Malware Analysis Report

2024-09-11 07:51

Sample ID 240613-zbbbeazblf
Target playfabspammerinstallbuild.zip
SHA256 800466ad1908aeb3152d7cf464195cb184791f6803d40367815cfc1f6630b75c
Tags
score
3/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
3/10

SHA256

800466ad1908aeb3152d7cf464195cb184791f6803d40367815cfc1f6630b75c

Threat Level: Likely benign

The file playfabspammerinstallbuild.zip was found to be: Likely benign.

Malicious Activity Summary


Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-13 20:32

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-13 20:32

Reported

2024-06-13 20:34

Platform

win7-20240419-en

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe dfshim.dll,ShOpenVerbApplication "C:\Users\Admin\AppData\Local\Temp\installer\Application Files\Playfab Remote Player Creator_1_0_0_0\Playfab Remote Player Creator.application"

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3028 wrote to memory of 1268 N/A C:\Windows\system32\rundll32.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
PID 3028 wrote to memory of 1268 N/A C:\Windows\system32\rundll32.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
PID 3028 wrote to memory of 1268 N/A C:\Windows\system32\rundll32.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe dfshim.dll,ShOpenVerbApplication "C:\Users\Admin\AppData\Local\Temp\installer\Application Files\Playfab Remote Player Creator_1_0_0_0\Playfab Remote Player Creator.application"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"

Network

N/A

Files

memory/1268-0-0x000007FEF5293000-0x000007FEF5294000-memory.dmp

memory/1268-1-0x0000000000E10000-0x0000000000E18000-memory.dmp

memory/1268-3-0x000007FEF5290000-0x000007FEF5C7C000-memory.dmp

memory/1268-5-0x000007FEF5293000-0x000007FEF5294000-memory.dmp

memory/1268-6-0x000007FEF5290000-0x000007FEF5C7C000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-13 20:32

Reported

2024-06-13 20:34

Platform

win10v2004-20240611-en

Max time kernel

91s

Max time network

151s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\installer\Application Files\Playfab Remote Player Creator_1_0_0_0\Playfab Remote Player Creator.exe.config.deploy"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\installer\Application Files\Playfab Remote Player Creator_1_0_0_0\Playfab Remote Player Creator.exe.config.deploy"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
SE 2.21.96.16:443 www.bing.com tcp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 16.96.21.2.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-13 20:32

Reported

2024-06-13 20:34

Platform

win7-20240508-en

Max time kernel

122s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\installer\Application Files\Playfab Remote Player Creator_1_0_0_0\Playfab Remote Player Creator.exe"

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\installer\Application Files\Playfab Remote Player Creator_1_0_0_0\Playfab Remote Player Creator.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2964 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\installer\Application Files\Playfab Remote Player Creator_1_0_0_0\Playfab Remote Player Creator.exe C:\Windows\SysWOW64\WerFault.exe
PID 2964 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\installer\Application Files\Playfab Remote Player Creator_1_0_0_0\Playfab Remote Player Creator.exe C:\Windows\SysWOW64\WerFault.exe
PID 2964 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\installer\Application Files\Playfab Remote Player Creator_1_0_0_0\Playfab Remote Player Creator.exe C:\Windows\SysWOW64\WerFault.exe
PID 2964 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\installer\Application Files\Playfab Remote Player Creator_1_0_0_0\Playfab Remote Player Creator.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\installer\Application Files\Playfab Remote Player Creator_1_0_0_0\Playfab Remote Player Creator.exe

"C:\Users\Admin\AppData\Local\Temp\installer\Application Files\Playfab Remote Player Creator_1_0_0_0\Playfab Remote Player Creator.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 548

Network

N/A

Files

memory/2964-0-0x0000000074C5E000-0x0000000074C5F000-memory.dmp

memory/2964-1-0x0000000000C50000-0x0000000000C58000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-13 20:32

Reported

2024-06-13 20:34

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

150s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\installer\Application Files\Playfab Remote Player Creator_1_0_0_0\Playfab Remote Player Creator.exe.manifest"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\installer\Application Files\Playfab Remote Player Creator_1_0_0_0\Playfab Remote Player Creator.exe.manifest"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
SE 2.21.96.16:443 www.bing.com tcp
US 8.8.8.8:53 98.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
SE 2.21.96.16:443 www.bing.com tcp
US 8.8.8.8:53 16.96.21.2.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 35.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 52.111.227.14:443 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 8.179.89.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-06-13 20:32

Reported

2024-06-13 20:34

Platform

win7-20240508-en

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe dfshim.dll,ShOpenVerbApplication "C:\Users\Admin\AppData\Local\Temp\installer\Playfab Remote Player Creator.application"

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2936 wrote to memory of 1948 N/A C:\Windows\system32\rundll32.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
PID 2936 wrote to memory of 1948 N/A C:\Windows\system32\rundll32.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
PID 2936 wrote to memory of 1948 N/A C:\Windows\system32\rundll32.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe dfshim.dll,ShOpenVerbApplication "C:\Users\Admin\AppData\Local\Temp\installer\Playfab Remote Player Creator.application"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"

Network

N/A

Files

memory/1948-0-0x000007FEF59B3000-0x000007FEF59B4000-memory.dmp

memory/1948-1-0x0000000000B00000-0x0000000000B08000-memory.dmp

memory/1948-3-0x000007FEF59B0000-0x000007FEF639C000-memory.dmp

memory/1948-5-0x000007FEF59B3000-0x000007FEF59B4000-memory.dmp

memory/1948-6-0x000007FEF59B0000-0x000007FEF639C000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 20:32

Reported

2024-06-13 20:34

Platform

win7-20240221-en

Max time kernel

117s

Max time network

118s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\playfabspammerinstallbuild.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\playfabspammerinstallbuild.zip

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-13 20:32

Reported

2024-06-13 20:34

Platform

win7-20240611-en

Max time kernel

119s

Max time network

120s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\installer\Application Files\Playfab Remote Player Creator_1_0_0_0\Microsoft.Playfab.Gaming.GSDK.CSharp.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\installer\Application Files\Playfab Remote Player Creator_1_0_0_0\Microsoft.Playfab.Gaming.GSDK.CSharp.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-06-13 20:32

Reported

2024-06-13 20:34

Platform

win10v2004-20240611-en

Max time kernel

91s

Max time network

100s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\dfshim.dll",ShOpenVerbApplication "C:\Users\Admin\AppData\Local\Temp\installer\Playfab Remote Player Creator.application"

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1996 wrote to memory of 4176 N/A C:\Windows\System32\rundll32.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
PID 1996 wrote to memory of 4176 N/A C:\Windows\System32\rundll32.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\dfshim.dll",ShOpenVerbApplication "C:\Users\Admin\AppData\Local\Temp\installer\Playfab Remote Player Creator.application"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
SE 2.21.96.16:443 www.bing.com tcp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 98.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 16.96.21.2.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

memory/4176-0-0x00007FFD407B3000-0x00007FFD407B5000-memory.dmp

memory/4176-1-0x000002A161390000-0x000002A161398000-memory.dmp

memory/4176-2-0x000002A17BA10000-0x000002A17BB96000-memory.dmp

memory/4176-4-0x00007FFD407B0000-0x00007FFD41271000-memory.dmp

memory/4176-5-0x00007FFD407B0000-0x00007FFD41271000-memory.dmp

memory/4176-7-0x00007FFD407B0000-0x00007FFD41271000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-13 20:32

Reported

2024-06-13 20:34

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

149s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\dfshim.dll",ShOpenVerbApplication "C:\Users\Admin\AppData\Local\Temp\installer\Application Files\Playfab Remote Player Creator_1_0_0_0\Playfab Remote Player Creator.application"

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3348 wrote to memory of 4676 N/A C:\Windows\System32\rundll32.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
PID 3348 wrote to memory of 4676 N/A C:\Windows\System32\rundll32.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\dfshim.dll",ShOpenVerbApplication "C:\Users\Admin\AppData\Local\Temp\installer\Application Files\Playfab Remote Player Creator_1_0_0_0\Playfab Remote Player Creator.application"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"

Network

Files

memory/4676-1-0x00007FFE30513000-0x00007FFE30515000-memory.dmp

memory/4676-0-0x0000026D232D0000-0x0000026D232D8000-memory.dmp

memory/4676-2-0x0000026D3D8C0000-0x0000026D3DA46000-memory.dmp

memory/4676-4-0x00007FFE30510000-0x00007FFE30FD1000-memory.dmp

memory/4676-5-0x00007FFE30510000-0x00007FFE30FD1000-memory.dmp

memory/4676-7-0x0000026D3DC40000-0x0000026D3DDE9000-memory.dmp

memory/4676-8-0x00007FFE30513000-0x00007FFE30515000-memory.dmp

memory/4676-10-0x00007FFE30510000-0x00007FFE30FD1000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-13 20:32

Reported

2024-06-13 20:34

Platform

win10v2004-20240611-en

Max time kernel

94s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\installer\Application Files\Playfab Remote Player Creator_1_0_0_0\Playfab Remote Player Creator.exe"

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\installer\Application Files\Playfab Remote Player Creator_1_0_0_0\Playfab Remote Player Creator.exe

Processes

C:\Users\Admin\AppData\Local\Temp\installer\Application Files\Playfab Remote Player Creator_1_0_0_0\Playfab Remote Player Creator.exe

"C:\Users\Admin\AppData\Local\Temp\installer\Application Files\Playfab Remote Player Creator_1_0_0_0\Playfab Remote Player Creator.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3852 -ip 3852

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3852 -s 880

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
SE 2.21.96.16:443 www.bing.com tcp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 16.96.21.2.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 57.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

memory/3852-0-0x000000007500E000-0x000000007500F000-memory.dmp

memory/3852-1-0x0000000000540000-0x0000000000548000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-13 20:32

Reported

2024-06-13 20:34

Platform

win10v2004-20240611-en

Max time kernel

93s

Max time network

97s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\installer\Application Files\Playfab Remote Player Creator_1_0_0_0\Microsoft.Playfab.Gaming.GSDK.CSharp.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\installer\Application Files\Playfab Remote Player Creator_1_0_0_0\Microsoft.Playfab.Gaming.GSDK.CSharp.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
SE 2.21.96.51:443 www.bing.com tcp
US 8.8.8.8:53 98.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 51.96.21.2.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-13 20:32

Reported

2024-06-13 20:34

Platform

win7-20240220-en

Max time kernel

122s

Max time network

123s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\installer\Application Files\Playfab Remote Player Creator_1_0_0_0\PlayFabAllSDK.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\installer\Application Files\Playfab Remote Player Creator_1_0_0_0\PlayFabAllSDK.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-13 20:32

Reported

2024-06-13 20:34

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

51s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\installer\Application Files\Playfab Remote Player Creator_1_0_0_0\PlayFabAllSDK.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\installer\Application Files\Playfab Remote Player Creator_1_0_0_0\PlayFabAllSDK.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-13 20:32

Reported

2024-06-13 20:34

Platform

win7-20240221-en

Max time kernel

119s

Max time network

120s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\installer\Application Files\Playfab Remote Player Creator_1_0_0_0\Playfab Remote Player Creator.exe.config.deploy"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\deploy_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\deploy_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.deploy C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\deploy_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\deploy_auto_file\ C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.deploy\ = "deploy_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\deploy_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\deploy_auto_file C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2868 wrote to memory of 2652 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2868 wrote to memory of 2652 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2868 wrote to memory of 2652 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2652 wrote to memory of 2748 N/A C:\Windows\system32\rundll32.exe C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
PID 2652 wrote to memory of 2748 N/A C:\Windows\system32\rundll32.exe C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
PID 2652 wrote to memory of 2748 N/A C:\Windows\system32\rundll32.exe C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
PID 2652 wrote to memory of 2748 N/A C:\Windows\system32\rundll32.exe C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\installer\Application Files\Playfab Remote Player Creator_1_0_0_0\Playfab Remote Player Creator.exe.config.deploy"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\installer\Application Files\Playfab Remote Player Creator_1_0_0_0\Playfab Remote Player Creator.exe.config.deploy

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\installer\Application Files\Playfab Remote Player Creator_1_0_0_0\Playfab Remote Player Creator.exe.config.deploy"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 83614a041e0e816a70cb4b50aa75618c
SHA1 f40d662e9df6e6ff1a0eb7ffef5ccb6b7bbb5c9e
SHA256 1dedbfe85fcb3df8d05dd6687e8a74ca3ba051f71c5d19cad35f092f95099875
SHA512 d8584e5638f1a87f3b9b41554facb020f245e5bb420d79cca086316fa596272482d035f63669bb25b51a5f722c689119b0353ee38e47a7e6bcb9b8aaff2e4420

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-13 20:32

Reported

2024-06-13 20:34

Platform

win7-20240221-en

Max time kernel

121s

Max time network

122s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\installer\Application Files\Playfab Remote Player Creator_1_0_0_0\Playfab Remote Player Creator.exe.manifest"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\manifest_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\manifest_auto_file C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\manifest_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.manifest C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.manifest\ = "manifest_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\manifest_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\manifest_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\manifest_auto_file\ C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 912 wrote to memory of 2884 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 912 wrote to memory of 2884 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 912 wrote to memory of 2884 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2884 wrote to memory of 2584 N/A C:\Windows\system32\rundll32.exe C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
PID 2884 wrote to memory of 2584 N/A C:\Windows\system32\rundll32.exe C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
PID 2884 wrote to memory of 2584 N/A C:\Windows\system32\rundll32.exe C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
PID 2884 wrote to memory of 2584 N/A C:\Windows\system32\rundll32.exe C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\installer\Application Files\Playfab Remote Player Creator_1_0_0_0\Playfab Remote Player Creator.exe.manifest"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\installer\Application Files\Playfab Remote Player Creator_1_0_0_0\Playfab Remote Player Creator.exe.manifest

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\installer\Application Files\Playfab Remote Player Creator_1_0_0_0\Playfab Remote Player Creator.exe.manifest"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 23d17a6325afec7a8c68e652d06ff225
SHA1 c4688bc017450e46036506d835804d664047ec6d
SHA256 a7c88d642160e93357bad795bd40643d06c1d48f89cca0d118389e5f7e76d8e4
SHA512 f0ce0db785562ba5e33039d0c7fa9de61efcba76d17c0ec501ffa99e71e3fa3ec52249ff112abf94783bfbfb350a29b17e2b80575f0faececfc57d6a2bc74ca5

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-13 20:32

Reported

2024-06-13 20:34

Platform

win7-20240611-en

Max time kernel

117s

Max time network

122s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\installer\Application Files\Playfab Remote Player Creator_1_0_0_0\Polly.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\installer\Application Files\Playfab Remote Player Creator_1_0_0_0\Polly.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-06-13 20:32

Reported

2024-06-13 20:35

Platform

win10v2004-20240226-en

Max time kernel

142s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\installer\setup.exe"

Signatures

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Families C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Software\Microsoft\Windows C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Categories C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Visibility C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Software C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Software\Microsoft C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Software\Microsoft\Windows\CurrentVersion C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\ComponentStore_RandomString = "8RMMMP16ZWZ3X9Z6Y0LX4K9H" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\ComponentStore_RandomString = "0D5GL3O6B92EYYJO65C7LNPJ" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Installations C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Applications C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Assemblies C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\VisibilityRoots C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\StateStore_RandomString = "ZDNP4C5P9NJ0ZETY3M89DQY6" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 792 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\installer\setup.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
PID 792 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\installer\setup.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\installer\setup.exe

"C:\Users\Admin\AppData\Local\Temp\installer\setup.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4088 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 13.107.253.67:443 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 215.143.182.52.in-addr.arpa udp

Files

memory/5016-0-0x00007FFFD6D23000-0x00007FFFD6D25000-memory.dmp

memory/5016-1-0x000001A6B2DA0000-0x000001A6B2DA8000-memory.dmp

memory/5016-2-0x000001A6CD3F0000-0x000001A6CD576000-memory.dmp

memory/5016-4-0x00007FFFD6D20000-0x00007FFFD77E1000-memory.dmp

memory/5016-7-0x000001A6CD360000-0x000001A6CD3B0000-memory.dmp

memory/5016-12-0x00007FFFD6D20000-0x00007FFFD77E1000-memory.dmp

memory/5016-17-0x00007FFFD6D20000-0x00007FFFD77E1000-memory.dmp

memory/5016-18-0x00007FFFD6D23000-0x00007FFFD6D25000-memory.dmp

memory/5016-19-0x00007FFFD6D20000-0x00007FFFD77E1000-memory.dmp

memory/5016-20-0x00007FFFD6D20000-0x00007FFFD77E1000-memory.dmp

memory/5016-21-0x00007FFFD6D20000-0x00007FFFD77E1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 20:32

Reported

2024-06-13 20:34

Platform

win10v2004-20240611-en

Max time kernel

92s

Max time network

148s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\playfabspammerinstallbuild.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\playfabspammerinstallbuild.zip

Network

Country Destination Domain Proto
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-13 20:32

Reported

2024-06-13 20:34

Platform

win7-20240508-en

Max time kernel

119s

Max time network

119s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\installer\Application Files\Playfab Remote Player Creator_1_0_0_0\Newtonsoft.Json.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\installer\Application Files\Playfab Remote Player Creator_1_0_0_0\Newtonsoft.Json.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-13 20:32

Reported

2024-06-13 20:34

Platform

win10v2004-20240508-en

Max time kernel

143s

Max time network

148s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\installer\Application Files\Playfab Remote Player Creator_1_0_0_0\Newtonsoft.Json.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\installer\Application Files\Playfab Remote Player Creator_1_0_0_0\Newtonsoft.Json.dll",#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4244,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=4100 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-13 20:32

Reported

2024-06-13 20:34

Platform

win10v2004-20240611-en

Max time kernel

125s

Max time network

127s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\installer\Application Files\Playfab Remote Player Creator_1_0_0_0\Polly.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\installer\Application Files\Playfab Remote Player Creator_1_0_0_0\Polly.dll",#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3064,i,3595107284059830391,18018199024659337217,262144 --variations-seed-version --mojo-platform-channel-handle=4160 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
SE 2.21.96.51:443 www.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 98.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 51.96.21.2.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-06-13 20:32

Reported

2024-06-13 20:34

Platform

win7-20240419-en

Max time kernel

122s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\installer\setup.exe"

Signatures

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\installer\setup.exe

"C:\Users\Admin\AppData\Local\Temp\installer\setup.exe"

Network

Files

N/A