc08d59e346128abba40ca5935b8801dd8004342b60a5d13a08aace6a01c7af6ee43959a9629

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-02 22:24

Reported

2024-06-02 22:31

Platform

win10v2004-20240426-en

Max time kernel

146s

Max time network

155s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\chalk\license

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\chalk\license

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 85.65.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-06-02 22:24

Reported

2024-06-02 22:31

Platform

win7-20231129-en

Max time kernel

120s

Max time network

126s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\chalk\node_modules\supports-color\license

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\chalk\node_modules\supports-color\license

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-02 22:24

Reported

2024-06-02 22:31

Platform

win7-20240508-en

Max time kernel

117s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Battly.Launcher-Windows.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\Battly.Launcher-Windows.exe

"C:\Users\Admin\AppData\Local\Temp\Battly.Launcher-Windows.exe"

C:\Users\Admin\AppData\Local\Temp\2fejptRVqtuxOlbo01siOY8OCTG\Battly Launcher.exe

"C:\Users\Admin\AppData\Local\Temp\2fejptRVqtuxOlbo01siOY8OCTG\Battly Launcher.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nsd3064.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

\Users\Admin\AppData\Local\Temp\nsd3064.tmp\BgImage.dll

MD5 487368e6fce9ab9c5ea053af0990c5ef
SHA1 b538e37c87d4b9a7645dcbbd9e93025a31849702
SHA256 e27efa5dfde875bd6b826fafb4c7698db6b6e30e68715a1c03eb018e3170fc04
SHA512 bb3ed4c0d17a11365b72653112b48c8c63ab10590dda3dfd90aa453f0d64203000e4571c73998063352240e1671d14da5ee394439899aaa31054fa2e9b722ea7

\Users\Admin\AppData\Local\Temp\nsd3064.tmp\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

C:\Users\Admin\AppData\Local\Temp\2fejptRVqtuxOlbo01siOY8OCTG\ffmpeg.dll

MD5 bf09deeeb497aeddaf6194e695776b8b
SHA1 e7d8719d6d0664b8746581b88eb03a486f588844
SHA256 450d5e6a11dc31dc6e1a7af472cd08b7e7a78976b1f0aa1c62055a0a720f5080
SHA512 38d3cac922634df85ddfd8d070b38cf4973bba8f37d3246453377f30165cc4377b4e67c4e0bca0ffe3c3fa0e024b23a31ec009e16d0ab3042593b5a6e164669f

C:\Users\Admin\AppData\Local\Temp\2fejptRVqtuxOlbo01siOY8OCTG\resources\app\node_modules\ansi-styles\license

MD5 915042b5df33c31a6db2b37eadaa00e3
SHA1 5aaf48196ddd4d007a3067aa7f30303ca8e4b29c
SHA256 48da2f39e100d4085767e94966b43f4fa95ff6a0698fba57ed460914e35f94a0
SHA512 9c8b2def76ae5ffe4d636166bf9635d7abd69cdac4bf819a2145f7969646d39ae95c96364bc117f9fa544b98518c294233455d4f665af430c75d70798dd4ab13

C:\Users\Admin\AppData\Local\Temp\2fejptRVqtuxOlbo01siOY8OCTG\resources\app\node_modules\async\inject.js

MD5 724bb52915e1158b4dff6f26ef4baf72
SHA1 ad0aa6a0ac5576433051167524923e6aa794c96a
SHA256 f1e4594194164d2504946c85c8e983346b25f9be8239178defec27e912b56c21
SHA512 657c3dec82c5c6c34accdbc9d96e2be59a592e60241960810f10a662f5305c21dcef8cf006fcdefb0d48d30ccdd30d9dd6c263c089a88591f18a83a2f390eaaa

C:\Users\Admin\AppData\Local\Temp\2fejptRVqtuxOlbo01siOY8OCTG\resources\app\src\assets\js\index-es.js

MD5 ca5f26a1bca7d0379bc07aa2196b9ae1
SHA1 384fd58e544cdc1d246e0b5077ebc1fc8e77800e
SHA256 7b84738f06f865a0bc533041e12acc8e2c651f153b8df96ca0a43956dddf20f9
SHA512 ef19bb165a47de0625499919db32788f7ee8ba563210f525fa7db074b8521345a6e0bc35cf2d51daab7fcc9441dfbb8623f19b34b4ce3fcdd6f65c6173bdab35

C:\Users\Admin\AppData\Local\Temp\nsd3064.tmp\splash.bmp

MD5 53b029ccb83951c0f232fbcde874b403
SHA1 c6c57b8b7eac7c0f3b7ecff5d4b2a4c1de4d326f
SHA256 4a3a74bcc1da624c51860bf3dc2333230cad7c961414e015a987e204f6447461
SHA512 514d3e5e925ec16db2ab89d71b34c95ea76f5679dfc4fc2e759c0e982d08660b5ca9a76bbc814ed3335b461ac9e1bf82de2b88dc988f4378e3a974cd59485acb

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-02 22:24

Reported

2024-06-02 22:31

Platform

win7-20240508-en

Max time kernel

119s

Max time network

128s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\balanced-match\LICENSE.md

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\md_auto_file\ C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\.md\ = "md_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\md_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\md_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\md_auto_file C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\.md C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\md_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\md_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\balanced-match\LICENSE.md

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\balanced-match\LICENSE.md

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\balanced-match\LICENSE.md"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 d3378b648714122651a5488373b36962
SHA1 255918db2394ef95b167396b8193068996e825c3
SHA256 c03f7ba313ad0f8e051258150c0b743484ecf9f7b326212027e2f97fdad01edd
SHA512 4f3fac1408816373d90d54f252bb27a7b88ab0911b66988c93954a878f3cdbf852eb8810473f7c8dc0414e01b8957240212afebce95997d1e96f6c1a578bfe1b

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-02 22:24

Reported

2024-06-02 22:31

Platform

win7-20240220-en

Max time kernel

120s

Max time network

126s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\chalk\license

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\chalk\license

Network

N/A

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-02 22:24

Reported

2024-06-02 22:31

Platform

win7-20240508-en

Max time kernel

121s

Max time network

127s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\chalk\node_modules\has-flag\package.json

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\json_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\json_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\json_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.json C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\json_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\json_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\json_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.json\ = "json_auto_file" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\chalk\node_modules\has-flag\package.json

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\chalk\node_modules\has-flag\package.json

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\chalk\node_modules\has-flag\package.json"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 a5a4321566ece7c4120f6a1e9db5fa77
SHA1 df232e9605950b8a3488c188e88bc2d888c9b781
SHA256 639411c90709545e17fff7e0e8ffa0224f1e3be6cd6f0154a8d60df4e1af15c8
SHA512 2941353146d788d113726e5aac83f7caafcef950a6b2191e36cf6d7ab6f8d6f5d27c9180973018f36e1d94de41ba25c9bd7fdba62a0ac4e25ec2dd56e2197420

Analysis: behavioral24

Detonation Overview

Submitted

2024-06-02 22:24

Reported

2024-06-02 22:31

Platform

win10v2004-20240426-en

Max time kernel

140s

Max time network

159s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\chalk\package.json

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\chalk\package.json

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 67.112.168.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-06-02 22:24

Reported

2024-06-02 22:31

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

156s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\child_process\package.json

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\child_process\package.json

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 9.73.50.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-02 22:24

Reported

2024-06-02 22:31

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

183s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\async\bower.json

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\async\bower.json

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4948 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
GB 96.16.110.114:80 tcp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
GB 142.250.187.234:443 tcp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 85.65.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-02 22:24

Reported

2024-06-02 22:32

Platform

win10v2004-20240226-en

Max time kernel

146s

Max time network

179s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\brace-expansion\LICENSE

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\brace-expansion\LICENSE

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4232 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 142.250.200.10:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 pki.goog udp
US 8.8.8.8:53 pki.goog udp
US 216.239.32.29:80 pki.goog tcp
US 8.8.8.8:53 10.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 29.32.239.216.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 9.73.50.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-02 22:24

Reported

2024-06-02 22:31

Platform

win10v2004-20240508-en

Max time kernel

131s

Max time network

160s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\chalk\node_modules\has-flag\license

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\chalk\node_modules\has-flag\license

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-02 22:24

Reported

2024-06-02 22:31

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

162s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\balanced-match\package.json

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\balanced-match\package.json

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 85.65.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-02 22:24

Reported

2024-06-02 22:32

Platform

win7-20240221-en

Max time kernel

118s

Max time network

143s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\brace-expansion\LICENSE

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\brace-expansion\LICENSE

Network

N/A

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-02 22:24

Reported

2024-06-02 22:31

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

164s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\chalk\node_modules\has-flag\package.json

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\chalk\node_modules\has-flag\package.json

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 67.112.168.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-06-02 22:24

Reported

2024-06-02 22:31

Platform

win7-20240508-en

Max time kernel

117s

Max time network

124s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\child_process\package.json

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\.json\ = "json_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\json_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\json_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\json_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\json_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\json_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\.json C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\json_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\child_process\package.json

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\child_process\package.json

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\child_process\package.json"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 0dbfc5dcbbb64b108963297e800054f7
SHA1 058c18c4c46db22926fa98182b2b643322e8779f
SHA256 6152676b0e3c85a3fac46f426c782ae2abcac0b3e034b898d135902188e1fe2d
SHA512 d21a70e163e1b84bfad77bb8b46bf3c45dee218e88d26feb7143b1c74eb233d99780cf09d0ed26d227f89bca25e1e07d1bd1bd7a272be584450fd84c77374465

Analysis: behavioral28

Detonation Overview

Submitted

2024-06-02 22:24

Reported

2024-06-02 22:31

Platform

win10v2004-20240426-en

Max time kernel

147s

Max time network

156s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\color-convert\package.json

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\color-convert\package.json

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-02 22:24

Reported

2024-06-02 22:31

Platform

win7-20240221-en

Max time kernel

121s

Max time network

141s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\async\bower.json

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.json\ = "json_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\json_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\json_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\json_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\json_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.json C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\json_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\json_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\async\bower.json

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\async\bower.json

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\async\bower.json"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 e905406888d6c166d918887a35bba79d
SHA1 8311ba472b9ba4e6f753fbb1ed538e153a7e603f
SHA256 82d8c2a5f962acd68e8b4f45a75b4778be527978b889cfde80d360e74c377e6c
SHA512 18714afd026a6caeb962dc4f8d8f91b310c21ebda00eec86b8aef5ff23a1ad9db9cf870d9a4b9059692cec026305c66a0a147d410f9678382d283ce089c21e09

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-02 22:24

Reported

2024-06-02 22:31

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

163s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\balanced-match\LICENSE.md

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\balanced-match\LICENSE.md

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 67.112.168.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-06-02 22:24

Reported

2024-06-02 22:31

Platform

win7-20240221-en

Max time kernel

120s

Max time network

143s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\chalk\package.json

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.json C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\json_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\json_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\json_auto_file\ C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.json\ = "json_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\json_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\json_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\json_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\chalk\package.json

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\chalk\package.json

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\chalk\package.json"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 89dd36a144e21816503403c7f1596501
SHA1 fa860448eb817d5a9d79f50526452ee7e00c07aa
SHA256 3abda3c053968e939ce29ca7d620691e9cd48ad4e8c1357d638ea281f5f88412
SHA512 5e0e801e981d6c4987c4146d1cbeaa9e42998362d8f4f945e0558d57f482282705a182c40ffe5f8df0abb47e8ea77df5407cbbeb9cb706c73185794228c4c859

Analysis: behavioral29

Detonation Overview

Submitted

2024-06-02 22:24

Reported

2024-06-02 22:31

Platform

win7-20240221-en

Max time kernel

119s

Max time network

124s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\color-name\LICENSE

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\color-name\LICENSE

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-02 22:24

Reported

2024-06-02 22:31

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

166s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Battly.Launcher-Windows.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2fejptRVqtuxOlbo01siOY8OCTG\Battly Launcher.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF C:\Users\Admin\AppData\Local\Temp\2fejptRVqtuxOlbo01siOY8OCTG\Battly Launcher.exe N/A
File created \??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF C:\Users\Admin\AppData\Local\Temp\2fejptRVqtuxOlbo01siOY8OCTG\Battly Launcher.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2fejptRVqtuxOlbo01siOY8OCTG\Battly Launcher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2fejptRVqtuxOlbo01siOY8OCTG\Battly Launcher.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1612 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\Battly.Launcher-Windows.exe C:\Users\Admin\AppData\Local\Temp\2fejptRVqtuxOlbo01siOY8OCTG\Battly Launcher.exe
PID 2840 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\2fejptRVqtuxOlbo01siOY8OCTG\Battly Launcher.exe C:\Users\Admin\AppData\Local\Temp\2fejptRVqtuxOlbo01siOY8OCTG\Battly Launcher.exe
PID 2840 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\2fejptRVqtuxOlbo01siOY8OCTG\Battly Launcher.exe C:\Users\Admin\AppData\Local\Temp\2fejptRVqtuxOlbo01siOY8OCTG\Battly Launcher.exe
PID 2840 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\2fejptRVqtuxOlbo01siOY8OCTG\Battly Launcher.exe C:\Users\Admin\AppData\Local\Temp\2fejptRVqtuxOlbo01siOY8OCTG\Battly Launcher.exe
PID 2840 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\2fejptRVqtuxOlbo01siOY8OCTG\Battly Launcher.exe C:\Users\Admin\AppData\Local\Temp\2fejptRVqtuxOlbo01siOY8OCTG\Battly Launcher.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Battly.Launcher-Windows.exe

"C:\Users\Admin\AppData\Local\Temp\Battly.Launcher-Windows.exe"

C:\Users\Admin\AppData\Local\Temp\2fejptRVqtuxOlbo01siOY8OCTG\Battly Launcher.exe

"C:\Users\Admin\AppData\Local\Temp\2fejptRVqtuxOlbo01siOY8OCTG\Battly Launcher.exe"

C:\Users\Admin\AppData\Local\Temp\2fejptRVqtuxOlbo01siOY8OCTG\Battly Launcher.exe

"C:\Users\Admin\AppData\Local\Temp\2fejptRVqtuxOlbo01siOY8OCTG\Battly Launcher.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Battly Launcher Installer" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1704 --field-trial-handle=1708,i,13933249488732519170,17832905954752110629,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:2

C:\Users\Admin\AppData\Local\Temp\2fejptRVqtuxOlbo01siOY8OCTG\Battly Launcher.exe

"C:\Users\Admin\AppData\Local\Temp\2fejptRVqtuxOlbo01siOY8OCTG\Battly Launcher.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Battly Launcher Installer" --mojo-platform-channel-handle=1948 --field-trial-handle=1708,i,13933249488732519170,17832905954752110629,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:3

C:\Users\Admin\AppData\Local\Temp\2fejptRVqtuxOlbo01siOY8OCTG\Battly Launcher.exe

"C:\Users\Admin\AppData\Local\Temp\2fejptRVqtuxOlbo01siOY8OCTG\Battly Launcher.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Battly Launcher Installer" --app-path="C:\Users\Admin\AppData\Local\Temp\2fejptRVqtuxOlbo01siOY8OCTG\resources\app" --no-sandbox --no-zygote --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2428 --field-trial-handle=1708,i,13933249488732519170,17832905954752110629,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:1

C:\Users\Admin\AppData\Local\Temp\2fejptRVqtuxOlbo01siOY8OCTG\Battly Launcher.exe

"C:\Users\Admin\AppData\Local\Temp\2fejptRVqtuxOlbo01siOY8OCTG\Battly Launcher.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\Battly Launcher Installer" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2408 --field-trial-handle=1708,i,13933249488732519170,17832905954752110629,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8
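
The four child command lines above record the sandbox posture of this Electron build: the renderer runs with --no-sandbox (and the --no-zygote that accompanies it), the network utility process runs with --service-sandbox-type=none, the second GPU process runs with --disable-gpu-sandbox, and every process is launched from an unpacked copy under %TEMP%. The script below is an added example for reading such lines, not part of this report or of the launcher's own code: it parses Chromium-style command lines and flags the switches that weaken process isolation. The switch list is a hand-picked assumption drawn from Chromium's command-line switches, and the sample input is an abridged copy of the four lines listed above (the --gpu-preferences blob and field-trial handles are shortened).

```python
import re

# Abridged copies of the four child command lines listed above (constructed sample
# input for this example; long opaque values were shortened to keep lines readable).
SAMPLE_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\2fejptRVqtuxOlbo01siOY8OCTG\Battly Launcher.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Battly Launcher Installer" --gpu-preferences=WAAAAAAAAADg... --mojo-platform-channel-handle=1704 --enable-features=kWebSQLAccess /prefetch:2',
    r'"C:\Users\Admin\AppData\Local\Temp\2fejptRVqtuxOlbo01siOY8OCTG\Battly Launcher.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Battly Launcher Installer" --mojo-platform-channel-handle=1948 /prefetch:3',
    r'"C:\Users\Admin\AppData\Local\Temp\2fejptRVqtuxOlbo01siOY8OCTG\Battly Launcher.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Battly Launcher Installer" --app-path="C:\Users\Admin\AppData\Local\Temp\2fejptRVqtuxOlbo01siOY8OCTG\resources\app" --no-sandbox --no-zygote --lang=en-US --renderer-client-id=4 --mojo-platform-channel-handle=2428 /prefetch:1',
    r'"C:\Users\Admin\AppData\Local\Temp\2fejptRVqtuxOlbo01siOY8OCTG\Battly Launcher.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --user-data-dir="C:\Users\Admin\AppData\Roaming\Battly Launcher Installer" --mojo-platform-channel-handle=2408 /prefetch:8',
]

# --switch or --switch=value, where the value may be a quoted string with spaces.
SWITCH_RE = re.compile(r'--([A-Za-z0-9-]+)(?:=("[^"]*"|\S+))?')
# The image path is the first token, quoted when it contains spaces.
EXE_RE = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')

# Chromium switches that disable or weaken process isolation
# (assumption: a hand-picked list for this example, not exhaustive).
WEAK_SWITCHES = [
    "no-sandbox",
    "disable-gpu-sandbox",
    "disable-web-security",
    "allow-file-access-from-files",
    "allow-running-insecure-content",
    "ignore-certificate-errors",
    "remote-debugging-port",
]


def parse_switches(cmdline):
    """Map every --switch[=value] on a Chromium-style command line to its value
    (None for bare switches); quotes around values are removed."""
    return {m.group(1): (m.group(2).strip('"') if m.group(2) else None)
            for m in SWITCH_RE.finditer(cmdline)}


def executable(cmdline):
    """Return the image path, honouring quoting around paths with spaces."""
    m = EXE_RE.match(cmdline)
    return m.group(1) or m.group(2)


def audit(cmdline):
    """Summarise one child process: its Chromium process type, the
    isolation-weakening switches it carries, and whether its image lives
    under the user's Temp directory."""
    sw = parse_switches(cmdline)
    findings = [name for name in WEAK_SWITCHES if name in sw]
    if sw.get("service-sandbox-type") == "none":
        findings.append("service-sandbox-type=none")
    exe = executable(cmdline)
    return {
        "type": sw.get("type", "browser"),   # the parent process carries no --type
        "findings": findings,
        "runs_from_temp": "\\appdata\\local\\temp\\" in exe.lower(),
        "app_path": sw.get("app-path"),
    }


if __name__ == "__main__":
    for result in map(audit, SAMPLE_CMDLINES):
        print(result["type"], result["findings"], "(from Temp)" if result["runs_from_temp"] else "")
```

The parent process has no --type switch and is reported as browser. The renderer finding is the one that matters most: a renderer without the sandbox executes whatever content it loads with the full privileges of the user account, so the --app-path it points at (resources\app under %TEMP% here) is where review of the packaged JavaScript should start.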

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 202.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:443 dns.google tcp
US 8.8.4.4:443 dns.google tcp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 89.65.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsu6B6D.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

C:\Users\Admin\AppData\Local\Temp\nsu6B6D.tmp\BgImage.dll

MD5 487368e6fce9ab9c5ea053af0990c5ef
SHA1 b538e37c87d4b9a7645dcbbd9e93025a31849702
SHA256 e27efa5dfde875bd6b826fafb4c7698db6b6e30e68715a1c03eb018e3170fc04
SHA512 bb3ed4c0d17a11365b72653112b48c8c63ab10590dda3dfd90aa453f0d64203000e4571c73998063352240e1671d14da5ee394439899aaa31054fa2e9b722ea7

C:\Users\Admin\AppData\Local\Temp\nsu6B6D.tmp\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

C:\Users\Admin\AppData\Local\Temp\2fejptRVqtuxOlbo01siOY8OCTG\ffmpeg.dll

MD5 bf09deeeb497aeddaf6194e695776b8b
SHA1 e7d8719d6d0664b8746581b88eb03a486f588844
SHA256 450d5e6a11dc31dc6e1a7af472cd08b7e7a78976b1f0aa1c62055a0a720f5080
SHA512 38d3cac922634df85ddfd8d070b38cf4973bba8f37d3246453377f30165cc4377b4e67c4e0bca0ffe3c3fa0e024b23a31ec009e16d0ab3042593b5a6e164669f

C:\Users\Admin\AppData\Local\Temp\2fejptRVqtuxOlbo01siOY8OCTG\v8_context_snapshot.bin

MD5 81870fb2f641c8b845e9c6d1a632f0b7
SHA1 fcd47d8d1232c189a1c4087bb03a015ce14c25ba
SHA256 875515af4e7254458c17a98bed087fc609d45fbc8ebf60663e112c37204f6840
SHA512 7748c8fb6f356aa45023a56245c43c5171d0413617fb1ac6c75650be75bbe94bd5528e9aa83cd9df9a08af65540a76ab59bc866e5dcf0fa7284122f290bd45d3

C:\Users\Admin\AppData\Local\Temp\2fejptRVqtuxOlbo01siOY8OCTG\icudtl.dat

MD5 e0f1ad85c0933ecce2e003a2c59ae726
SHA1 a8539fc5a233558edfa264a34f7af6187c3f0d4f
SHA256 f5170aa2b388d23bebf98784dd488a9bcb741470384a6a9a8d7a2638d768defb
SHA512 714ed5ae44dfa4812081b8de42401197c235a4fa05206597f4c7b4170dd37e8360cc75d176399b735c9aec200f5b7d5c81c07b9ab58cbca8dc08861c6814fb28

C:\Users\Admin\AppData\Local\Temp\2fejptRVqtuxOlbo01siOY8OCTG\resources\app\package.json

MD5 e102ea0d9f0e36be31e25b787c35ca2c
SHA1 022ea237f37e95570872a64ba6af1e2f63cb0dab
SHA256 9f66eafe35c475aaba1157c877406f448273c6e4811a1ef2fce10aa0d5eee706
SHA512 426e0af432f24562e548bf53ea972636c494f0c5b840b9e6affbc40f32fdb9de3cde3c4fd83d9a221eae9832a42631b2b178a3d46f1b2a56d1a82978fe32fc51

C:\Users\Admin\AppData\Local\Temp\2fejptRVqtuxOlbo01siOY8OCTG\resources\app\node_modules\ejs-electron\node_modules\mime\types\standard.js

MD5 5119196e906ee770dfd3610bcfbd0587
SHA1 a21f9b1eba88b1af8d16231a5759ffb8108a645c
SHA256 70aaa6f9c1b7caf38db2eff138406911368729b8dfb478fe70078e46ec1824bc
SHA512 30d30134c1044d36bf4ffd93cb0b6f003cb702a14b9e006bbc9a18a7e9e6915f18c22eb0b8bcfb5cae6cc15636726e0d8ab59189610550140ac90e51f45c324e

C:\Users\Admin\AppData\Local\Temp\2fejptRVqtuxOlbo01siOY8OCTG\resources\app\node_modules\ejs-electron\node_modules\mime\Mime.js

MD5 5a77829e31fd521878c9484a90ff107a
SHA1 73efaff8e2e9adb871396c15c076dbf28757949a
SHA256 9482411a27e56e69e9ff5ae077b25f64c38768ae268ac07ab74a9896b582b6a9
SHA512 dc542b656f18818fc5caab6bebaf67f2f33691661196fd588eeba8bb8d1520ea61f76df314d407e0e23b405706889f0e73f0bc61871a36764d2c3564a44b1c35

C:\Users\Admin\AppData\Local\Temp\2fejptRVqtuxOlbo01siOY8OCTG\resources\app\node_modules\ejs-electron\node_modules\mime\index.js

MD5 f18d3eb05bbc4d65415ee72c4b5d4dff
SHA1 e2d3efd8917c4ff9cbe668474891269d3fedcb37
SHA256 7b35e6b3b981b498b62860b99063916772a7a199125866d4593db952ba1c14b9
SHA512 65316d6a06666e5acdb6fd293fcb737109a264fb6ed1174e7853f86b32d2b334fab3280d28535be21524fa15f86bc8f16b663461439d6bdf4ead0cba4b297eb5

C:\Users\Admin\AppData\Local\Temp\2fejptRVqtuxOlbo01siOY8OCTG\resources\app\node_modules\ejs-electron\node_modules\mime\package.json

MD5 41460dd956f1244d052cbe727cb6be27
SHA1 4982079e4fc60559ed7fa2c066bf71fc7b74d9b4
SHA256 a1dccf7b9e97739c70cfe4a205babae71016a576f4385a8d66308978f21e0d19
SHA512 4e273dcbe5b5bde34c1ba8c0bf35251037b058fe3eef5703e53027a53b9f6661db97411be2ae2e7b4353adf5d77bb389566a81258adb8f11cac679ee6450c978

C:\Users\Admin\AppData\Local\Temp\2fejptRVqtuxOlbo01siOY8OCTG\resources\app\node_modules\ejs\lib\utils.js

MD5 c4ed9f400aaac2c0b2ebe7c7f5795b1d
SHA1 4e88b60293299d879774768f84cf38524c3d34c3
SHA256 d77d4660b6fd5131949906b67fa4456223c308bd13a88d7dadbd2e10e5e7ace4
SHA512 100faa0f015ba8001eff8dc435174dde0af2d8717976448a3202272e7d0edde3d149f0a0acc6469f8d86fa0b15b79237cc1ffd5efb9456e0bbb625e6cfd53242

C:\Users\Admin\AppData\Local\Temp\2fejptRVqtuxOlbo01siOY8OCTG\resources\app\node_modules\ejs\lib\ejs.js

MD5 e7286ffae51527e51efadb4ce65d1dd8
SHA1 2170a351835c1ff3ef58faab251e3d5ce5dfe9d6
SHA256 9ff1cb7fb0a7dbd822e04d35e50560a199926cc323b5aa11f1e89556d7b89814
SHA512 5a551b8ae5dc38eb4893acb2876046ebe27ed3852777b7e832173bfba8d5470b08495232811a82edd0662634bc6351e51d7d3509c87663900ca122a15e1d50e7

C:\Users\Admin\AppData\Local\Temp\2fejptRVqtuxOlbo01siOY8OCTG\resources\app\node_modules\ejs\package.json

MD5 c811f299cfedf923d32f6126894283b1
SHA1 4d25c24f5ff44f2963d08d74d474b03127c02ecf
SHA256 ba32b2005d817a23dc0e0b57c248b53b8b0316e8271fa433780750a954d56e69
SHA512 ce77756d8c128eff055923c6622f3b438a3eba87513fc6d962180b93762cb325c5b96c89e05e1df4a7ef227d35ad1de659d28c893742c5a1e8912b365b1a3fcb

C:\Users\Admin\AppData\Local\Temp\2fejptRVqtuxOlbo01siOY8OCTG\resources\app\node_modules\ejs-electron\node_modules\mime\types\other.js

MD5 ce7fcb8480cc926c86d46e4b1fb6cc9d
SHA1 dbfc26ed679cce39b3ecb6bee5ef5968cea6408a
SHA256 ee0e65cdfde6e492be9c52e35bffcbe0e0fd9a5be1a18fbaa7cbbc7b9b406934
SHA512 c5c943a1722aa52c3f85f28189258ebb4e3ed025c98bfa0d7ce978de2587b10239c578d5d96fb63f85bd8ec16d7d156847268cc14421cb920832688984fc0cc9

C:\Users\Admin\AppData\Local\Temp\2fejptRVqtuxOlbo01siOY8OCTG\resources\app\node_modules\ejs-electron\index.js

MD5 d441fba9399d196f943308f66d215d95
SHA1 76557f8a00782c3503b62784098b7832256c136b
SHA256 4574224bdcf1a47aab456dbec7b485d7cb8bd62bea5295f85db622b3ebab0c1b
SHA512 7f11d59d870c0ae386b6c0ae4a65b2ab49445ce8b36528323bb2a03a8a55611c8e71d2c7439f0a57c69fb7cfdc2d05fde59e535e0da36adf24947a131db18a0f

C:\Users\Admin\AppData\Local\Temp\2fejptRVqtuxOlbo01siOY8OCTG\resources\app\node_modules\ejs-electron\package.json

MD5 381be2da7b731d7e9f68c149ef521e46
SHA1 11f4eabe7d5c1236c02c9c6e1ef2e8f58226a2e3
SHA256 c30372a8a6ef7a7cf021a48200d7ca770ca5ad68022e92c6d15bd27878dc326a
SHA512 0595738800f268106a61f3526448bb1c89ed37db1950d00b7fc1f1d2874cfcd1bf7454b49d757614543caf756407d6594e2246f68d6916db51553c95e22c4f01

C:\Users\Admin\AppData\Local\Temp\2fejptRVqtuxOlbo01siOY8OCTG\resources\app\src\index.js

MD5 c5cc3d4ff4268a128ca55321b7ad4f70
SHA1 87a0ad54e6b73a40fd5cc7e801603aa50e4ea973
SHA256 79912a218664d36de8b3f1adc69b43b2ccb67bebe39a3d38666bbbf4173cd411
SHA512 f55a303b010129a6b342e62b9a9d4e32297d7648c3054ce40d26d939cc7ef776d42438ce78d93a4897f5a6679a1477d2590e152dc601d174e53fffe8010f0e1b

C:\Users\Admin\AppData\Local\Temp\2fejptRVqtuxOlbo01siOY8OCTG\resources.pak

MD5 67bb5e75ceb8ced4c98cf0454933cb45
SHA1 c2b1c8c8d753318bc5ec18762c27512a5eb9f9cd
SHA256 5d63acd4034f7771ca346d138d7478014abf1f3f4386d07fc025dbc2c2bc0bff
SHA512 fd213d59ebc625f6f8b20cc8fde1a22132ce827b81deaddb9ca7993fe0d9616de17e089def338d23c4b6bbd7d3a931ee73aa329325eaa17f8145a58fe11d8c38

C:\Users\Admin\AppData\Local\Temp\2fejptRVqtuxOlbo01siOY8OCTG\locales\en-US.pak

MD5 731c45f9f23957acc11b43d775758aaa
SHA1 12e66417a2dc0c5211ed67f026208ef02fcb40af
SHA256 02b97817b6eebd7caeaaff750f6462abc68911c398ddf0571b7900ff9b4ea9a2
SHA512 1a008df585ef76d9cf4459fc3e617b8d4397e7078c77852712fc7cf4f304081bc5195243437e64074016b05a8cd671db93666042e59b959595ba854ceb330a81

C:\Users\Admin\AppData\Local\Temp\2fejptRVqtuxOlbo01siOY8OCTG\chrome_200_percent.pak

MD5 e02160c24b8077b36ff06dc05a9df057
SHA1 fc722e071ce9caf52ad9a463c90fc2319aa6c790
SHA256 4d5b51f720f7d3146e131c54a6f75e4e826c61b2ff15c8955f6d6dd15bedf106
SHA512 1bf873b89b571974537b685cdb739f8ed148f710f6f24f0f362f8b6bb605996fcfec1501411f2cb2df374d5fdaf6e2daaada8cea68051e3c10a67030ea25929e

C:\Users\Admin\AppData\Local\Temp\2fejptRVqtuxOlbo01siOY8OCTG\chrome_100_percent.pak

MD5 b1bccf31fa5710207026d373edd96161
SHA1 ae7bb0c083aea838df1d78d61b54fb76c9a1182e
SHA256 49aff5690cb9b0f54f831351aa0f64416ba180a0c4891a859fa7294e81e9c8e3
SHA512 134a13ad86f8bd20a1d2350236269fd39c306389a600556a82025d5e0d5adaab0709d59e9b7ee96e8e2d25b6df49fefea27cdccefe5fba9687abf92a9a941d91

C:\Users\Admin\AppData\Local\Temp\2fejptRVqtuxOlbo01siOY8OCTG\resources\app\src\index.ejs

MD5 5cb43b3d3c087f4dfb7ef3604a39e757
SHA1 62796be76ccb921544aa6279dd0139b00450e24a
SHA256 88b3b17146349c92955cc88bdd70ef1fa414bf624d771a0b8ed0d7f2d40d76cd
SHA512 b5247488c6dbd4f682d27884f3b516df00ad6725665f79c2d4ea76c1a54d318a31e32c6f96a11fafc382d36097e50f505e0cba904e13b4d45afa96544401eb81

C:\Users\Admin\AppData\Local\Temp\2fejptRVqtuxOlbo01siOY8OCTG\vk_swiftshader.dll

MD5 0a071201e4dd76996e273c81533bfa74
SHA1 5c92c634027692c344a8e74eab8b4d5c3e049497
SHA256 08e34bc25653f9357a4ccf62966d698b7cc6265dc668046a28403ae5786132ee
SHA512 b5de6548c5c743b6f119183fa06aaf67dcd4cdbc3542378ff87916b670ace1e2f4270f6dcaa4caabd01460c638bd02b565267e7bd9617ca92d72187d374bb7d6

C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Local\Temp\2fejptRVqtuxOlbo01siOY8OCTG\libEGL.dll

MD5 3a5cbf0ce848ec30a2f8fe1760564515
SHA1 31bf9312cd1beaedaa91766e5cde13406d6ea219
SHA256 afef052c621f72ba986d917a9e090d23a13f4ab6bc09f158eeb73fd671b94219
SHA512 bd5713e1d22145b4cc52f4e46b464f443aad6f783a5793268e7d9dca969f27b70e706eecd54cb01be1c94256e6a95864c6b7e50027cef7fa870cdb16820ad602

C:\Users\Admin\AppData\Local\Temp\2fejptRVqtuxOlbo01siOY8OCTG\libGLESv2.dll

MD5 c783045e4b7f00c847678d43a77367f7
SHA1 7f9192ce0b23ac93561aeec9d9c38daa3136c146
SHA256 3a39137dcee6cb6663ae9cca424b6b05cf56c0ad7e32fb72cb94549ea9dbcae8
SHA512 64e6d4fc84f1217ceef05a22ad63a6618ffdc470b1faf4ad9e2d7bab59e9285527b9c5fd7ea4be673a08b9466434e3c098e839bf6955597e3d8aa0e80589f4a3

C:\Users\Admin\AppData\Local\Temp\2fejptRVqtuxOlbo01siOY8OCTG\resources\app\src\footer.ejs

MD5 d6c4aec009f8a181f5f805169cbad491
SHA1 7a7263138772c78c8c4330a2ed6cfbd3092c8985
SHA256 a2da2ca46128fdf7530a27ab8345986278cda1b78d7a075ec0fb11b66474fa8d
SHA512 d0a2d60113cdce329303f9657b741317e2f5b691d248fa2131b6668e07e7db9a5292ab734456681f335b71c732e003009631113cf14f218e13aaad7d4e8bb4d7

C:\Users\Admin\AppData\Local\Temp\2fejptRVqtuxOlbo01siOY8OCTG\resources\app\src\logs.ejs

MD5 6fc7c3d8bac3259202cb981acf8b18b6
SHA1 f3963b01f9a2df4e9b0b989b4e7ea8f55198ddfa
SHA256 62e112e61b5c9c582f5a9aac790a9275be8a560d1edb93c3a6879330298e53fc
SHA512 7d719b9698344ba99d3d860e28421bc7cfaf2e9d80cfc6da472413800900aa64f055add8269553e9838aa998df4d6575c6bf0091cf6263a6ea0c2537c36b5df0

C:\Users\Admin\AppData\Local\Temp\2fejptRVqtuxOlbo01siOY8OCTG\resources\app\src\ads.ejs

MD5 ee4146fab6611d7ba9d24e71d9b6363a
SHA1 0e0601beae6e65511660740b79fd18381601ba21
SHA256 213b9c67599b6c11cab64d5c9c2606eea16dafaceb028e93a5b9d4ad6c5c33b4
SHA512 9412dd10b99d79c10ba39e6e3fa027684b19f90361a65b25ebca1b9ccfc437fb303713ebf7e7be6906a4383302425c09a5cb3d0f446929f8d84ff8c462796fab

C:\Users\Admin\AppData\Local\Temp\2fejptRVqtuxOlbo01siOY8OCTG\resources\app\src\path.ejs

MD5 21e1d48f90eb1017539741c7a74cf059
SHA1 7906534922134e26a5c59324aafad63e20bf10ba
SHA256 870496c864624ebce9da0b98ea830249897a2a2317f6a816751f0edb30aeb32b
SHA512 2cd3d44337c5e1b794a2233d25fef122a97910d7f7d32cb811c0fa3f84397dd4781e917ba3db0e024384439413925dd0ab73888d3d82119951b86192e807685b

C:\Users\Admin\AppData\Local\Temp\2fejptRVqtuxOlbo01siOY8OCTG\resources\app\src\install-options.ejs

MD5 877f16609a32c46ff5f8eab3648b1078
SHA1 5a3d5785704f016235b96fdbe04a9de69b48e203
SHA256 f8981d7e2001efe11511d6779675bcbead2fa27d6557a54dcb8492ea958a1454
SHA512 c6df43c91537d13d75e1b2e1b35fc2b452f7d62326f0074c24e975e18a47d31bade8a9e84514091bd537b8cb016c60e87920249cee73370188be045c628a30b0

C:\Users\Admin\AppData\Local\Temp\2fejptRVqtuxOlbo01siOY8OCTG\resources\app\src\eula.ejs

MD5 0887c927cc2ba0250bea889fd5d40660
SHA1 8ae1b01d3c501a15cfeade573a13b93c44ae34d5
SHA256 df0dc42c4ec4e3dbed33e6fd855e977f3bfb4cc2a49a8402ead53bfb9f544d6e
SHA512 01dd4c0e622e95adc652fd06c8503864506cae7466d4114bd11938f69a5b97065ecedf2a9d516d485abaa33fc3442bcd9de46f6a00b0979c11b05951bf2183db

C:\Users\Admin\AppData\Local\Temp\2fejptRVqtuxOlbo01siOY8OCTG\resources\app\src\language.ejs

MD5 3fbf51eb59e0f0b050f5abcd2fcd3dca
SHA1 90d676bc914c2bebf33464dd088952abbedd56f3
SHA256 9016b2792ecdd22276e1d1e4172b4e598478f5668b27beb005e2219d229f216c
SHA512 c5e04500ebdd922d989594e3a0822fa9a9557d749e60af86ab1e309847342431a606f5e604538fa5d5666535bc68c4f5fbeeb4cdda9a832384505aac1ba2d998

C:\Users\Admin\AppData\Local\Temp\2fejptRVqtuxOlbo01siOY8OCTG\resources\app\src\header.ejs

MD5 eef60d35e9f75d3c7030d0574250e56f
SHA1 6d29148b90187fa1583652bc8799e65efa10f637
SHA256 3cf434b126e4369ffb8e9f4d489daee1aad9f47828850386984b3c752cdc7042
SHA512 529bf36dacd2fc808e63a8091a8aa92f5d3d39c23077bc72298bf052f1bdcd6fc05282608ce5337643d3c1a794bdde2b8d364f7deb0c4b7ae75810be3bdb165b

C:\Users\Admin\AppData\Local\Temp\2fejptRVqtuxOlbo01siOY8OCTG\d3dcompiler_47.dll

MD5 2191e768cc2e19009dad20dc999135a3
SHA1 f49a46ba0e954e657aaed1c9019a53d194272b6a
SHA256 7353f25dc5cf84d09894e3e0461cef0e56799adbc617fce37620ca67240b547d
SHA512 5adcb00162f284c16ec78016d301fc11559dd0a781ffbeff822db22efbed168b11d7e5586ea82388e9503b0c7d3740cf2a08e243877f5319202491c8a641c970

C:\Users\Admin\AppData\Local\Temp\2fejptRVqtuxOlbo01siOY8OCTG\resources\app\src\assets\icon.ico

MD5 372b8e595552272d8980d7ce68a22a45
SHA1 3458abecc3172f86c0a42f889402a700964a7bdc
SHA256 9a6b51f26c9efb993a02f67582477d9b524b029af5d6b1bea046840012dc110e
SHA512 bb712405ea0c0ec66add82abd04ca8f32e07bea7e4bbdcb2bce53a16caf8d9bf2a514ec8e647739e739f995931fc6d04d155e8b2f381fb93765024a4aebc1fa4

C:\Users\Admin\AppData\Local\Temp\2fejptRVqtuxOlbo01siOY8OCTG\resources\app\src\assets\js\index.js

MD5 a43acb5bbde4eec35fa3992eca3a0fe5
SHA1 5df08727880475be34beabb49c80d04a1638ab07
SHA256 3c53963dae15a539bf383875155233cc4c1a069e5ba7c13937699c992b8a2701
SHA512 588412abff1307a4733bc5b0795ad1098791898e2329955a5db551bf51ad754382f16a0a6dd57717f135b0e9c334e4cc8b678353302d4960137462b24a919350

C:\Users\Admin\AppData\Local\Temp\2fejptRVqtuxOlbo01siOY8OCTG\resources\app\src\assets\images\flags\fr.png

MD5 d03e36af77543804318d6a5e220724ea
SHA1 58f8df12d68e055019dce59a93afe17207d68bd8
SHA256 9914c4861965f03acbbc077509a8dbe76471a4b3c26eb3932427f9972236edb5
SHA512 8b10141b6411d05c4f7f7a1e3139fb0e7a8223c470b5f6a2ab84e07c482d39a56820b3e3a867263321744e2d5272bf9fabc81bde61fbb7e79e2ef31a37cacc12

C:\Users\Admin\AppData\Local\Temp\2fejptRVqtuxOlbo01siOY8OCTG\resources\app\src\assets\images\flags\pt.png

MD5 188d843e650bbcb429950217dfc0131f
SHA1 ec3a3cbab918dc69f797f96b718fc22e398771b0
SHA256 60d97aeb01ec6481d1c9f5be24082655c880a4ec947e42713168e3c36d6015b6
SHA512 8b8aa9535194304633d229161377c73e0b13fb757a2661620a4ebb33d0bf6bc7d56fe2456a062e7ef9f6224fc2aabeaad9d472b83c96f2643e4e44b9e46015ea

C:\Users\Admin\AppData\Local\Temp\2fejptRVqtuxOlbo01siOY8OCTG\resources\app\src\assets\images\flags\en.png

MD5 c2de03c4d117d87763d4e1e5e28482db
SHA1 bfbecbfba4c5a871894c6784da913fa495a2aa3b
SHA256 e423db68a40835ac299155e365864461e37115a96f996091d5af026103d753e2
SHA512 628f47a91c2605a66dda06430f26d8685384136c0d04bc3146dd033462ef7def71c7d9ddd43cf3d07e892a400d089faed938a91317a94fce4febfd01183e1301

C:\Users\Admin\AppData\Local\Temp\2fejptRVqtuxOlbo01siOY8OCTG\resources\app\src\assets\images\flags\es.png

MD5 ff0df90a5a69c16ef24fab173a89ee4f
SHA1 02b14de1912f54b2b0630346c2cfe75a8da6d5b9
SHA256 c79f2cdfee1e6666b8180b7ee33d1f06bcffb113e602e8ec47b668d4db4f18d9
SHA512 4387449064aada45fba5e933304c5f931c29187acc025d291f1a758c6b2453085faa42693b2395fb08829b62187577988149514e133c2d4c58d6a2ed851f7ccc

C:\Users\Admin\AppData\Local\Temp\2fejptRVqtuxOlbo01siOY8OCTG\resources\app\src\assets\css\index.css

MD5 3eaee883756164643699708fccb2c5ca
SHA1 d1afc0d030427a4be6e5f1d25ad5904503f527ef
SHA256 400743c30d1cb641da64e1bb44166d07850908e40e2103cda0e6010a3eaf4922
SHA512 3bbea7306e3fe1f6d20e5335b05ad25316236820255782fe8be10dcac1df0e45ed892e52f3f789895e7f811859f38538fa7a612d4e57748fc43100f34c8b257a

C:\Users\Admin\AppData\Local\Temp\2fejptRVqtuxOlbo01siOY8OCTG\resources\app\src\assets\images\flags\it.png

MD5 b9673fed0ded2c7a6a3e2572b60ebb5c
SHA1 b4c6de948d9d7fb396dee563804fb161dc541cbe
SHA256 7ed6102d8a617b6cc2f7fe101ce130b037bf4fe7cc41deb011430f8def81b14a
SHA512 0f5965e93a08ea0a4f2a38de0e9f4accef71dea85d56f07c771ca62a966ab2049d611b1749544343e4389cea203137cb037fa2b7bd420087acfd3ddec2fc52f8

C:\Users\Admin\AppData\Local\Temp\2fejptRVqtuxOlbo01siOY8OCTG\resources\app\src\assets\images\flags\de.png

MD5 0c730750c8a99bc30cf20b83d235aea6
SHA1 8ea6cd3bbdaae43607b4882560c4e04ef8eeaf8d
SHA256 b9d2aced61236662459e3acaaeaf44ce7af28405847c9a54d42fa4ae344f045f
SHA512 2fc3251378520052892b529b8c3638cbc3dd9c4ac471dc20382930c103c886826f05969400d7d1054b066cc81d00813ba86532b20be646aa8910efec9dfc6c23

C:\Users\Admin\AppData\Local\Temp\2fejptRVqtuxOlbo01siOY8OCTG\resources\app\src\assets\images\background.png

MD5 54d3046d693ef7dc0e06a32ff629e7a1
SHA1 1d14c54f2db92c94e467dc3b3f6480fe737ed830
SHA256 62a7ec1cb750aa28bcfdc93cebf1521f8cdc352992938652527aacb79618e57c
SHA512 b4e123d3bf4b21bdb1c73ab9374bad0e1090e5cfd0b758bebfd907d4f3736c9f4e87e73e693a85eed66bd0e1eee85fbcf1a152eeb83ea6f317e85022d67fca3d

C:\Users\Admin\AppData\Roaming\Battly Launcher Installer\Network\Network Persistent State~RFe589a57.TMP

MD5 2800881c775077e1c4b6e06bf4676de4
SHA1 2873631068c8b3b9495638c865915be822442c8b
SHA256 226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974
SHA512 e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

C:\Users\Admin\AppData\Roaming\Battly Launcher Installer\Network\Network Persistent State

MD5 2aae6b368d84bf31cc74f908953fbb63
SHA1 c5f459a739a3143b70baefabf4595408843d45bc
SHA256 19c16cb19095d79bfd12feba6bec8177fc2f6eaeb7fa05d6f183a8304a0b1aeb
SHA512 cbd7c5c4e37299266793f702e7e8968c7e7037816427af59d554c236e38b98ccc928e727095c5607ebf72d40578717e2061f2dbfe99d65aa958e53b65be3c9ea

memory/1544-538-0x0000016508950000-0x0000016508951000-memory.dmp

memory/1544-540-0x0000016508950000-0x0000016508951000-memory.dmp

memory/1544-539-0x0000016508950000-0x0000016508951000-memory.dmp

memory/1544-550-0x0000016508950000-0x0000016508951000-memory.dmp

memory/1544-549-0x0000016508950000-0x0000016508951000-memory.dmp

memory/1544-548-0x0000016508950000-0x0000016508951000-memory.dmp

memory/1544-547-0x0000016508950000-0x0000016508951000-memory.dmp

memory/1544-546-0x0000016508950000-0x0000016508951000-memory.dmp

memory/1544-545-0x0000016508950000-0x0000016508951000-memory.dmp

memory/1544-544-0x0000016508950000-0x0000016508951000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-02 22:24

Reported

2024-06-02 22:31

Platform

win7-20240508-en

Max time kernel

122s

Max time network

128s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\chalk\node_modules\has-flag\license

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\chalk\node_modules\has-flag\license

Network

N/A

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-06-02 22:24

Reported

2024-06-02 22:31

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

175s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\chalk\node_modules\supports-color\package.json

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\chalk\node_modules\supports-color\package.json

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3724 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
GB 96.16.110.114:80 tcp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 216.58.213.10:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 10.213.58.216.in-addr.arpa udp
US 8.8.8.8:53 123.10.44.20.in-addr.arpa udp
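
This Network table and the one for the Electron launcher run above are dominated by sandbox background traffic: reverse (PTR) lookups of in-addr.arpa names at 8.8.8.8:53, Bing and Edge traffic, and DNS-over-HTTPS connections to dns.google. The rows worth a second look are the two with an empty Domain column, 96.16.110.114:80 and 13.107.253.64:443, where the report recorded a connection without a name behind it. The script below is an added triage helper, not part of this report: it parses rows in the table's format and sorts them into noise and review buckets. The list of background domains is an assumption about this sandbox's environment, and the sample rows are copied from the two tables.

```python
from collections import defaultdict
from dataclasses import dataclass

# Rows copied from the behavioral22 Network table above (constructed sample input).
SAMPLE_CMD_RUN = """
Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
GB 96.16.110.114:80 tcp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 216.58.213.10:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 10.213.58.216.in-addr.arpa udp
"""

# Representative rows from the Electron launcher run's Network table (constructed sample input).
SAMPLE_ELECTRON_RUN = """
Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:443 dns.google tcp
US 8.8.4.4:443 dns.google tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
"""

# Assumption: names the sandbox image and its browser contact on their own.
BACKGROUND_SUFFIXES = ("bing.com", "bing.net", "dns.google", "googleapis.com")


@dataclass(frozen=True)
class Row:
    country: str
    dest: str      # ip:port
    domain: str    # "" when the report shows no name for the connection
    proto: str


def parse_rows(text):
    """Parse 'Country Destination Domain Proto' rows; the Domain column may be empty."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts or parts[0] == "Country":
            continue
        if len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        elif len(parts) == 4:
            country, dest, domain, proto = parts
        else:
            raise ValueError(f"unexpected row shape: {line!r}")
        rows.append(Row(country, dest, domain, proto))
    return rows


def classify(row):
    """Bucket one row: PTR noise, plain DNS, known background names, or review."""
    port = row.dest.rsplit(":", 1)[1]
    if row.domain.endswith(".in-addr.arpa"):
        return "ptr-lookup"
    if port == "53":
        return "dns-query"
    if row.domain and any(row.domain == s or row.domain.endswith("." + s)
                          for s in BACKGROUND_SUFFIXES):
        return "background"
    if not row.domain:
        return "review-unresolved"    # connection recorded with no name behind it
    return "review"


def triage(text):
    """Return {bucket: [destinations...]} in table order."""
    buckets = defaultdict(list)
    for row in parse_rows(text):
        buckets[classify(row)].append(row.dest)
    return dict(buckets)


def needs_review(text):
    """Destinations an analyst should look at by hand."""
    t = triage(text)
    return set(t.get("review", [])) | set(t.get("review-unresolved", []))


if __name__ == "__main__":
    print(triage(SAMPLE_CMD_RUN))
    print("review:", needs_review(SAMPLE_CMD_RUN))
```

An empty Domain column only means the report paired no name with the connection; it does not prove the process connected to a raw IP, so the unresolved rows are a starting point for a packet-capture check rather than a finding on their own.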

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-06-02 22:24

Reported

2024-06-02 22:31

Platform

win7-20231129-en

Max time kernel

117s

Max time network

123s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\color-convert\package.json

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.json\ = "json_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\json_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\json_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\json_auto_file C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.json C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\json_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\json_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\json_auto_file\ C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\color-convert\package.json

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\color-convert\package.json

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\color-convert\package.json"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 48fc6b42bf841e86b5826c49cb0ce3e6
SHA1 a0bb470938169345d9bdadff9f46bddc4e38678e
SHA256 d90304508e6ea1c5c330f25530a46fdbd5e94cc3f9d2988598777663d711ec0e
SHA512 182abb2d9fe41fe108b2af28d66bd43ed0f91086e97acf4f7bac22d536912b6052858df496937aeb8904fb47017ea96d534ca43dfbab46e793ad585cb296aaa0

Analysis: behavioral32

Detonation Overview

Submitted

2024-06-02 22:24

Reported

2024-06-02 22:31

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

161s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\color-name\package.json

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\color-name\package.json

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 67.112.168.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-02 22:24

Reported

2024-06-02 22:31

Platform

win7-20240221-en

Max time kernel

119s

Max time network

128s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\balanced-match\package.json

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\json_auto_file C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.json C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.json\ = "json_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\json_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\json_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\json_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\json_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\json_auto_file\shell C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\balanced-match\package.json

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\balanced-match\package.json

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\balanced-match\package.json"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 47d7e1174fa5da5fe01d7c0f70b66484
SHA1 66f8ea2a0973ddf9fc377fb75401c2f330814b06
SHA256 331100ec13e34c6fdc1056e20c4912c8e4194e6567fbc78aded2ec3c486bcd36
SHA512 62953029f34957c01e098115ded9a3e5d1af74f34aba47d44a2d26735804929c59da19f5a58159e70009b50eb58393fb0ebfd96a1c230f963d0be331545e9894

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-02 22:24

Reported

2024-06-02 22:31

Platform

win7-20240215-en

Max time kernel

122s

Max time network

129s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\brace-expansion\package.json

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.json C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\json_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\json_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\json_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\json_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\json_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\json_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.json\ = "json_auto_file" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\brace-expansion\package.json

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\brace-expansion\package.json

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\brace-expansion\package.json"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 90855da15d86f018fda8ba2176d3ce91
SHA1 b06a77db48cc925e9a177226e5d4ef4174c0cdec
SHA256 4e6f84ef00deb7a2f9568981ef8449e51658bf219b793b608b53cc14912ec2bc
SHA512 e515aec4b99541f746de570625536558b9f94c6e1f5200c92eb9d8dcc856f548316202008d7f18747b3a08bd902d9524cae647669e50babf40d6a2c1e893bbc0

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-02 22:24

Reported

2024-06-02 22:31

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

156s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\brace-expansion\package.json

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\brace-expansion\package.json

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-06-02 22:24

Reported

2024-06-02 22:31

Platform

win10v2004-20240508-en

Max time kernel

130s

Max time network

156s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\chalk\node_modules\supports-color\license

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\chalk\node_modules\supports-color\license

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-06-02 22:24

Reported

2024-06-02 22:31

Platform

win10v2004-20240508-en

Max time kernel

143s

Max time network

163s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\color-name\LICENSE

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\color-name\LICENSE

Network

Country Destination Domain Proto

Files

N/A