Analysis Overview
SHA256
2def636e2d18041f6a4e77c3935ef0633c7639e55d8e691d7fc7ff8ea4ae1fd5
Threat Level: Shows suspicious behavior
The file Buff Achievement Tracker - Installer.exe was found to show suspicious behavior.
Malicious Activity Summary
ACProtect 1.3x - 1.4x DLL software
UPX packed file
Checks computer location settings
Drops file in System32 directory
Executes dropped EXE
Loads dropped DLL
Registers COM server for autorun
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Unsigned PE
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Enumerates system info in registry
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Checks processor information in registry
Checks SCSI registry key(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Modifies data under HKEY_USERS
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-07 16:59
Signatures
ACProtect 1.3x - 1.4x DLL software
UPX packed file
Unsigned PE
Analysis: behavioral9
Detonation Overview
Submitted
2024-06-07 16:59
Reported
2024-06-07 17:04
Platform
win10v2004-20240508-en
Max time kernel
92s
Max time network
153s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app\js\utils\analytics.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-06-07 16:59
Reported
2024-06-07 17:03
Platform
win10v2004-20240426-en
Max time kernel
92s
Max time network
95s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app\js\utils\utils.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-06-07 16:59
Reported
2024-06-07 17:03
Platform
win10v2004-20240508-en
Max time kernel
92s
Max time network
94s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app\js\windows\cri\cri-controller.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-07 16:59
Reported
2024-06-07 17:03
Platform
win10v2004-20240426-en
Max time kernel
123s
Max time network
125s
Command Line
Signatures
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133622532830472825" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app\cmp.html
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcaaecab58,0x7ffcaaecab68,0x7ffcaaecab78
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1680 --field-trial-handle=1928,i,15424900266118247799,3783619391359539932,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1928,i,15424900266118247799,3783619391359539932,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2180 --field-trial-handle=1928,i,15424900266118247799,3783619391359539932,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3024 --field-trial-handle=1928,i,15424900266118247799,3783619391359539932,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3036 --field-trial-handle=1928,i,15424900266118247799,3783619391359539932,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4356 --field-trial-handle=1928,i,15424900266118247799,3783619391359539932,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4244 --field-trial-handle=1928,i,15424900266118247799,3783619391359539932,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4564 --field-trial-handle=1928,i,15424900266118247799,3783619391359539932,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4352 --field-trial-handle=1928,i,15424900266118247799,3783619391359539932,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4724 --field-trial-handle=1928,i,15424900266118247799,3783619391359539932,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4712 --field-trial-handle=1928,i,15424900266118247799,3783619391359539932,131072 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | content.overwolf.com | udp |
| RO | 54.192.235.124:443 | content.overwolf.com | tcp |
| RO | 54.192.235.124:443 | content.overwolf.com | tcp |
| US | 8.8.8.8:53 | 74.204.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 124.235.192.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | 99.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | beacons.gcp.gvt2.com | udp |
| US | 192.178.49.195:443 | beacons.gcp.gvt2.com | tcp |
| US | 8.8.8.8:53 | beacons5.gvt3.com | udp |
| US | 192.178.49.195:443 | beacons.gcp.gvt2.com | udp |
| US | 192.178.49.163:443 | beacons5.gvt3.com | tcp |
| US | 8.8.8.8:53 | 195.49.178.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 163.49.178.192.in-addr.arpa | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-07 16:59
Reported
2024-06-07 17:04
Platform
win10v2004-20240426-en
Max time kernel
150s
Max time network
154s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app\js\block_inputs.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.197.79.40.in-addr.arpa | udp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-06-07 16:59
Reported
2024-06-07 17:02
Platform
win10v2004-20240508-en
Max time kernel
92s
Max time network
93s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app\js\utils\commands.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 52.111.229.48:443 | N/A | tcp |
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-06-07 16:59
Reported
2024-06-07 17:03
Platform
win10v2004-20240426-en
Max time kernel
93s
Max time network
95s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app\js\windows\main\template.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral30
Detonation Overview
Submitted
2024-06-07 16:59
Reported
2024-06-07 17:04
Platform
win10v2004-20240508-en
Max time kernel
93s
Max time network
153s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app\js\windows\welcome\template.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral31
Detonation Overview
Submitted
2024-06-07 16:59
Reported
2024-06-07 17:04
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
158s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app\js\windows\welcome\welcome-controller.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 137.71.105.51.in-addr.arpa | udp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-07 16:59
Reported
2024-06-07 17:04
Platform
win10v2004-20240426-en
Max time kernel
92s
Max time network
159s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app\js\models\notifications.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-06-07 16:59
Reported
2024-06-07 17:03
Platform
win10v2004-20240426-en
Max time kernel
92s
Max time network
96s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app\js\windows\main\main-controller.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp |
Files
Analysis: behavioral28
Detonation Overview
Submitted
2024-06-07 16:59
Reported
2024-06-07 17:03
Platform
win10v2004-20240508-en
Max time kernel
125s
Max time network
153s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app\js\windows\settings\settings-controller.js
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3804,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=3964 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-06-07 16:59
Reported
2024-06-07 17:02
Platform
win10v2004-20240508-en
Max time kernel
92s
Max time network
94s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app\js\utils\modal-events-delegate.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | N/A | tcp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 113.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-07 16:59
Reported
2024-06-07 17:02
Platform
win10v2004-20240508-en
Max time kernel
67s
Max time network
69s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\nsu45F3.tmp\OWinstaller.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_amd64_1793a485b491b199\msmouse.PNF | C:\Windows\System32\DxDiag.exe | N/A |
| File created | \??\c:\windows\system32\driverstore\filerepository\msmouse.inf_amd64_1793a485b491b199\msmouse.PNF | C:\Windows\System32\DxDiag.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_amd64_5938c699b80ebb8f\keyboard.PNF | C:\Windows\System32\DxDiag.exe | N/A |
| File created | \??\c:\windows\system32\driverstore\filerepository\keyboard.inf_amd64_5938c699b80ebb8f\keyboard.PNF | C:\Windows\System32\DxDiag.exe | N/A |
| File created | \??\c:\windows\system32\driverstore\filerepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF | C:\Windows\System32\DxDiag.exe | N/A |
| File created | \??\c:\windows\system32\driverstore\filerepository\machine.inf_amd64_b748590104fe1c15\machine.PNF | C:\Windows\System32\DxDiag.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF | C:\Windows\System32\DxDiag.exe | N/A |
| File created | \??\c:\windows\system32\driverstore\filerepository\usbport.inf_amd64_254cd5ae09de6b08\usbport.PNF | C:\Windows\System32\DxDiag.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\hdaudbus.inf_amd64_533c8d455025cc59\hdaudbus.PNF | C:\Windows\System32\DxDiag.exe | N/A |
| File created | \??\c:\windows\system32\driverstore\filerepository\hdaudbus.inf_amd64_533c8d455025cc59\hdaudbus.PNF | C:\Windows\System32\DxDiag.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\usbport.inf_amd64_254cd5ae09de6b08\usbport.PNF | C:\Windows\System32\DxDiag.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\input.inf_amd64_adeb6424513f60a2\input.PNF | C:\Windows\System32\DxDiag.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF | C:\Windows\System32\DxDiag.exe | N/A |
| File created | \??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF | C:\Windows\System32\DxDiag.exe | N/A |
| File created | \??\c:\windows\system32\driverstore\filerepository\input.inf_amd64_adeb6424513f60a2\input.PNF | C:\Windows\System32\DxDiag.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_0d06b6638bdb4763\mshdc.PNF | C:\Windows\System32\DxDiag.exe | N/A |
| File created | \??\c:\windows\system32\driverstore\filerepository\mshdc.inf_amd64_0d06b6638bdb4763\mshdc.PNF | C:\Windows\System32\DxDiag.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\machine.inf_amd64_b748590104fe1c15\machine.PNF | C:\Windows\System32\DxDiag.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsu45F3.tmp\OWinstaller.exe | N/A |
Loads dropped DLL
Registers COM server for autorun
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\System32\DxDiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\InprocServer32 | C:\Windows\System32\DxDiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32 | C:\Windows\System32\DxDiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ = "C:\\Windows\\System32\\dxdiagn.dll" | C:\Windows\System32\DxDiag.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\System32\DxDiag.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Windows\System32\DxDiag.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | C:\Windows\System32\DxDiag.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\System32\DxDiag.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\System32\DxDiag.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\System32\DxDiag.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}" | C:\Windows\System32\DxDiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove | C:\Windows\System32\DxDiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\System32\DxDiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\ = "DxDiagProvider Class" | C:\Windows\System32\DxDiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1 | C:\Windows\System32\DxDiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID | C:\Windows\System32\DxDiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer\ = "DxDiag.DxDiagClassObject.1" | C:\Windows\System32\DxDiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer\ = "DxDiag.DxDiagClassObject.1" | C:\Windows\System32\DxDiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}" | C:\Windows\System32\DxDiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider | C:\Windows\System32\DxDiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CLSID | C:\Windows\System32\DxDiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\VersionIndependentProgID | C:\Windows\System32\DxDiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\ = "DxDiagClassObject Class" | C:\Windows\System32\DxDiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID\ = "DxDiag.DxDiagClassObject.1" | C:\Windows\System32\DxDiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\ProgID | C:\Windows\System32\DxDiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID | C:\Windows\System32\DxDiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32 | C:\Windows\System32\DxDiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\CLSID | C:\Windows\System32\DxDiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer | C:\Windows\System32\DxDiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID | C:\Windows\System32\DxDiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ = "DxDiagClassObject Class" | C:\Windows\System32\DxDiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID | C:\Windows\System32\DxDiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID\ = "DxDiag.DxDiagClassObject" | C:\Windows\System32\DxDiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7} | C:\Windows\System32\DxDiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer | C:\Windows\System32\DxDiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B} | C:\Windows\System32\DxDiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove\ = "Programmable" | C:\Windows\System32\DxDiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\InprocServer32 | C:\Windows\System32\DxDiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1337824034-2731376981-3755436523-1000\{FC98E22C-AC38-46A8-8D12-9DE6C08F7237} | C:\Windows\System32\DxDiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\ = "DxDiagClassObject Class" | C:\Windows\System32\DxDiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject | C:\Windows\System32\DxDiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID | C:\Windows\System32\DxDiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ = "C:\\Windows\\System32\\dxdiagn.dll" | C:\Windows\System32\DxDiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1 | C:\Windows\System32\DxDiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\ = "DxDiagProvider Class" | C:\Windows\System32\DxDiag.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsu45F3.tmp\OWinstaller.exe | N/A |
| N/A | N/A | C:\Windows\System32\DxDiag.exe | N/A |
| N/A | N/A | C:\Windows\System32\DxDiag.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\nsu45F3.tmp\OWinstaller.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsu45F3.tmp\OWinstaller.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsu45F3.tmp\OWinstaller.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsu45F3.tmp\OWinstaller.exe | N/A |
| N/A | N/A | C:\Windows\System32\DxDiag.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2968 wrote to memory of 220 | N/A | C:\Users\Admin\AppData\Local\Temp\Buff Achievement Tracker - Installer.exe | C:\Users\Admin\AppData\Local\Temp\nsu45F3.tmp\OWinstaller.exe |
| PID 2968 wrote to memory of 220 | N/A | C:\Users\Admin\AppData\Local\Temp\Buff Achievement Tracker - Installer.exe | C:\Users\Admin\AppData\Local\Temp\nsu45F3.tmp\OWinstaller.exe |
| PID 220 wrote to memory of 4176 | N/A | C:\Users\Admin\AppData\Local\Temp\nsu45F3.tmp\OWinstaller.exe | C:\Windows\System32\DxDiag.exe |
| PID 220 wrote to memory of 4176 | N/A | C:\Users\Admin\AppData\Local\Temp\nsu45F3.tmp\OWinstaller.exe | C:\Windows\System32\DxDiag.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Buff Achievement Tracker - Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Buff Achievement Tracker - Installer.exe"
C:\Users\Admin\AppData\Local\Temp\nsu45F3.tmp\OWinstaller.exe
"C:\Users\Admin\AppData\Local\Temp\nsu45F3.tmp\OWinstaller.exe" Sel=1&Partner=3762&Extension=caboggillkkpgkiokbjmgldfkedbfnpkgadakcdl&Name=Buff%20Achievement%20Tracker&Thanks=https%3A%2F%2Fbuff.game%2Fthank-you-page%2F&UtmSource=google&UtmMedium=cpc&UtmCampaign=21318816400&UtmTerm=ytv&UtmContent=Buff_AW__EAIaIQobChMIuvmPyvnJhgMV9OLnAx3IPwTSEAEYASAAEgKZv_D_BwE&Browser=other -partnerCustomizationLevel 0 --app-name="Buff" -exepath C:\Users\Admin\AppData\Local\Temp\Buff Achievement Tracker - Installer.exe
C:\Windows\System32\DxDiag.exe
"C:\Windows\System32\DxDiag.exe" /tC:\Users\Admin\AppData\Local\Overwolf\Temp\DxDiagOutput.txt
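The "Suspicious use of WriteProcessMemory" rows name PIDs, the Processes list names command lines, and the report does not join the two. Joining them on image path gives the launch chain installer (2968) -> OWinstaller.exe (220) -> DxDiag.exe (4176): every write target also appears in the Processes list with its own command line, which is consistent with a parent writing to a child it has just created rather than with a write into an unrelated, pre-existing process. The script below is an added example for this page, not part of the sandbox report; the rows and command lines are copied from the tables above, and it also decodes the single query-string argument handed to OWinstaller.exe (partner id, thank-you URL, UTM fields, -exepath), which is hard to read on one line.

```python
import re
from typing import Dict, List, Set, Tuple
from urllib.parse import parse_qs, urlparse

# "Suspicious use of WriteProcessMemory" rows copied from this report (duplicates included).
WPM_ROWS = r"""
| PID 2968 wrote to memory of 220 | N/A | C:\Users\Admin\AppData\Local\Temp\Buff Achievement Tracker - Installer.exe | C:\Users\Admin\AppData\Local\Temp\nsu45F3.tmp\OWinstaller.exe |
| PID 2968 wrote to memory of 220 | N/A | C:\Users\Admin\AppData\Local\Temp\Buff Achievement Tracker - Installer.exe | C:\Users\Admin\AppData\Local\Temp\nsu45F3.tmp\OWinstaller.exe |
| PID 220 wrote to memory of 4176 | N/A | C:\Users\Admin\AppData\Local\Temp\nsu45F3.tmp\OWinstaller.exe | C:\Windows\System32\DxDiag.exe |
| PID 220 wrote to memory of 4176 | N/A | C:\Users\Admin\AppData\Local\Temp\nsu45F3.tmp\OWinstaller.exe | C:\Windows\System32\DxDiag.exe |
"""

# Image path -> command line, copied from the "Processes" list of this report.
PROCESSES = {
    r"C:\Users\Admin\AppData\Local\Temp\Buff Achievement Tracker - Installer.exe":
        r'"C:\Users\Admin\AppData\Local\Temp\Buff Achievement Tracker - Installer.exe"',
    r"C:\Users\Admin\AppData\Local\Temp\nsu45F3.tmp\OWinstaller.exe":
        r'"C:\Users\Admin\AppData\Local\Temp\nsu45F3.tmp\OWinstaller.exe" Sel=1&Partner=3762&Extension=caboggillkkpgkiokbjmgldfkedbfnpkgadakcdl&Name=Buff%20Achievement%20Tracker&Thanks=https%3A%2F%2Fbuff.game%2Fthank-you-page%2F&UtmSource=google&UtmMedium=cpc&UtmCampaign=21318816400&UtmTerm=ytv&UtmContent=Buff_AW__EAIaIQobChMIuvmPyvnJhgMV9OLnAx3IPwTSEAEYASAAEgKZv_D_BwE&Browser=other -partnerCustomizationLevel 0 --app-name="Buff" -exepath C:\Users\Admin\AppData\Local\Temp\Buff Achievement Tracker - Installer.exe',
    r"C:\Windows\System32\DxDiag.exe":
        r'"C:\Windows\System32\DxDiag.exe" /tC:\Users\Admin\AppData\Local\Overwolf\Temp\DxDiagOutput.txt',
}

# | PID <src> wrote to memory of <dst> | N/A | <source image> | <target image> |
WPM = re.compile(r"^\|\s*PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)\s*\|[^|]*\|\s*(?P<sp>[^|]*?)\s*\|\s*(?P<dp>[^|]*?)\s*\|")


def build_chain(rows: str) -> Tuple[Dict[int, str], Set[Tuple[int, int]]]:
    """Map PID -> image path and collect de-duplicated writer -> target edges."""
    images: Dict[int, str] = {}
    edges: Set[Tuple[int, int]] = set()
    for line in rows.splitlines():
        m = WPM.match(line.strip())
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        images[src], images[dst] = m["sp"], m["dp"]
        edges.add((src, dst))
    return images, edges


def roots(images: Dict[int, str], edges: Set[Tuple[int, int]]) -> List[int]:
    """PIDs that were never written to: the top of each chain."""
    targets = {d for _, d in edges}
    return sorted(p for p in images if p not in targets)


def render(images, edges, pid=None, depth=0) -> str:
    """Indented writer -> target tree, each node with its command line when the report has one."""
    out = []
    for p in ([pid] if pid is not None else roots(images, edges)):
        cmd = PROCESSES.get(images[p], "<command line not in report>")
        out.append("  " * depth + f"[{p}] {cmd}")
        for s, d in sorted(edges):
            if s == p:
                out.append(render(images, edges, d, depth + 1))
    return "\n".join(out)


# "<quoted exe>" <query string> <remaining flags>
INSTALLER_ARGS = re.compile(r'^"(?P<exe>[^"]+)"\s+(?P<query>\S+)(?P<rest>.*)$')


def parse_installer_args(cmdline: str) -> Dict[str, str]:
    """Split the OWinstaller.exe argument into query-string fields plus the trailing flags."""
    m = INSTALLER_ARGS.match(cmdline)
    fields = {k: v[0] for k, v in parse_qs(m["query"]).items()}
    exepath = re.search(r"-exepath\s+(.*)$", m["rest"])     # unquoted path with spaces
    appname = re.search(r'--app-name="([^"]*)"', m["rest"])
    fields["_exepath"] = exepath.group(1) if exepath else ""
    fields["_app_name"] = appname.group(1) if appname else ""
    fields["_thanks_host"] = urlparse(fields.get("Thanks", "")).netloc
    return fields


if __name__ == "__main__":
    images, edges = build_chain(WPM_ROWS)
    print(render(images, edges))
    for k, v in parse_installer_args(PROCESSES[images[220]]).items():
        print(f"  {k} = {v}")
```

A write target that does not appear as a launched process, or a chain whose root is not the submitted sample, is the case where the WriteProcessMemory signature deserves attention; here both edges terminate in processes the report lists with their own command lines.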
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | analyticsnew.overwolf.com | udp |
| RO | 54.192.235.36:80 | analyticsnew.overwolf.com | tcp |
| US | 8.8.8.8:53 | 200.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 36.235.192.54.in-addr.arpa | udp |
| GB | 216.58.213.14:80 | www.google-analytics.com | tcp |
| RO | 54.192.235.36:443 | analyticsnew.overwolf.com | tcp |
| US | 8.8.8.8:53 | 14.213.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 164.189.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.197.17.2.in-addr.arpa | udp |
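Most rows in the Network tables of this report are UDP queries to 8.8.8.8:53 for names under in-addr.arpa, that is reverse (PTR) lookups of IP addresses; they record that something on the guest resolved an IP back to a name, not a destination the sample chose. The rows that describe the installer's own traffic are the forward lookup of analyticsnew.overwolf.com, the TCP connections to it on ports 80 and 443, the connection to www.google-analytics.com on port 80, and (in the behavioral17 run) a connection to 52.111.229.43:443 with no domain attached. The script below is an added example for this page, not part of the sandbox report; it takes a subset of the rows copied from above, separates reverse lookups, forward lookups and connections, and lists the connections whose name never appeared in a forward lookup inside the capture.

```python
import re
from typing import Dict, List, Tuple

# Subset of rows copied from the Network table of the main behavioural run above,
# plus the domain-less row from the behavioral17 run.
NETWORK_ROWS = r"""
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | analyticsnew.overwolf.com | udp |
| RO | 54.192.235.36:80 | analyticsnew.overwolf.com | tcp |
| US | 8.8.8.8:53 | 200.197.17.2.in-addr.arpa | udp |
| GB | 216.58.213.14:80 | www.google-analytics.com | tcp |
| RO | 54.192.235.36:443 | analyticsnew.overwolf.com | tcp |
| US | 8.8.8.8:53 | 14.213.58.216.in-addr.arpa | udp |
| US | 52.111.229.43:443 | | tcp |
"""

# | Country | ip:port | Domain (may be empty) | Proto |
ROW = re.compile(r"^\|\s*(?P<cc>[^|]*?)\s*\|\s*(?P<ip>[\d.]+):(?P<port>\d+)\s*\|\s*(?P<dom>[^|]*?)\s*\|\s*(?P<proto>[^|]*?)\s*\|")


def ptr_target(name: str) -> str:
    """'149.220.183.52.in-addr.arpa' -> '52.183.220.149' (the IP that was reverse-resolved)."""
    return ".".join(reversed(name[: -len(".in-addr.arpa")].split(".")))


def triage(table: str) -> Dict[str, List]:
    """Sort rows into reverse lookups, forward lookups and actual connections."""
    buckets: Dict[str, List] = {"reverse_dns": [], "forward_dns": [], "connections": []}
    for line in table.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        ip, port, dom, proto = m["ip"], int(m["port"]), m["dom"], m["proto"]
        if port == 53 and proto == "udp":
            if dom.endswith(".in-addr.arpa"):
                buckets["reverse_dns"].append(ptr_target(dom))
            else:
                buckets["forward_dns"].append(dom)
        else:
            # no domain in the row: keep the bare IP as the name
            buckets["connections"].append((dom or ip, ip, port, proto))
    return {k: list(dict.fromkeys(v)) for k, v in buckets.items()}  # de-duplicate, keep order


def unresolved_connections(result: Dict[str, List]) -> List[Tuple[str, str, int, str]]:
    """Connections whose name never appeared in a forward lookup in the capture:
    direct-to-IP traffic or names resolved before/outside the capture window."""
    names = set(result["forward_dns"])
    return [c for c in result["connections"] if c[0] not in names]


def ptr_for_connections(result: Dict[str, List]) -> List[str]:
    """Reverse lookups whose target IP is one the guest also connected to."""
    ips = {c[1] for c in result["connections"]}
    return [ip for ip in result["reverse_dns"] if ip in ips]


if __name__ == "__main__":
    r = triage(NETWORK_ROWS)
    for k, v in r.items():
        print(k, v)
    print("unresolved:", unresolved_connections(r))
    print("PTR on connection IPs:", ptr_for_connections(r))
```

In this subset the only name with a forward lookup is analyticsnew.overwolf.com; www.google-analytics.com and 52.111.229.43 are reported as connections without one, and the PTR row for 216.58.213.14 matches the google-analytics connection IP, which is the guest naming an address it had just talked to.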
Files
C:\Users\Admin\AppData\Local\Temp\nsu45F3.tmp\UserInfo.dll
| MD5 | 9301577ff4d229347fe33259b43ef3b2 |
| SHA1 | 5e39eb4f99920005a4b2303c8089d77f589c133d |
| SHA256 | 090c4bc8dc534e97b3877bd5115eb58b3e181495f29f231479f540bab5c01edc |
| SHA512 | 77dc7a1dedaeb1fb2ccefaba0a526b8d40ea64b9b37af53c056b9428159b67d552e5e3861cbffc2149ec646fdfe9ce94f4fdca51703f79c93e5f45c085e52c79 |
C:\Users\Admin\AppData\Local\Temp\nsu45F3.tmp\System.dll
| MD5 | 7399323923e3946fe9140132ac388132 |
| SHA1 | 728257d06c452449b1241769b459f091aabcffc5 |
| SHA256 | 5a1c20a3e2e2eb182976977669f2c5d9f3104477e98f74d69d2434e79b92fdc3 |
| SHA512 | d6f28ba761351f374ae007c780be27758aea7b9f998e2a88a542eede459d18700adffe71abcb52b8a8c00695efb7ccc280175b5eeb57ca9a645542edfabb64f1 |
C:\Users\Admin\AppData\Local\Temp\nsu45F3.tmp\uac.dll
| MD5 | adb29e6b186daa765dc750128649b63d |
| SHA1 | 160cbdc4cb0ac2c142d361df138c537aa7e708c9 |
| SHA256 | 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08 |
| SHA512 | b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada |
C:\Users\Admin\AppData\Local\Temp\nsu45F3.tmp\utils.dll
| MD5 | aad3f2ecc74ddf65e84dcb62cf6a77cd |
| SHA1 | 1e153e0f4d7258cae75847dba32d0321864cf089 |
| SHA256 | 1cc004fcce92824fa27565b31299b532733c976671ac6cf5dbd1e0465c0e47e8 |
| SHA512 | 8e44b86c92c890d303448e25f091f1864946126343ee4665440de0dbeed1c89ff05e4f3f47d530781aa4db4a0d805b41899b57706b8eddfc95cfa64c073c26e2 |
C:\Users\Admin\AppData\Local\Temp\nsu45F3.tmp\INetC.dll
| MD5 | 640bff73a5f8e37b202d911e4749b2e9 |
| SHA1 | 9588dd7561ab7de3bca392b084bec91f3521c879 |
| SHA256 | c1e568e25ec111184deb1b87cfda4bfec529b1abeab39b66539d998012f33502 |
| SHA512 | 39c6c358e2b480c8cbebcc1da683924c8092fb2947f2da4a8df1b0dc1fdda61003d91d12232a436ec88ff4e0995b7f6ee8c6efbdca935eaa984001f7a72fea0a |
C:\Users\Admin\AppData\Local\Temp\nsu45F3.tmp\OWInstaller.exe
| MD5 | dea5d92def5ac3f55361bd1f44f0503a |
| SHA1 | 8c3426ef7e29cdb43dcb6ee478ef39831a0af6bf |
| SHA256 | 21b6b7dadf2378430ae17574a83d2a028e68a1027a7576f52f7adefdc2c0a324 |
| SHA512 | ec63e20b50fa090a58bd90ef3a8f4f9d1afb1a93286dd6740219d33c6cb4d62c0fb44579bcb93bf2b5ca34f2bfff11b42f4b45fcb0deb9314ba5d5bcd6e6cc0f |
C:\Users\Admin\AppData\Local\Temp\nsu45F3.tmp\OWinstaller.exe.config
| MD5 | 82d22e4e19e27e306317513b9bfa70ff |
| SHA1 | ff3c7dd06b7fff9c12b1beaf0ca32517710ac161 |
| SHA256 | 272e4c5364193e73633caa3793e07509a349b79314ea01808b24fdb12c51b827 |
| SHA512 | b0fb708f6bcab923f5b381b7f03b3220793eff69559e895d7cf0e33781358ec2159f9c8276bf8ba81302feda8721327d43607868de5caaa9015d7bb82060a0b9 |
memory/220-134-0x00007FF8597D3000-0x00007FF8597D5000-memory.dmp
memory/220-135-0x000001B4CD720000-0x000001B4CD76C000-memory.dmp
memory/220-139-0x000001B4E7C90000-0x000001B4E7D34000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsu45F3.tmp\OverWolf.Client.CommonUtils.dll
| MD5 | 6a45b1f51b619ba08761fc91567bf0a7 |
| SHA1 | 4c29b1915dbc859ec462d13bfca7f77a9985133c |
| SHA256 | 4ad3ecd0591f8dad217d5d99e11d809cc699c28f55296845148254f6fce69828 |
| SHA512 | 8fd3c507338bee22af8a74922e1deb28e928734f208cea667bd12e434ec23636c77ccc4d33e9d7c9fefb87715dbe6dfaf75011c3a01619a5050656aad85a3419 |
C:\Users\Admin\AppData\Local\Temp\nsu45F3.tmp\CommandLine.dll
| MD5 | 1d859391711a062c5f48212686505a6a |
| SHA1 | 06db312b20ebfd24e1dd1f729d8ee8dba761c8f6 |
| SHA256 | cee8683c16cc43a542cfa1490894f555857eaf031fcdfb1ed7059e1538e21c8a |
| SHA512 | 340224199c171c3d5b9f06d4a9e6159bc7dab79a58324cffbe7f86857b1eef49e5f9d022b4ec907f9475aba334029ccdf06b8b05ec67b197a9c15809cd8ff7a3 |
memory/220-141-0x000001B4CDB30000-0x000001B4CDB44000-memory.dmp
memory/220-142-0x000001B4E8270000-0x000001B4E8798000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsu45F3.tmp\log4net.dll
| MD5 | f15c8a9e2876568b3910189b2d493706 |
| SHA1 | 32634db97e7c1705286cb1ac5ce20bc4e0ec17af |
| SHA256 | ae9c8073c3357c490f5d1c64101362918357c568f6b9380a60b09a4a4c1ff309 |
| SHA512 | 805cd0a70aba2f1cf66e557d51ad30d42b32fbafcfbc6685ec204bc69847619479f653f4f33a4e466055707880d982eb1574ddab8edfa3c641e51cda950e2a0e |
memory/220-144-0x000001B4E7B50000-0x000001B4E7B96000-memory.dmp
memory/220-145-0x00007FF8597D0000-0x00007FF85A291000-memory.dmp
memory/220-149-0x000001B4E7BE0000-0x000001B4E7BF8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsu45F3.tmp\SharpRaven.dll
| MD5 | 8f6ff3176e7f0b58b033b3d3f1303db3 |
| SHA1 | dc21231170a74f459e45d81fa7dba15e0c6fe2c9 |
| SHA256 | 0ea20361a01f8fc8eab21ab5613e77d36a3506793d4487438c314daf86e90630 |
| SHA512 | a0a3b3548983d15936b8517c2b5d5fa624b902522ab067ad552bedbd361c3192fc2cae889da0f8c986cfd295cccbbaa91596f478154c42f1a1cafbbc7eff86b1 |
C:\Users\Admin\AppData\Local\Temp\nsu45F3.tmp\Newtonsoft.Json.dll
| MD5 | 98cbb64f074dc600b23a2ee1a0f46448 |
| SHA1 | c5e5ec666eeb51ec15d69d27685fe50148893e34 |
| SHA256 | 7b44639cbfbc8ddac8c7a3de8ffa97a7460bebb0d54e9ff2e1ccdc3a742c2b13 |
| SHA512 | eb9eabee5494f5eb1062a33cc605b66d051da6c6990860fe4fd20e5b137458277a636cf27c4f133012d7e0efaa5feb6f48f1e2f342008482c951a6d61feec147 |
memory/220-158-0x000001B4E9100000-0x000001B4E91B0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsu45F3.tmp\app\manifest.json
| MD5 | b8e8d71fa7a9474c7875284925aaed4e |
| SHA1 | 0622eaee0daa6f3e36beb71e7a5c8f622ce2870e |
| SHA256 | 949d178dd878e2e5b5fc71a457503f139f052c54947f233a124ce1a0a6e7fb22 |
| SHA512 | 4ab844d7e120b12600e0600c6b7b948a27e02cec4171ec757da0f2e526318cc627c0d2be1ddf375b2cf3483addb2348305ae0fc8bceb6a527ba92beee20a5d50 |
C:\Users\Admin\AppData\Local\Overwolf\Settings\SettingsPageBasic.xml
| MD5 | d7e1a61f97c32d174737e2fe4c68352a |
| SHA1 | 01621e7ae1d6a2081561a5461400f1000303b344 |
| SHA256 | f21e43eaa09cc68903a3b701bb1c174219386bedee562e04d56256a7a95a3228 |
| SHA512 | c8e950e4c3ad94a677a129db83212c9a27d2012f73d34ed0fcc691269892ac10a37fe630259237064adb977eea1c4a00a5d76f64ae479633df1696601fdf1669 |
memory/220-185-0x000001B4E92F0000-0x000001B4E9312000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsu45F3.tmp\app\images\icon.ico
| MD5 | 51e75bda8d67975d112b9e3676cfee94 |
| SHA1 | 681691af738cd40573219a5cb53f0e898f8f81a9 |
| SHA256 | 2d57121ff4e34cf983bc91b41fdb974883b41efe213bb149e3e81d7d4d10d41e |
| SHA512 | 405a4d29e081ff0bffa081ae4f527ebf9c850fcebca9f1a75af05077289bbdb0dd34d1636734b456767df71e06c7d23ac5d5dd364d2f57e970f72aa476088195 |
C:\Users\Admin\AppData\Local\Temp\nsu45F3.tmp\app\index.html
| MD5 | c7b752acf6d1e10f3aca2c67b1ccf4d3 |
| SHA1 | ab793cb43e0c2b5af0fdcbf90d0d29d5d3e164f7 |
| SHA256 | 69b9f99f6611f953d94984ac35bdaf9e9817f689e1e3614976bebe3465c613fc |
| SHA512 | 120addd79b7ade4f35b426c02631c8167d81080fde30a01b989453113f7547784e525d53bede41ede0c9b3caca8513060753ba51f75bf6936d32ee597d642576 |
C:\Users\Admin\AppData\Local\Temp\nsu45F3.tmp\app\js\libs\jquery-1.10.2.min.js
| MD5 | 44e3f0db3e4ab6fedc5758c05cf27591 |
| SHA1 | 2d408aa1d35661019c95adcc60b78c0727ed25b4 |
| SHA256 | bc44d3631ffef1df7960e359f02002d3ada45ee05205c2cf1edd85da2f518144 |
| SHA512 | 4d4844e53e686fc59a52e86588f328dca3ed6fdad7195c58942a98c51755a24981b903ee7c7b27785375eaad5a7d9501cf74b999674b79f214e66103bad9efdc |
C:\Users\Admin\AppData\Local\Temp\nsu45F3.tmp\app\js\libs\cmp.bundle.js
| MD5 | 1de143ca1babd3c02744f478c8c05c5f |
| SHA1 | ac918b3d2d5f9cbd9e3b3f5e075ce3c96eec16b3 |
| SHA256 | 7fbc3a088ec303143109e0c1b2c04f4c5a6e450a2d6f3071fefb66e92f643ea0 |
| SHA512 | 6e419e11f35a3258124127970961907ed8fe0619f618a4c15542ee7f8a01a9f4a7af4d290b634444d21b823ca1afea65f97d5788fff6665d55c2231214edff24 |
C:\Users\Admin\AppData\Local\Temp\nsu45F3.tmp\app\js\block_inputs.js
| MD5 | b5b52c92b90f4283a761cb8a40860c75 |
| SHA1 | 7212e7e566795017e179e7b9c9bf223b0cdb9ec2 |
| SHA256 | f8dbd6793b35f7a26806f4dabad157aaafdf6d66fad094b50c77d60f223fd544 |
| SHA512 | 16ad53ede5424ca1384e3caea25225589e9eec9e80e2d845948802db90fad222f709a7b651cd7601a34ba67a0627433f25764638fd542cbd4612871308e7b353 |
C:\Users\Admin\AppData\Local\Temp\nsu45F3.tmp\app\js\utils\strings-loader.js
| MD5 | 9c94eb933d8a43dd3825e67a7e30c980 |
| SHA1 | 7ec7b16af6f399219209ba5967d377040486a11b |
| SHA256 | 96445709fde2613af50f4b8908296d4bfccdccb2d9db9febc34a9bf4dcc70ecf |
| SHA512 | a662a299e31633f71a9b9675970359430fdac06dcc284fd7ce92919f244c7f921639f97a42356e993a95865e6c9f198dcba82c126f82065bf2009a31ec9b02f5 |
C:\Users\Admin\AppData\Local\Temp\nsu45F3.tmp\app\js\utils\utils.js
| MD5 | a0952ebeab701c05c75710c33d725e7e |
| SHA1 | 1da8a2e889f1213d481ae3cd5571670c01e64adc |
| SHA256 | b4f0c48cbfeaf8141fd44b12031e3f0410cb0cdc313888ffdb14fdf1d2341246 |
| SHA512 | 5e5ae616d3fded7d2bf47a326242c4477ca3119fb52897bfb41de0be230ccbd6c3da2c00268b3973e9bf7b4f2886aba64fd9719b448662e4130ee66d87913389 |
C:\Users\Admin\AppData\Local\Temp\nsu45F3.tmp\app\js\utils\analytics.js
| MD5 | 525281e9959af4c1c0d11b9243c798a1 |
| SHA1 | 237a84c5b57bd132f48446d718b20640cb28c263 |
| SHA256 | c37f0699cf8ba7d9e3e0f73f1b2af65f4bdc2a31f44594ffc8c73e98b6c2fd1d |
| SHA512 | fe5bafda7773e69c65dd63270e0306abcd39cb2d886b675ab8c714ae0833efde963b69623d468551a1ab37f1db1a1d457f1568f7a29d9cf0bb23bb0edcab5fc4 |
C:\Users\Admin\AppData\Local\Temp\nsu45F3.tmp\app\js\utils\commands.js
| MD5 | 65015f2e2e490f6786abc0560e33e1d0 |
| SHA1 | 47b5c2b3b1f9381e4d2b9d1f3d82ba62828ce28e |
| SHA256 | e874c959c7b8e4351d730d263231df7176b5062580a7d3e0a2684001b510f5d7 |
| SHA512 | a4ad579acfa6000fd8074893a6b45df74558c57afd5b957217491784fa25df370c59d9f92ff245abbdf3d26b42114cc22359ef95c4baa322e326c7e210f43edf |
C:\Users\Admin\AppData\Local\Temp\nsu45F3.tmp\app\js\windows\finish-with-recommended-app\finish-with-recommended-app-controller.js
| MD5 | eb6d6bd7e05d4477e2704dd87b57ca35 |
| SHA1 | f42672ec1e23a3f4bcc2952746d87ba8deff44be |
| SHA256 | 5ca97132a258ed1f36e401d70ccb95be2c9e18395e6010c40f61172914477de5 |
| SHA512 | 1402d611f910cf5078e804175fa4693b591348d3e7cf6d0a6bbe026c259eb9e0bc285233c80cb2f4690674c3e927bc72fbdcbe758826b98fd02ecb3ed82e339a |
C:\Users\Admin\AppData\Local\Temp\nsu45F3.tmp\app\js\app.js
| MD5 | f718bd3f18dd499612623852cd2a2135 |
| SHA1 | 9432b7898f655fbbd8132f4b3f8822959ae3ff97 |
| SHA256 | a14fcaf11a16ad7d904960538ca35d5b05e1c1b6a916f228db6b319c6195acbb |
| SHA512 | 90a697f93f239e8210ad47b6f012d3b40ea9c23a92ab909434d0e2d71bc3d9663d1aa73c64646e3dbf417f9636d1190b3d0cf20d349456dee6b6b8d5536d0338 |
C:\Users\Admin\AppData\Local\Temp\nsu45F3.tmp\app\js\windows\main\main-controller.js
| MD5 | 15b665a5c915004e1aa7e9e11a710f7e |
| SHA1 | 7821924e42bb19d60c572ff80bbaaa04d7aaeefb |
| SHA256 | 84dc33e2eb3118fc77a38b0ca53af42c53f6eb85cfb1e8737dbe39fa03515653 |
| SHA512 | dd47f7bac0dbaac714e6d2fc91b4c24756ca4acb70bdbc4b54cd5216552d6bb85ba2e1c3c8445c5fb40d116dfab6569945cd74730bb7c8f3cf46e8d08f8afa02 |
C:\Users\Admin\AppData\Local\Temp\nsu45F3.tmp\app\js\windows\main\template.js
| MD5 | a118c7724c208f12083240cafccfd10b |
| SHA1 | f89c676a215b869626737862a08c9eb07d440211 |
| SHA256 | 63a43bb08403972d0f4b0e381bd264af14e826e0035242bc1baa9a815956b8fc |
| SHA512 | 9fede79044ae5de7baf5bfba0d5a515ce462a25420026ff45bcf1751e57510023cb40df42d08e880114f62b38ddb218355d5357b725df32a41ae4e6a18414cb3 |
C:\Users\Admin\AppData\Local\Temp\nsu45F3.tmp\app\js\windows\finish-with-recommended-app\template.js
| MD5 | d1cb34b57cef7e28b9286454b197b712 |
| SHA1 | f3a964b319bab82d4eda07e126bbfd6dec35c349 |
| SHA256 | b61dfc304b46e8cd95d7b15bb93c6160b30523a1a093397a84fc8b8bed00ac42 |
| SHA512 | 3a07de9c58134edbb7998f85e6d037a0cd066e32c4daa07594a949a7574f5693153bbcdb59739e1a92e847ab1128e2369fb30ba76a7b9cdfa9a37a409db691c1 |
C:\Users\Admin\AppData\Local\Temp\nsu45F3.tmp\app\js\windows\finish\finish-controller.js
| MD5 | 138240ea22084428e9e25583e9156568 |
| SHA1 | e8bef7eab5b6e7040b996ec9504436e073444bd9 |
| SHA256 | 4cb4e1aa25c15ae5f2e63fa4658a8acff0ce63e0f59cb6eb634df2dfe336e2ec |
| SHA512 | e97b81b0ecd964e6e909019353efe4f5582f65763ac4197d754f1c4eea19cfc249900ae597fd33e29f531bb0d1c7e0f010793c59a2b0099fa75ad0b7d01ce8a7 |
C:\Users\Admin\AppData\Local\Temp\nsu45F3.tmp\app\js\windows\finish\template.js
| MD5 | f092de7ea66d8e920b345f38537fa35d |
| SHA1 | 82d107a409f18878307ae0cefe24074db64937c4 |
| SHA256 | b05f111369e12ecb4cdc6526dd554061eb31097aa0de4bd126ddc185b69d922f |
| SHA512 | 14942c0122f216c07595cbaae498f9c4d37a2d0fd95f262c332502befdf4566c7a042c4d85702c1d82a111123dde677096195e9efeb1d74eb1dfd4df84d01a23 |
C:\Users\Admin\AppData\Local\Temp\nsu45F3.tmp\app\js\windows\progress\progress-1-controller.js
| MD5 | 82f0b997ed552c52a510a9f2ab29dc3a |
| SHA1 | 92aec3a656053c71eccdde610130f5d8008fa96f |
| SHA256 | 838bab990ce38372dfedb50eb0a270db705811729630ab8557c08bd1e9e8e105 |
| SHA512 | ecf67f877002d746eff8af3a50155aa381513ddafd17b6bff0188c85f0765579fea0112e82e1371f962b1f5decc94b65e6120f21fb516533dac35a2d541065bf |
C:\Users\Admin\AppData\Local\Temp\nsu45F3.tmp\app\js\windows\progress\template.js
| MD5 | 92b145e6649ba0add3dee9a69d3fa91e |
| SHA1 | 4db1a45392ec973cc8a7eecf3a30a9a7ecc7a64d |
| SHA256 | a7128a08bca53dd919cab3e5cb4dab31ded7ae2dafc957209b9fdd23f3b944ab |
| SHA512 | 747a087dffdba5c92d9f4c8923615d388b9c4c79d3b71d3cb90487aa37c132290a4f5107eef3055c03eadcb9614e20d4655393dc9251fab7e0ee2438f0d95751 |
C:\Users\Admin\AppData\Local\Temp\nsu45F3.tmp\app\js\windows\privacy\privacy-controller.js
| MD5 | 15bbec339f5046f525e3aa96d36c30ec |
| SHA1 | f73d40bf06584737fe327f1eec6f4b0446545226 |
| SHA256 | 14d9c60cd97f18e74fee2dd80b6a190eaccc526085991f356feb6b4d330a0fc3 |
| SHA512 | 2b0edfd2d5efb3f739e56eb6f3bcfae4789af3e1639f5f8e5f7530f5af10eb1a61464d665c9d9b2f4eb3796f2445108599d8bea75f1709aa562feebee519da4e |
C:\Users\Admin\AppData\Local\Temp\nsu45F3.tmp\app\js\windows\privacy\template.js
| MD5 | cf8d2c26520d7c84e560dfa79e31dcd3 |
| SHA1 | 716f2ec17480d5cc9c145bc147833fbfc39d36f0 |
| SHA256 | 95c459eae0edccdb94702aea603a097e461daa0e5f37dcd0e30de7df665433a8 |
| SHA512 | d466dcf7e86a4295857020feea281fc89f519f6bf1e79c3b5e1046d0745c9c9010377b1941e06c9a9b2c78a4173ed9909332d5d6c39b05f460e8a863086c895b |
C:\Users\Admin\AppData\Local\Temp\nsu45F3.tmp\app\js\windows\settings\settings-controller.js
| MD5 | 378c18dd7d5cee6ca7c4ddd0396b535b |
| SHA1 | d5f81d4fab29201fd1629dc4d8e6f918c0c30479 |
| SHA256 | b5c5dc5e0684fd97eb4c45896dc1c2de8a6a6fdc63b6aa83a99103c15787ef35 |
| SHA512 | c29416b3f0245f4826d857dc8c52c969071d2410c945bda96f38f59a9bc7137ee534d84865e5ac55a1e3cea6bb705c5d592725af709cd97e7f38ff05dbaafe5b |
C:\Users\Admin\AppData\Local\Temp\nsu45F3.tmp\app\js\windows\settings\template.js
| MD5 | 28513de0830383a516028e4a6e7585a0 |
| SHA1 | d31fc3a6f4a3ce6c4afb82ff2342a1ed718809e5 |
| SHA256 | 8014a7c919da249ba2f2196d9c9b62639d20851be426f3ffaef161cbe477c45f |
| SHA512 | 0f7321c2ae13145bb694368dae1b74e6fe20e6b09712da2178bc46e6aa65223ab84c38abbf0ed074c85b42dba1a238a5f3f8d1ae060a0af6df748c5befe11b61 |
C:\Users\Admin\AppData\Local\Temp\nsu45F3.tmp\app\js\windows\welcome\welcome-controller.js
| MD5 | 50f676754862a2ab47a582dd4d79ecf3 |
| SHA1 | 1cb2f4b11f9f8cfc8dc57ff29d0256dec4811158 |
| SHA256 | 6155691dbdd66290109afb91617f9cf68af6bd912991d5d27b922f5faa7f530b |
| SHA512 | ccfc89e08fd36f0a694fcda17efb84ca285b6c62afe2e3a794fdad19b6882a4b618645f4d9171673ba56fb4c55fce336d6b8d26dec3a5cc11293ae2b211f499f |
C:\Users\Admin\AppData\Local\Temp\nsu45F3.tmp\app\js\windows\welcome\template.js
| MD5 | 17f54fca6723b983875d940d931e0afb |
| SHA1 | 01774cd5cea36bd74c80a708d6f77567e8091024 |
| SHA256 | 42c546e9da748ef76fdab56b96fd511eb607617a9ba37b3dc420148b769d8acb |
| SHA512 | 401df9a54cd14c19227d91bd08b4775a7b437644b4ca0d1d636d3e07b04591f9c5516e80040ae6a79ba400457d15e3d80aa148a63de870a64664fc5a02f7a038 |
C:\Users\Admin\AppData\Local\Temp\nsu45F3.tmp\app\js\windows\cri\cri-controller.js
| MD5 | 4e4b4a9e2d86ae3c108105078db6d730 |
| SHA1 | 826946be793c999316af6c1db10523950b18ea2c |
| SHA256 | cee7fc5a36a01a439125be031923d7e7415ec56194255048098169a0108034b7 |
| SHA512 | 1420065cd000ce9b9c39d27b5dc5f4055f67146e06573a03184649851c9745f0c0af2b5e35b41b5923703dd74e32f9ed95fc59a43db25f854584e319950beffe |
C:\Users\Admin\AppData\Local\Temp\nsu45F3.tmp\app\js\windows\cri\template.js
| MD5 | 76c1ef0cb437db144c2bed53a5a8a5d7 |
| SHA1 | aaab8fff649f8e46d1e9510018118ee9abe01498 |
| SHA256 | 505d3c4de7d9cf8f0155b5b1a3c8792bc0ca2eda6781b441bd85455f144be22e |
| SHA512 | 822bf9feda91c89539d263c6c9053163e8dfa3c511195bc61a9b608b4687fb4048733323f03dd30a7ab661a4be4acf6c8d8ae7bb6723771122540a9551899c3e |
C:\Users\Admin\AppData\Local\Temp\nsu45F3.tmp\app\js\windows\modal\modal-controller.js
| MD5 | b04bdfd1c7d09bdbdb94a2455fdd677b |
| SHA1 | f000ba4866ff16d75bfd6cf446763498e19b12b1 |
| SHA256 | 4565ee81ffe222b31982088b1c18850076e3acf59198ebce08118e12cbd87ea1 |
| SHA512 | 3cb6ef0a16309046e7f407e7321eb12212b0eec09ec1a04b1d813f6c7a04546714865c3b398a93985041f598156ed905ebd23a64260801281b29ada9bc19ec5c |
C:\Users\Admin\AppData\Local\Temp\nsu45F3.tmp\app\js\utils\modal-events-delegate.js
| MD5 | 117e4fdbdb0ecf211c8bd909efd337d1 |
| SHA1 | 9f8684d856b7c95bdffb139217dfd89f41373187 |
| SHA256 | 267661f932a2ea78d8c7a98cc03d1b18d7cb8132deb84636772ecd1fcfbe4857 |
| SHA512 | f474ee20b59d3d0c11f9f6aee6b6e2b66f7025beaec9841f88455e60533dc96cb4e27910be0dae92b0028c5578932b7f459fdb91d594ad010f72a3b3af6addb1 |
C:\Users\Admin\AppData\Local\Temp\nsu45F3.tmp\app\js\models\notifications.js
| MD5 | 85afdf9897bb1236eff3afa40d15ece6 |
| SHA1 | 4362bdd139458eaf4a2dcb34294b43e2d53f4a26 |
| SHA256 | 9dd03dfc92bcb74f3725aae60e904c0a56cc84f299bbb8e863a869719f6fdd32 |
| SHA512 | 4ab86c6bafba18f53f01ca913ceaa80f14900107069a1d5f65b108d35690bd8b50b1a6cdf1563fc5775909f69208dabebd139f3cf3d8576269d560d57cf9994c |
C:\Users\Admin\AppData\Local\Temp\nsu45F3.tmp\app\js\utils\cookies.js
| MD5 | 6c60e675f8c8c68c0174b644d3a63a2a |
| SHA1 | 3635a3fe07ccc4a6f33a986ddb690522d0611abb |
| SHA256 | 9d3cb3822e20d6f5157faa02dc69bdaef44576c3fb5523e00aa152107ce30287 |
| SHA512 | 1dc9ec7b139bcf37107ecd673c01e4fcc606332ea1645a4a1b4e5d95f817d4c99d5964cd3d941a6a526689341d9623b17b4efc002cdf4c73404299d52b1be452 |
memory/220-222-0x000001BCEC110000-0x000001BCEC8B6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsu45F3.tmp\app\assets\fonts\lato\LatoLatin-Regular.eot
| MD5 | 6cfad5881181ae658a6efdd68889a690 |
| SHA1 | 5b54f6ccc20ed3a078fbdf94d7a68ac80002624d |
| SHA256 | c6c970b103b3c3aa83f7a45172619a4451ea5f015f9f3ef4fd08c9a4aa895cbc |
| SHA512 | ddd3d43540eb3d4eef48d0834136de1e7bf23a52f286d0a666cf57c7d685aadf1cea6d37c88f9d7ce5ad6143d7c3213f54b16a11f616b7dce154bba50997bbe7 |
memory/220-224-0x00007FF8597D0000-0x00007FF85A291000-memory.dmp
memory/4176-260-0x0000017E8C3A0000-0x0000017E8C3A1000-memory.dmp
memory/4176-259-0x0000017E8C3A0000-0x0000017E8C3A1000-memory.dmp
memory/4176-344-0x0000017E8C3A0000-0x0000017E8C3A1000-memory.dmp
memory/4176-343-0x0000017E8C3A0000-0x0000017E8C3A1000-memory.dmp
memory/4176-342-0x0000017E8C3A0000-0x0000017E8C3A1000-memory.dmp
memory/4176-341-0x0000017E8C3A0000-0x0000017E8C3A1000-memory.dmp
memory/4176-340-0x0000017E8C3A0000-0x0000017E8C3A1000-memory.dmp
memory/4176-339-0x0000017E8C3A0000-0x0000017E8C3A1000-memory.dmp
memory/4176-338-0x0000017E8C3A0000-0x0000017E8C3A1000-memory.dmp
memory/4176-258-0x0000017E8C3A0000-0x0000017E8C3A1000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-07 16:59
Reported
2024-06-07 17:04
Platform
win10v2004-20240426-en
Max time kernel
93s
Max time network
154s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app\js\libs\cmp.bundle.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-06-07 16:59
Reported
2024-06-07 17:03
Platform
win10v2004-20240508-en
Max time kernel
91s
Max time network
93s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app\js\windows\cri\template.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-06-07 16:59
Reported
2024-06-07 17:03
Platform
win10v2004-20240508-en
Max time kernel
92s
Max time network
100s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app\js\windows\finish-with-recommended-app\finish-with-recommended-app-controller.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.197.17.2.in-addr.arpa | udp |
| US | 52.111.229.43:443 | | tcp |
| US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-07 16:59
Reported
2024-06-07 17:04
Platform
win10v2004-20240508-en
Max time kernel
92s
Max time network
154s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app\js\app.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-06-07 16:59
Reported
2024-06-07 17:03
Platform
win10v2004-20240508-en
Max time kernel
92s
Max time network
99s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app\js\windows\finish-with-recommended-app\template.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 52.111.229.48:443 | | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp |
Files
Analysis: behavioral23
Detonation Overview
Submitted
2024-06-07 16:59
Reported
2024-06-07 17:03
Platform
win10v2004-20240426-en
Max time kernel
94s
Max time network
96s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app\js\windows\modal\modal-controller.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral27
Detonation Overview
Submitted
2024-06-07 16:59
Reported
2024-06-07 17:03
Platform
win10v2004-20240226-en
Max time kernel
143s
Max time network
152s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app\js\windows\progress\template.js
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 137.71.105.51.in-addr.arpa | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-07 16:59
Reported
2024-06-07 17:04
Platform
win10v2004-20240426-en
Max time kernel
93s
Max time network
154s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app\js\libs\jquery-1.10.2.min.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp |
Files
Analysis: behavioral32
Detonation Overview
Submitted
2024-06-07 16:59
Reported
2024-06-07 17:04
Platform
win10v2004-20240426-en
Max time kernel
108s
Max time network
169s
Command Line
Signatures
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\.json\ = "json_auto_file" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\鰀䆟縀䆁 | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\鰀䆟縀䆁\ = "json_auto_file" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\json_auto_file\shell\Read | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\json_auto_file | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\.json | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\json_auto_file\shell\Read\command | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\json_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\json_auto_file\shell | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app\manifest.json
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app\manifest.json"
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=09027FBA38AF410A96385F1293638C9E --mojo-platform-channel-handle=1760 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=14A4E755A02D602A0E3684C9F3DEDCDB --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=14A4E755A02D602A0E3684C9F3DEDCDB --renderer-client-id=2 --mojo-platform-channel-handle=1768 --allow-no-sandbox-job /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=9460CDEF8AE79688EDFE87A83EC13C38 --mojo-platform-channel-handle=2172 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=850800D3BFF38A3574395D1BF45846A8 --mojo-platform-channel-handle=1944 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A664A58F7EF8494A329BAE31EF240795 --mojo-platform-channel-handle=2368 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-06-07 16:59
Reported
2024-06-07 17:03
Platform
win10v2004-20240426-en
Max time kernel
94s
Max time network
96s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app\js\utils\strings-loader.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-06-07 16:59
Reported
2024-06-07 17:03
Platform
win10v2004-20240426-en
Max time kernel
92s
Max time network
95s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app\js\windows\privacy\privacy-controller.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-06-07 16:59
Reported
2024-06-07 17:03
Platform
win10v2004-20240426-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app\js\windows\progress\progress-1-controller.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 225.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 52.111.229.48:443 | | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral29
Detonation Overview
Submitted
2024-06-07 16:59
Reported
2024-06-07 17:03
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
156s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app\js\windows\settings\template.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.73.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-06-07 16:59
Reported
2024-06-07 17:03
Platform
win10v2004-20240426-en
Max time kernel
93s
Max time network
95s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app\js\windows\privacy\template.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-06-07 16:59
Reported
2024-06-07 17:02
Platform
win10v2004-20240508-en
Max time kernel
94s
Max time network
95s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app\js\utils\cookies.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-07 16:59
Reported
2024-06-07 17:04
Platform
win10v2004-20240508-en
Max time kernel
160s
Max time network
152s
Command Line
Signatures
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133622532853445106" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app\index.html
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdb251ab58,0x7ffdb251ab68,0x7ffdb251ab78
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1600 --field-trial-handle=1780,i,12616499797924143386,8464430354922617165,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1780,i,12616499797924143386,8464430354922617165,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2224 --field-trial-handle=1780,i,12616499797924143386,8464430354922617165,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3020 --field-trial-handle=1780,i,12616499797924143386,8464430354922617165,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3036 --field-trial-handle=1780,i,12616499797924143386,8464430354922617165,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3452,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=4444 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4408 --field-trial-handle=1780,i,12616499797924143386,8464430354922617165,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4376 --field-trial-handle=1780,i,12616499797924143386,8464430354922617165,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=212 --field-trial-handle=1780,i,12616499797924143386,8464430354922617165,131072 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | content.overwolf.com | udp |
| US | 8.8.8.8:53 | 42.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| RO | 54.192.235.124:443 | content.overwolf.com | tcp |
| RO | 54.192.235.124:443 | content.overwolf.com | tcp |
| RO | 54.192.235.124:443 | content.overwolf.com | tcp |
| US | 8.8.8.8:53 | 74.204.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 124.235.192.54.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | 99.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | beacons.gcp.gvt2.com | udp |
| US | 192.178.49.195:443 | beacons.gcp.gvt2.com | tcp |
| US | 8.8.8.8:53 | 195.49.178.192.in-addr.arpa | udp |
Files
\??\pipe\crashpad_1952_AFQFFDCOFDQVTLMR
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 9e95d03284d295ad73edeefa193a1ecb |
| SHA1 | b70d94b1ce605679f0da17e1189fa53aafc61f42 |
| SHA256 | b7e3affe7bd0f3cadc7ea32716ca94883908764d2f9275366138a48bc58841ea |
| SHA512 | edef664c3aba9d8818c83fc5ea062c13b33a0a4730027b926996144e96b3e930ddbc5164512c8b60af9a6a405738b276eeb3957678976a91ef959c43514fcfc6 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 353023914c1e69124fd7849a92fc732c |
| SHA1 | b3e0afc381f04614a6506c80676ac443070aed24 |
| SHA256 | 1a6fe666f82813b3da32652d611cbd44e61b21933b68817994f7fab57ae3fac7 |
| SHA512 | 896254d4ce705b05ca5e56144910b7f626243a831c17e0abbb5d0d300c4c7769254cc71243286c56fc902f3d7dc3a83b4d1d5459b96514d0db67afa5dd588023 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | fd801c4f25a57f5e807aa229eb128248 |
| SHA1 | b7403c55f64663b8f2f53bff32addc8af62164c1 |
| SHA256 | 4075f90d0f6cc3cd1b3a3e6761493100fb18f716d7986e280389f15fed311439 |
| SHA512 | 7274c05c12c18d289872b68289c7e8d1e60c31a7f3480b45da388c78a0d832a4e424c029ca4359d69697a3b42cf44ce6784ac706899360615db022d02a2bbbed |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | faeaedaf957534e7e714ca2b94a8d497 |
| SHA1 | 980cc17de60e90cd08e7dc605f921585f07d4911 |
| SHA256 | 5b29ef56fb071c821475942512731eb0775f503d01463b8c1885c3045aece4d1 |
| SHA512 | 23c7a56bb545bc6279321de3365badb572b8a5decd3f81d180b63a4bdabb1b2b2d8203aeb71ca449010fd4b6a7ad110abf67ce89eb48412ee83961023fb1a4b9 |
Analysis: behavioral19
Detonation Overview
Submitted
2024-06-07 16:59
Reported
2024-06-07 17:03
Platform
win10v2004-20240508-en
Max time kernel
93s
Max time network
94s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app\js\windows\finish\finish-controller.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp |
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-06-07 16:59
Reported
2024-06-07 17:03
Platform
win10v2004-20240508-en
Max time kernel
114s
Max time network
120s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app\js\windows\finish\template.js
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3740,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=1020 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |