Malware Analysis Report

2025-01-22 08:57

Sample ID: 241027-qhta5avrdm
Target: MeetenSetup.exe
SHA256: cc62fd2d6076c75219c092012f06415f6addbeb5cedab02f4f7eea1d60e34aa0
Tags: execution discovery defense_evasion persistence privilege_escalation spyware stealer
Score: 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK: Enterprise Matrix V15

Analysis: static1 (Detonation Overview, Signatures)

Analysis: behavioral16, behavioral21, behavioral22, behavioral15, behavioral17, behavioral20, behavioral24, behavioral26, behavioral29, behavioral31, behavioral12, behavioral19, behavioral23, behavioral11, behavioral2, behavioral6, behavioral9, behavioral3, behavioral18, behavioral27, behavioral7, behavioral28, behavioral25, behavioral4, behavioral10, behavioral14, behavioral8, behavioral13, behavioral30, behavioral32, behavioral1, behavioral5 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 8/10

SHA256

cc62fd2d6076c75219c092012f06415f6addbeb5cedab02f4f7eea1d60e34aa0

Threat Level: Likely malicious

The file MeetenSetup.exe was found to be: Likely malicious.

Malicious Activity Summary

execution discovery defense_evasion persistence privilege_escalation spyware stealer

Command and Scripting Interpreter: PowerShell

Reads user/profile data of web browsers

Executes dropped EXE

Checks computer location settings

Drops startup file

Looks up external IP address via web service

Enumerates connected drives

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Drops file in System32 directory

Hide Artifacts: Ignore Process Interrupts

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Program crash

Browser Information Discovery

Access Token Manipulation: Create Process with Token

Command and Scripting Interpreter: JavaScript

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Checks processor information in registry

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-27 13:17

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A (19 identical rows)

Analysis: behavioral16

Detonation Overview

Submitted

2024-10-27 13:16

Reported

2024-10-27 13:21

Platform

win7-20240903-en

Max time kernel

119s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-10-27 13:16

Reported

2024-10-27 13:20

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-10-27 13:16

Reported

2024-10-27 13:21

Platform

win7-20241010-en

Max time kernel

7s

Max time network

21s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\node-api-dotnet\index.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\node-api-dotnet\index.js

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-10-27 13:16

Reported

2024-10-27 13:21

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3dcompiler_47.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3dcompiler_47.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 103.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-10-27 13:16

Reported

2024-10-27 13:20

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 104.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 69.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 85.65.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-10-27 13:16

Reported

2024-10-27 13:20

Platform

win7-20240903-en

Max time kernel

119s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2360 wrote to memory of 2940 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe (3 identical rows)

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2360 -s 88

Network

N/A

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-10-27 13:16

Reported

2024-10-27 13:20

Platform

win7-20240903-en

Max time kernel

119s

Max time network

129s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\node-api-dotnet\init.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\node-api-dotnet\init.js

Network

N/A

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-10-27 13:16

Reported

2024-10-27 13:21

Platform

ubuntu2404-amd64-20240523-en

Max time kernel

0s

Max time network

132s

Command Line

[/tmp/resources/app.asar.unpacked/node_modules/node-api-dotnet/linux-x64/Microsoft.JavaScript.NodeApi.node]

Signatures

N/A

Processes

/tmp/resources/app.asar.unpacked/node_modules/node-api-dotnet/linux-x64/Microsoft.JavaScript.NodeApi.node

[/tmp/resources/app.asar.unpacked/node_modules/node-api-dotnet/linux-x64/Microsoft.JavaScript.NodeApi.node]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 N/A udp

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-10-27 13:16

Reported

2024-10-27 13:21

Platform

win7-20241023-en

Max time kernel

117s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\node-api-dotnet\net472\Microsoft.JavaScript.NodeApi.DotNetHost.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\node-api-dotnet\net472\Microsoft.JavaScript.NodeApi.DotNetHost.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-10-27 13:16

Reported

2024-10-27 13:21

Platform

win7-20240903-en

Max time kernel

122s

Max time network

131s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\node-api-dotnet\net472\Microsoft.JavaScript.NodeApi.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\node-api-dotnet\net472\Microsoft.JavaScript.NodeApi.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-10-27 13:16

Reported

2024-10-27 13:20

Platform

win10v2004-20241007-en

Max time kernel

146s

Max time network

159s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html

Signatures

Browser Information Discovery

discovery

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (25 identical rows)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (24 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 768 wrote to memory of 4704 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (2 identical rows)
PID 768 wrote to memory of 2112 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (40 identical rows)
PID 768 wrote to memory of 3636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (2 identical rows)
PID 768 wrote to memory of 3536 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (20 identical rows)

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffeeb7d46f8,0x7ffeeb7d4708,0x7ffeeb7d4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2012,13026099909917636913,3702455440165106247,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2020 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2012,13026099909917636913,3702455440165106247,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2432 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2012,13026099909917636913,3702455440165106247,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,13026099909917636913,3702455440165106247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,13026099909917636913,3702455440165106247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2012,13026099909917636913,3702455440165106247,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5244 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2012,13026099909917636913,3702455440165106247,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5244 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,13026099909917636913,3702455440165106247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,13026099909917636913,3702455440165106247,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,13026099909917636913,3702455440165106247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,13026099909917636913,3702455440165106247,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2012,13026099909917636913,3702455440165106247,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5460 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 88.65.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 61cef8e38cd95bf003f5fdd1dc37dae1
SHA1 11f2f79ecb349344c143eea9a0fed41891a3467f
SHA256 ae671613623b4477fbd5daf1fd2d148ae2a09ddcc3804b2b6d4ffcb60b317e3e
SHA512 6fb9b333fe0e8fde19fdd0bd01a1990a4e60a87c0a02bc8297da1206e42f8690d06b030308e58c862e9e77714a585eed7cc1627590d99a10aeb77fc0dd3d864d

\??\pipe\LOCAL\crashpad_768_NPPSWFNZQWMOFYQT

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 0a9dc42e4013fc47438e96d24beb8eff
SHA1 806ab26d7eae031a58484188a7eb1adab06457fc
SHA256 58d66151799526b3fa372552cd99b385415d9e9a119302b99aadc34dd51dd151
SHA512 868d6b421ae2501a519595d0c34ddef25b2a98b082c5203da8349035f1f6764ddf183197f1054e7e86a752c71eccbc0649e515b63c55bc18cf5f0592397e258f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 117bd0ab43666ec625a5b9649cadff3f
SHA1 8d04f8ccf82f6756d60630ca0b1ee2e827f89d0f
SHA256 6077dc2e0ffee0001ff8f8f2693b5ba83b826b4de64924ffab3616b7177fc5d0
SHA512 fdde136bead349ac08b26745c8768b26622aa438a117b907ed97a6081b6aea5b652b7ca56f992aa444953d5ee506c6ad3eb0a06b85b33e0fae4d853854b6a2f9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 c26fe6a6eac4977e54fe1698bc55d9d2
SHA1 b359d344a97f4131bca069044f4d41f205cff82e
SHA256 09622881af442080464fd4005bc65f09b4718957c45600df7e9b7df293646644
SHA512 3f30fa0cab545e9f2aa6c4f7b8f60b8949ab2120e6e1d1eede4e72d3edff0c2c02544184f616cbad318d47fb6d4945971f109d16e2c4a4cac161e36ca0f2735d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 c3703a9b37d0f0bddc20da456b8ca3ff
SHA1 673d99a7e5a20215339e60c2606f4099f9e11230
SHA256 90bd9b43fd38eafc451083d2798515dc9d67c8d2bc8d7d2eac514cd0a98b325d
SHA512 469836fccd4b79c49c5341de9def03ff07812b5c07ae0a2186473d7571f4ab05ecdfb31d157054faf773b70bac10d148093f904129e6352e6f8c3b5ebbfc206f

Analysis: behavioral19

Detonation Overview

Submitted

2024-10-27 13:16

Reported

2024-10-27 13:20

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 102.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 73.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 100.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 85.65.42.20.in-addr.arpa udp
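
Nothing in the behavioral19 Network table above was chosen by libEGL.dll: every row is a reverse (PTR) lookup of a Microsoft address sent to the sandbox's 8.8.8.8 resolver, a Bing background fetch by the Windows 10 image, or (in other detonations on this page) the guest's own mDNS to 224.0.0.251. The Python below is an added example for reading these tables, not part of the report or of the sandbox's tooling: it parses the plain-text "Country Destination Domain Proto" layout, labels each row, recovers the peer addresses encoded in the PTR names, and leaves only destinations worth following up. The BACKGROUND_SUFFIXES list is an assumption made for this example rather than a vendor allowlist, and the last sample row (203.0.113.7, update.example.invalid) is constructed so that the filter has something to keep.

```python
"""Separate sandbox background traffic from destinations worth chasing.

Added example for this report, not the sandbox's own code. Rows are parsed
from the plain-text "Country Destination Domain Proto" layout used above.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumption for this example: hosts the Windows 10 sandbox image contacts on
# its own (Bing new-tab/search, connectivity checks). Not a vendor allowlist.
BACKGROUND_SUFFIXES = (".bing.com", ".bing.net", ".msftncsi.com", ".microsoft.com")

# First rows copied from the behavioral19 table above; the last row is
# constructed (TEST-NET-3 address, .invalid TLD) so the filter has a hit.
SAMPLE_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
N/A 203.0.113.7:443 update.example.invalid tcp
"""


@dataclass(frozen=True)
class Row:
    country: str
    dest_ip: str
    dest_port: int
    domain: Optional[str]  # None for rows with no name, e.g. mDNS
    proto: str


def parse_table(text: str) -> List[Row]:
    """Parse the report's four-column layout; mDNS rows have only three fields."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] == "Country":
            continue  # blank line or header
        country, dest, proto = parts[0], parts[1], parts[-1]
        domain = parts[2] if len(parts) == 4 else None
        ip, port = dest.rsplit(":", 1)
        rows.append(Row(country, ip, int(port), domain, proto))
    return rows


def ptr_to_ip(name: str) -> Optional[str]:
    """'104.219.191.52.in-addr.arpa' -> '52.191.219.104' (PTR labels are reversed)."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    return ".".join(reversed(name[: -len(suffix)].split(".")))


def classify(row: Row) -> str:
    """'multicast' | 'ptr' | 'background' | 'candidate'."""
    if ipaddress.ip_address(row.dest_ip).is_multicast:
        return "multicast"  # 224.0.0.251:5353 is the guest's own mDNS
    if row.domain and row.domain.endswith(".in-addr.arpa"):
        return "ptr"  # reverse lookup of a peer, not a new connection
    if row.domain and row.domain.lower().endswith(BACKGROUND_SUFFIXES):
        return "background"
    return "candidate"


def candidates(rows: List[Row]) -> List[Row]:
    """Rows left after background traffic is removed: what an analyst follows up."""
    return [r for r in rows if classify(r) == "candidate"]


def reverse_looked_up(rows: List[Row]) -> List[str]:
    """Peer addresses the guest reverse-resolved, recovered from the PTR names."""
    return sorted({ptr_to_ip(r.domain) for r in rows if classify(r) == "ptr"})


if __name__ == "__main__":
    rows = parse_table(SAMPLE_TABLE)
    for r in rows:
        print(f"{classify(r):10s} {r.dest_ip}:{r.dest_port} {r.domain or '-'}")
    print("follow up:", [r.domain for r in candidates(rows)])
```

An empty candidates() result for a detonation means its Network section adds nothing beyond the sandbox baseline, which is the case for every rundll32 and wscript detonation on this page; a non-empty one gives the few rows to pivot on. The PTR recovery turns a name such as 104.219.191.52.in-addr.arpa back into 52.191.219.104, the address the guest was actually asking about, which is the form to check against threat intelligence.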

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-10-27 13:16

Reported

2024-10-27 13:20

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

157s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\node-api-dotnet\index.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\node-api-dotnet\index.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 103.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-10-27 13:16

Reported

2024-10-27 13:20

Platform

win7-20241010-en

Max time kernel

119s

Max time network

141s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e78a69453f00554b9c7935775bae7b96000000000200000000001066000000010000200000002498de1bb4cc31743e264a2593fd62d98b45aff6d50bb02cfe18bca15bfac5d4000000000e8000000002000020000000db20a2fc16bf675e3d21c24fc1360ed7347bbbf22af78f588b472beaa9cec51a9000000000a07ed4441b584e29699911edb1d45a4ee37c145b318e83302ffd7afe18245834ee73ebc19210aeae5d46b6518be63e43798731e33864e6f5a8d5efbdf5f9806d4036f7265f81f18b6cd39a8f1eedfd5782edac8f85e8c7d7478164326b03db8e15095d71156955000f1731343b8a27807bf595740dd65414a8bef405805ac1041133615d0b47fd16c86284409af3cc4000000041c92772120502b5cbfc9f578a1097ee0accc3f08f80da94612e26d34a668d649e6b631e7aa1c442d96376404df3b2e13305a1527526321b9c240e7c3b4e9565 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{ED9D9D01-9465-11EF-ACA8-72B5DC1A84E6} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "436196970" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e78a69453f00554b9c7935775bae7b96000000000200000000001066000000010000200000009dd6bbc3164fd9aa0a8082cfa73e0cbd3649810fc264b31b23773d52fbf94a0c000000000e800000000200002000000043a6ec5cfb5158d1a01076dfb984064cc1fdd27b03f007da05e4699e4a587bc920000000476f62bdc91cd6ceaa18315d97521d57dc1f55bd795d8aef9a9048f56f853cd940000000a1b7b05b995bab74dae37a6f94bb1a8448f9d940b8ae2a4e938372c82c681081afa587e05b19c175cfe12c957b584b302369d0e681218ff577c13e71783fa6ab C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0778cc27228db01 C:\Program Files\Internet Explorer\iexplore.exe N/A
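
Two of the values iexplore.exe writes above, TabbedBrowsing\NewTabPage\MFV and DecayDateQueue, begin with 01000000 d08c9ddf0115d1118c7a00c04fc297eb: a version-1 DPAPI blob (CryptProtectData output) carrying the fixed provider GUID df9d8cd0-1501-11d1-8c7a-00c04fc297eb. That is how Internet Explorer stores its own new-tab-page state, protected under the user's DPAPI master key; the signature fires on the key path and the writing process, not on what the data contains. The following Python is an added example, not from the report or the sandbox: it parses the MFV value copied from the table above and reports the fields an analyst cares about, namely the master-key GUID (the file under %APPDATA%\Microsoft\Protect\<SID>\ that, with the user's credentials, would be needed to decrypt the value offline), the cipher and hash algorithms, and the sizes of ciphertext and signature. The CALG_NAMES table is the subset of Windows ALG_ID constants the parser names.

```python
"""Parse a DPAPI (CryptProtectData) blob header without decrypting it.

Added example, not part of the report. MFV_HEX is the MFV registry value
copied from the 'Modifies Internet Explorer settings' table above.
"""
import struct
import uuid
from dataclasses import dataclass
from typing import Tuple

DPAPI_PROVIDER_GUID = "df9d8cd0-1501-11d1-8c7a-00c04fc297eb"

# Windows ALG_ID values from wincrypt.h; the subset this parser names.
CALG_NAMES = {
    0x6603: "CALG_3DES", 0x660E: "CALG_AES_128", 0x660F: "CALG_AES_192",
    0x6610: "CALG_AES_256", 0x8004: "CALG_SHA1", 0x800C: "CALG_SHA_256",
    0x800D: "CALG_SHA_384", 0x800E: "CALG_SHA_512",
}

MFV_HEX = (
    "01000000" "d08c9ddf0115d1118c7a00c04fc297eb"       # version 1, provider GUID
    "01000000" "e78a69453f00554b9c7935775bae7b96"       # mk version, master key GUID
    "00000000" "02000000" "0000"                        # flags, empty description
    "10660000" "00010000"                               # crypt alg, key bits
    "20000000" "2498de1bb4cc31743e264a2593fd62d98b45aff6d50bb02cfe18bca15bfac5d4"
    "00000000" "0e800000" "00020000"                    # no hmac key; hash alg, bits
    "20000000" "db20a2fc16bf675e3d21c24fc1360ed7347bbbf22af78f588b472beaa9cec51a"
    "90000000"
    "00a07ed4441b584e29699911edb1d45a4ee37c145b318e83302ffd7afe18245834ee73eb"
    "c19210aeae5d46b6518be63e43798731e33864e6f5a8d5efbdf5f9806d4036f7265f81f1"
    "8b6cd39a8f1eedfd5782edac8f85e8c7d7478164326b03db8e15095d71156955000f1731"
    "343b8a27807bf595740dd65414a8bef405805ac1041133615d0b47fd16c86284409af3cc"
    "40000000"
    "41c92772120502b5cbfc9f578a1097ee0accc3f08f80da94612e26d34a668d649e6b631e"
    "7aa1c442d96376404df3b2e13305a1527526321b9c240e7c3b4e9565"
)


@dataclass(frozen=True)
class DpapiBlob:
    provider_guid: str
    master_key_guid: str   # the master key file needed to decrypt
    description: str
    crypt_alg: str
    crypt_bits: int
    hash_alg: str
    hash_bits: int
    salt: bytes
    hmac2_key: bytes
    data: bytes            # ciphertext
    sign: bytes            # HMAC over the blob


class NotADpapiBlob(ValueError):
    pass


def _u32(buf: bytes, off: int) -> Tuple[int, int]:
    return struct.unpack_from("<I", buf, off)[0], off + 4


def _counted(buf: bytes, off: int) -> Tuple[bytes, int]:
    """DWORD length followed by that many bytes."""
    n, off = _u32(buf, off)
    if off + n > len(buf):
        raise NotADpapiBlob("length field runs past the end of the data")
    return buf[off:off + n], off + n


def is_dpapi_blob(buf: bytes) -> bool:
    """Version 1 plus the fixed provider GUID at offset 4."""
    return (len(buf) >= 20 and struct.unpack_from("<I", buf, 0)[0] == 1
            and str(uuid.UUID(bytes_le=buf[4:20])) == DPAPI_PROVIDER_GUID)


def parse_dpapi_blob(buf: bytes) -> DpapiBlob:
    if not is_dpapi_blob(buf):
        raise NotADpapiBlob("no version-1 header with the DPAPI provider GUID")
    off = 20                                   # past version + provider GUID
    _mk_version, off = _u32(buf, off)
    master_key = str(uuid.UUID(bytes_le=buf[off:off + 16])); off += 16
    _flags, off = _u32(buf, off)
    desc, off = _counted(buf, off)
    crypt_alg, off = _u32(buf, off)
    crypt_bits, off = _u32(buf, off)
    salt, off = _counted(buf, off)
    _hmac_key, off = _counted(buf, off)        # usually empty in current blobs
    hash_alg, off = _u32(buf, off)
    hash_bits, off = _u32(buf, off)
    hmac2_key, off = _counted(buf, off)
    data, off = _counted(buf, off)
    sign, off = _counted(buf, off)
    if off != len(buf):
        raise NotADpapiBlob(f"{len(buf) - off} trailing bytes after signature")
    return DpapiBlob(DPAPI_PROVIDER_GUID, master_key,
                     desc.decode("utf-16-le").rstrip("\x00"),
                     CALG_NAMES.get(crypt_alg, hex(crypt_alg)), crypt_bits,
                     CALG_NAMES.get(hash_alg, hex(hash_alg)), hash_bits,
                     salt, hmac2_key, data, sign)


if __name__ == "__main__":
    b = parse_dpapi_blob(bytes.fromhex(MFV_HEX))
    print(f"master key {b.master_key_guid}, {b.crypt_alg}/{b.hash_alg}, "
          f"{len(b.data)} bytes ciphertext, {len(b.sign)} byte signature")
```

The parser consumes the value exactly, with no trailing bytes, and finds AES-256 with SHA-512, a 32-byte salt and a 64-byte signature: the layout CryptProtectData emits on current Windows. Note that the table above shows iexplore.exe writing these values; a stealer interested in DPAPI-protected browser data would be reading them, which is a different registry operation and is not in this detonation.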

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2372 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab7DA9.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar7E5A.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 36d612a8302c6e748176399512dc2be3
SHA1 4593e86778a8eca7f2e0dcca3ab68ff1dc686a35
SHA256 9641ef209391317b7c224a294da09c54b3323aa0f4b836ce12300ad78d87e95c
SHA512 e38a8bcc1ce95ddfe258293cd0e48d6c25aa1a98cdf6992819676f4259b91215cd374f663e20c6b303be0cee1c4ae619f15c7fd827185e772722fea9fd30db91

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2a4c2de40a6168d488c621aa05640f84
SHA1 55d6f246b112026e71638514659fa2373331d116
SHA256 5c8cc9540f921c46f3652172cf4a72cbd1d4a4b940cd680f547f1012b54ae211
SHA512 0d27c8c9fa93ed0444a92136078ebb7cf48ca20143c758f4e59a3fb097d38a89a7b694ad39bb8a65f88be35405e2e0eb6e478b4285189e02189b475888680ffa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 501c0bf4d48179e9bc3fd052d79e17b8
SHA1 db58c8cd97cfb4ad1ac95d940921e874e76266d3
SHA256 99c36cd7ee56097f035c5989c1aac7f5f3d029f7ec24eaed0d1d55932460eac3
SHA512 b2f528e1079471d993cd87a99f5ba7c35eb7c9052b7a89b1c8fbb1343020553038cec6a1872a42f02c68f8715fab1fc6dc3e4aeeff5c2d6d149520e71377a061

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 46bbacf7c79b6af336810e1ddb515c4b
SHA1 aab1623ba3cf8dfa5f2770e64fa778d7ba56279b
SHA256 88e8373b4026889124594b51be99090352a34602f941eb3863371faf38c4f7a6
SHA512 3869e83a046e4dd84b37a72b7c5098c6c697430f10976dee87eeed0c472fd42998a2cac72fc6d9988e708a83ea5e0da49c095ea582756179f5ce7b56d3a3aeb5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cd20d55ce31c864514141bb952a227f9
SHA1 7f328ef379bf95132003f2d05308b095eb58ce98
SHA256 27d00c5f5e2de158ac62b5469996c3839b8f6aa3419cb36666699126e0c0d7f9
SHA512 c616eaf3d1507267091172243f6cd96e977d0b9eea5a8b3064778ee4b58ef889b01d3f404b7b70879998f52a7d7fcf7e11ce6b2c56508a4b338b4995bde83aa1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 29315d25ba80e43cc3a15a115161e9d5
SHA1 b0b4924854d24e9f0bc2238d01ca3bcec7d0fcd5
SHA256 0c90b45a5f599b030f9a8ce5861074ba88d13e6fc85e8a525e18fe02550cdd6d
SHA512 7e9deb4b8f83e7e4b54b1c488636629f9914e08ddf0630cc35d15313400d74fcea1bb3d483bb9aa507faf44d0a1ecbaac674725b79c5053e7d1f893a52fdc15b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ba36a404c7bc836429c5fe2bb12509fa
SHA1 0b97c8afa0e388ccc98cd5a0617c0c36ebdeea0d
SHA256 43bd127916f2bd28d3aa1a86cf935374dd9c51d9e4ec5f6e4cde9f432b67da43
SHA512 9550933365f64bedd3d504420c67d917f95b628cdfacb9d2005a76fb989027817c8f0180c44df61da70868e7c6a1e129bd079081afa1bfcbb16178be4dce43ac

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f2825961e3a023f6c00b1f0f87aadda3
SHA1 da192b14cc12dbc7e9714959cae01a1f02c6d6e4
SHA256 9108b8ea99659f31fd2387e994b685fd406f86a5259655809d72a387e5c7dfc1
SHA512 a65a944f7ad36a4555bf934a38e9bc5f0baf72ae4262f58e030db4ea4bfe614adce8e69ba311868c6694fa11b14d53d584b9ce4671fd06548fcac1c183fafb60

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 54f21d23b6a0e734a185a5b1e0ee2ff3
SHA1 3ef3cc93fbeb0f1e50b741033c8a2a87a7b13774
SHA256 5f477aaca8ab4bac3c161c3ba8e592e08d92364c39ff9b9fdc16d874f8441d4e
SHA512 6649619108d07bdf34c9885d4c354e10112c0e25b0090aa671e5b3bb7c6df44f6d83c7540bc8520948cf31ac7c8e7b7cb800a976b2604872293af30bbb707b1b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b75fba88d303b781fda4022eab81b11f
SHA1 5ff35ecb0c121cc9734e13e52b063aa06637a328
SHA256 dff11b91d1e7a1e5c0b485c7ebfedf615525c33a4d3c6bfb5ee10baba6090b85
SHA512 11ef6db20b766e3a85e13c475efebaa800fa4a42cb7cd1dd25d9b9509171ee9475ef528e4af734317509db6106392e4743d7e4ec4336e48745f5f54708e373f9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0cae049af377f48ba5705bf08928fa4d
SHA1 36ab5b0af78b80b88c1ac251c1d06fe88d6c8d1a
SHA256 28072c61269a5ecac571495b978f72f96dad2530ee1c33d9c8a2f09ba2c45040
SHA512 08c653dd08078e53598b3007e2ebb3d4cd594255d2ca460c23ee7d589a45616f5db7880b5e71f00637e05daae7b4234cb18a8f39338817417f9e6579ae156a3c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6ca51d8b1578765ac73484a51136d82e
SHA1 94648e2d3a582c58c84cfb95e7298571e699fbd9
SHA256 f1ada7d4d42a773e2f53e321a1c41601ddce2c0cfaef6b7bf139b97d97e2af6b
SHA512 ff356720cb10138cf44e9e8e645b8982b25ce78c4605a202edbab846e03d1f3bc42276fb4a00435f733fb49ea663a11f1fea92307afa430fa1c4913334e12c30

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 08c79104e076ae40de0395b3ae2bf1bb
SHA1 ca49bba9a7314d404d7c68f786de401d891fef92
SHA256 95545634eecb016fa25798c892fb73bae02afdc2536c815f4b75207e28560b49
SHA512 5165566a856f558497b931b22a87478f4c8d99ace598d9f5a31d08d2909820d569e1d6be71556cecbe187d8edbe0ab9e53f8673f7a8e3d01aa36fd8e616cd0ce

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bdb4730c1c1538c42fb011ef81f8d979
SHA1 0c1020203f7ff1bf76d9dd003053188d9a829b36
SHA256 484043c13504dfed05561368dba7ca7e21f2873f39c927cfeab608ac3185ff4c
SHA512 0d88ae3b9c1d7929c7e4caa24ddffad903c2b8679942ae927b79718d4628fb7b0c15f8f6fa5aa2274a6bd2849441d063129ef3500673f36563e928907e275dc7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7216560c83843478cfeecbbae47c10ff
SHA1 bef8336b3a5415dda0220fe0dd8aeb63a873a503
SHA256 8bbb1050ee7166f9956c63ba0ba7db37af89b1e4da5e145fbcd5d926372e648b
SHA512 d5c52f7b208fc6300b7f8a718c1299331b6563a7a394dbe06d1cb47423638be7f3c06c67dfc00ca6dd993ce7b5d51bbc91cd11a1ecbcab3b9537f011b01f5d9b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 aaeec0e3c8d131533ee07922d83cb8b1
SHA1 ae94afd312299f61b934a79a75b88d09e4d809d7
SHA256 5d61d3feab3641ace24e76388ec8c918deb92019aff88da11e84cf7e403265cc
SHA512 e037ca4587c96c10ad1e6cf40024c7b2db5c4e6e4b0dc7efa04d5143840eecfc66df87587ba169b4beb059c122e0426aabb205da899c0b4cd92e5ac252cd58d0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8d25689bf7265cfa7852f7572326ca03
SHA1 eb20033f8d77c097a3074c312eb092e57a1b3c68
SHA256 1dc614b0eea67dc9f45cb7ac9cf418316da971c972fa44d46eee41a7b3ad36d6
SHA512 05c94e7c2fb926b96776b6ea69b94c28017d9e374e9ad5beb8f5f3b6311dce8b091273e0658203a41b4df6e046871e166c3f9338be1c9582f18042e5aa9ff5f6

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-27 13:16

Reported

2024-10-27 13:20

Platform

win10v2004-20241007-en

Max time kernel

137s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MeetenSetup.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\MeetenSetup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MeetenSetup.exe

"C:\Users\Admin\AppData\Local\Temp\MeetenSetup.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 104.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-10-27 13:16

Reported

2024-10-27 13:20

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5080 wrote to memory of 1200 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5080 wrote to memory of 1200 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5080 wrote to memory of 1200 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1200 -ip 1200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1200 -s 628
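
behavioral6 shows the sandbox's own handling of extracted DLLs rather than anything MeetenSetup.exe does: it invokes ordinal #1 of each one through rundll32. The 64-bit C:\Windows\system32\rundll32.exe (PID 5080) finds that the NSIS plugin is a 32-bit image and relaunches itself as C:\Windows\SysWOW64\rundll32.exe (PID 1200) with the same command line, which is what the three WriteProcessMemory entries record; the child then crashes (WerFault with -p 1200) because NSIS plugin exports expect the installer's own argument layout rather than the four arguments rundll32 passes. The Python below is an added example, not from the report: it applies the checks an analyst runs on such rundll32 command lines and parent/child pairs before spending time on a detonation like this one, namely DLL in a user-writable directory, export called by ordinal, NSIS $PLUGINSDIR marker, and the 64-to-32-bit relaunch pattern. Command lines are copied from this page; the USER_WRITABLE list and WerFault's own PID (4321) are assumptions.

```python
"""Triage rundll32 command lines and the 64-to-32-bit relaunch seen above.

Added example, not part of the report. Command lines are copied from this
page; the process tuples reproduce the behavioral6 tree with its PIDs.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption for this example: directories an unprivileged user can write to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\",
                 "\\users\\public\\", "\\programdata\\")

# rundll32 takes "<dll>,<export>"; <export> is a name or "#<ordinal>".
_RUNDLL = re.compile(
    r'^\s*"?(?P<exe>[^"\s]*rundll32(?:\.exe)?)"?\s+"?(?P<dll>[^",]+?)"?,(?P<export>\S+)',
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Rundll32Call:
    exe: str
    dll: str
    export: str


def parse_rundll32(cmdline: str) -> Optional[Rundll32Call]:
    m = _RUNDLL.match(cmdline)
    return Rundll32Call(m["exe"], m["dll"], m["export"]) if m else None


def flags(call: Rundll32Call) -> List[str]:
    """Cheap indicators: none is proof on its own, each is worth a look."""
    dll = call.dll.lower()
    out = []
    if any(marker in dll for marker in USER_WRITABLE):
        out.append("dll-in-user-writable-dir")
    if call.export.startswith("#"):
        out.append("export-by-ordinal")
    if "$pluginsdir" in dll:
        out.append("nsis-plugin-dir")  # NSIS installer plugin, expects NSIS args
    return out


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str


def wow64_relaunch(parent: Proc, child: Proc) -> bool:
    """System32 rundll32 re-executing itself from SysWOW64 with the same
    command line: a 32-bit DLL on 64-bit Windows, not an injection step."""
    return (child.ppid == parent.pid
            and parent.image.lower().startswith(r"c:\windows\system32\rundll32")
            and child.image.lower().startswith(r"c:\windows\syswow64\rundll32")
            and parent.cmdline.lower() == child.cmdline.lower())


# behavioral6 as listed above. WerFault's own PID (4321) is assumed; the
# report only gives the faulting PID that WerFault names on its command line.
BEHAVIORAL6 = [
    Proc(5080, None, r"C:\Windows\system32\rundll32.exe",
         r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1"),
    Proc(1200, 5080, r"C:\Windows\SysWOW64\rundll32.exe",
         r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1"),
    Proc(4321, None, r"C:\Windows\SysWOW64\WerFault.exe",
         r"C:\Windows\SysWOW64\WerFault.exe -u -p 1200 -s 628"),
]


def explain_tree(procs: List[Proc]) -> List[str]:
    """One verdict line per process, in the order given."""
    by_pid = {p.pid: p for p in procs}
    notes = []
    for p in procs:
        call = parse_rundll32(p.cmdline)
        parent = by_pid.get(p.ppid) if p.ppid is not None else None
        if call and parent and wow64_relaunch(parent, p):
            notes.append(f"{p.pid}: 32-bit relaunch of {parent.pid}, flags {flags(call)}")
        elif call:
            notes.append(f"{p.pid}: rundll32 loads {ntpath.basename(call.dll)}, "
                         f"flags {flags(call)}")
        elif "werfault" in p.image.lower():
            m = re.search(r"-p (\d+)", p.cmdline)
            notes.append(f"{p.pid}: crash handler for faulting PID {m.group(1) if m else '?'}")
    return notes


if __name__ == "__main__":
    for line in explain_tree(BEHAVIORAL6):
        print(line)
```

All three flags fire for the $PLUGINSDIR detonations on this page and two of them for the libEGL.dll ones, so the flags alone would send every extracted DLL to an analyst; it is the tree context, a sandbox-initiated rundll32 whose only child is its own WoW64 relaunch followed by WerFault, that lets these be closed quickly. In a production rule the same flags on a rundll32 spawned by an Office application or a browser would carry a very different weight.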

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 102.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 85.65.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-10-27 13:16

Reported

2024-10-27 13:20

Platform

win7-20240708-en

Max time kernel

121s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2300 -s 220

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-27 13:16

Reported

2024-10-27 13:20

Platform

win7-20240903-en

Max time kernel

122s

Max time network

129s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SpiderBanner.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2308 wrote to memory of 1932 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SpiderBanner.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SpiderBanner.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-10-27 13:16

Reported

2024-10-27 13:20

Platform

win7-20240903-en

Max time kernel

118s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-10-27 13:16

Reported

2024-10-27 13:21

Platform

win7-20240903-en

Max time kernel

119s

Max time network

127s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\node-api-dotnet\net472.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\node-api-dotnet\net472.js

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-10-27 13:16

Reported

2024-10-27 13:21

Platform

win7-20240903-en

Max time kernel

118s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 220

Network

N/A

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-10-27 13:16

Reported

2024-10-27 13:21

Platform

win10v2004-20241007-en

Max time kernel

145s

Max time network

159s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\node-api-dotnet\net472.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\node-api-dotnet\net472.js

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-10-27 13:16

Reported

2024-10-27 13:20

Platform

win10v2004-20241007-en

Max time kernel

146s

Max time network

154s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\node-api-dotnet\init.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\node-api-dotnet\init.js

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-10-27 13:16

Reported

2024-10-27 13:20

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SpiderBanner.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3472 wrote to memory of 2524 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SpiderBanner.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SpiderBanner.dll,#1

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-10-27 13:16

Reported

2024-10-27 13:20

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1536 wrote to memory of 3436 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3436 -ip 3436

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 612

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-10-27 13:16

Reported

2024-10-27 13:20

Platform

win10v2004-20241007-en

Max time kernel

151s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Meeten.exe"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Meeten.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UpdateMC.exe C:\Users\Admin\AppData\Local\Temp\UpdateMC.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UpdateMC.exe C:\Users\Admin\AppData\Local\Temp\UpdateMC.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Path = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UpdateMC.exe" C:\Users\Admin\AppData\Local\Temp\UpdateMC.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\temp032412424z5RbP\MicrosoftRuntimeComponentsX86.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.db-ip.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\symbols\exe\directinstall.pdb C:\Users\Admin\AppData\Local\Temp\temp032412424z5RbP\MicrosoftRuntimeComponentsX86.exe N/A
File opened for modification C:\Windows\SYSTEM32\kernel32.pdb C:\Users\Admin\AppData\Local\Temp\temp032412424z5RbP\MicrosoftRuntimeComponentsX86.exe N/A
File opened for modification C:\Windows\system32\dll\ntdll.pdb C:\Users\Admin\AppData\Local\Temp\temp032412424z5RbP\MicrosoftRuntimeComponentsX86.exe N/A
File opened for modification C:\Windows\SYSTEM32\exe\directinstall.pdb C:\Users\Admin\AppData\Local\Temp\temp032412424z5RbP\MicrosoftRuntimeComponentsX86.exe N/A
File opened for modification C:\Windows\SYSTEM32\DLL\kernel32.pdb C:\Users\Admin\AppData\Local\Temp\temp032412424z5RbP\MicrosoftRuntimeComponentsX86.exe N/A
File opened for modification C:\Windows\SYSTEM32\symbols\DLL\kernel32.pdb C:\Users\Admin\AppData\Local\Temp\temp032412424z5RbP\MicrosoftRuntimeComponentsX86.exe N/A
File opened for modification C:\Windows\system32\DLL\kernel32.pdb C:\Users\Admin\AppData\Local\Temp\temp032412424z5RbP\MicrosoftRuntimeComponentsX86.exe N/A
File opened for modification C:\Windows\SYSTEM32\directinstall.pdb C:\Users\Admin\AppData\Local\Temp\temp032412424z5RbP\MicrosoftRuntimeComponentsX86.exe N/A
File opened for modification C:\Windows\SYSTEM32\symbols\exe\directinstall.pdb C:\Users\Admin\AppData\Local\Temp\temp032412424z5RbP\MicrosoftRuntimeComponentsX86.exe N/A
File opened for modification C:\Windows\system32\symbols\DLL\kernel32.pdb C:\Users\Admin\AppData\Local\Temp\temp032412424z5RbP\MicrosoftRuntimeComponentsX86.exe N/A
File opened for modification C:\Windows\SYSTEM32\symbols\dll\ntdll.pdb C:\Users\Admin\AppData\Local\Temp\temp032412424z5RbP\MicrosoftRuntimeComponentsX86.exe N/A
File opened for modification C:\Windows\system32\ntdll.pdb C:\Users\Admin\AppData\Local\Temp\temp032412424z5RbP\MicrosoftRuntimeComponentsX86.exe N/A
File opened for modification C:\Windows\system32\directinstall.pdb C:\Users\Admin\AppData\Local\Temp\temp032412424z5RbP\MicrosoftRuntimeComponentsX86.exe N/A
File opened for modification C:\Windows\system32\symbols\exe\directinstall.pdb C:\Users\Admin\AppData\Local\Temp\temp032412424z5RbP\MicrosoftRuntimeComponentsX86.exe N/A
File opened for modification C:\Windows\System32\dll\ntdll.pdb C:\Users\Admin\AppData\Local\Temp\temp032412424z5RbP\MicrosoftRuntimeComponentsX86.exe N/A
File opened for modification C:\Windows\system32\symbols\dll\ntdll.pdb C:\Users\Admin\AppData\Local\Temp\temp032412424z5RbP\MicrosoftRuntimeComponentsX86.exe N/A
File opened for modification C:\Windows\System32\exe\directinstall.pdb C:\Users\Admin\AppData\Local\Temp\temp032412424z5RbP\MicrosoftRuntimeComponentsX86.exe N/A
File opened for modification C:\Windows\System32\DLL\kernel32.pdb C:\Users\Admin\AppData\Local\Temp\temp032412424z5RbP\MicrosoftRuntimeComponentsX86.exe N/A
File opened for modification C:\Windows\System32\symbols\DLL\kernel32.pdb C:\Users\Admin\AppData\Local\Temp\temp032412424z5RbP\MicrosoftRuntimeComponentsX86.exe N/A
File opened for modification C:\Windows\SYSTEM32\dll\ntdll.pdb C:\Users\Admin\AppData\Local\Temp\temp032412424z5RbP\MicrosoftRuntimeComponentsX86.exe N/A
File opened for modification C:\Windows\System32\directinstall.pdb C:\Users\Admin\AppData\Local\Temp\temp032412424z5RbP\MicrosoftRuntimeComponentsX86.exe N/A
File opened for modification C:\Windows\system32\exe\directinstall.pdb C:\Users\Admin\AppData\Local\Temp\temp032412424z5RbP\MicrosoftRuntimeComponentsX86.exe N/A
File opened for modification C:\Windows\SYSTEM32\ntdll.pdb C:\Users\Admin\AppData\Local\Temp\temp032412424z5RbP\MicrosoftRuntimeComponentsX86.exe N/A
File opened for modification C:\Windows\System32\ntdll.pdb C:\Users\Admin\AppData\Local\Temp\temp032412424z5RbP\MicrosoftRuntimeComponentsX86.exe N/A
File opened for modification C:\Windows\system32\kernel32.pdb C:\Users\Admin\AppData\Local\Temp\temp032412424z5RbP\MicrosoftRuntimeComponentsX86.exe N/A
File opened for modification C:\Windows\System32\kernel32.pdb C:\Users\Admin\AppData\Local\Temp\temp032412424z5RbP\MicrosoftRuntimeComponentsX86.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\ntdll.pdb C:\Users\Admin\AppData\Local\Temp\temp032412424z5RbP\MicrosoftRuntimeComponentsX86.exe N/A

Hide Artifacts: Ignore Process Interrupts

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Access Token Manipulation: Create Process with Token

defense_evasion privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Browser Information Discovery

discovery

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\Meeten.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Users\Admin\AppData\Local\Temp\Meeten.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz C:\Users\Admin\AppData\Local\Temp\Meeten.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\Meeten.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 C:\Users\Admin\AppData\Local\Temp\Meeten.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\Meeten.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\Temp\Meeten.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Meeten.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\temp032412424z5RbP\MicrosoftRuntimeComponentsX86.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\temp032412424z5RbP\MicrosoftRuntimeComponentsX86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Meeten.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Meeten.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Meeten.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Meeten.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Meeten.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Meeten.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Meeten.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Meeten.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1200 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\Meeten.exe C:\Users\Admin\AppData\Local\Temp\Meeten.exe
PID 1200 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\Meeten.exe C:\Users\Admin\AppData\Local\Temp\Meeten.exe
PID 1200 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\Meeten.exe C:\Users\Admin\AppData\Local\Temp\Meeten.exe
PID 1200 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\Meeten.exe C:\Users\Admin\AppData\Local\Temp\Meeten.exe
PID 1200 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\Meeten.exe C:\Windows\system32\cmd.exe
PID 4980 wrote to memory of 1156 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\reg.exe
PID 1200 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\Meeten.exe C:\Windows\system32\cmd.exe
PID 1944 wrote to memory of 4228 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\reg.exe
PID 1200 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\Meeten.exe C:\Windows\system32\cmd.exe
PID 1200 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\Meeten.exe C:\Windows\system32\cmd.exe
PID 3512 wrote to memory of 2384 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4304 wrote to memory of 1480 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\reg.exe
PID 1200 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\Meeten.exe C:\Windows\system32\cmd.exe
PID 4752 wrote to memory of 1488 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\reg.exe
PID 1200 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\Meeten.exe C:\Windows\system32\cmd.exe
PID 4788 wrote to memory of 2204 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\reg.exe
PID 2384 wrote to memory of 2808 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\temp032412424z5RbP\MicrosoftRuntimeComponentsX86.exe
PID 2808 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\temp032412424z5RbP\MicrosoftRuntimeComponentsX86.exe C:\Windows\System32\Wbem\wmic.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Meeten.exe

"C:\Users\Admin\AppData\Local\Temp\Meeten.exe"

C:\Users\Admin\AppData\Local\Temp\Meeten.exe

C:\Users\Admin\AppData\Local\Temp\Meeten.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\meet-app /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\meet-app\Crashpad --url=https://f.a.k/e --annotation=_productName=meet-app --annotation=_version=3.7.482 --annotation=plat=Win64 --annotation=prod=Electron --annotation=ver=28.3.3 --initial-client-data=0x4ec,0x4f0,0x4f4,0x4e8,0x4bc,0x7ff6e58a4688,0x7ff6e58a4694,0x7ff6e58a46a0

C:\Users\Admin\AppData\Local\Temp\Meeten.exe

"C:\Users\Admin\AppData\Local\Temp\Meeten.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\meet-app" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1852 --field-trial-handle=1856,i,15722949688455227504,8444058153914349694,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:2

C:\Users\Admin\AppData\Local\Temp\Meeten.exe

"C:\Users\Admin\AppData\Local\Temp\Meeten.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\meet-app" --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --mojo-platform-channel-handle=2104 --field-trial-handle=1856,i,15722949688455227504,8444058153914349694,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8

C:\Users\Admin\AppData\Local\Temp\Meeten.exe

"C:\Users\Admin\AppData\Local\Temp\Meeten.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\meet-app" --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --app-user-model-id=com.meeten --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2512 --field-trial-handle=1856,i,15722949688455227504,8444058153914349694,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "%windir%\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid"

C:\Windows\System32\reg.exe

C:\Windows\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "%windir%\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid"

C:\Windows\System32\reg.exe

C:\Windows\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Start-Process "C:\Users\Admin\AppData\Local\Temp\temp032412424z5RbP\MicrosoftRuntimeComponentsX86.exe" -Verb runAs -ErrorAction SilentlyContinue"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "%windir%\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Start-Process "C:\Users\Admin\AppData\Local\Temp\temp032412424z5RbP\MicrosoftRuntimeComponentsX86.exe" -Verb runAs -ErrorAction SilentlyContinue

C:\Windows\System32\reg.exe

C:\Windows\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "%windir%\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid"

C:\Windows\System32\reg.exe

C:\Windows\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "%windir%\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid"

C:\Windows\System32\reg.exe

C:\Windows\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid

C:\Users\Admin\AppData\Local\Temp\temp032412424z5RbP\MicrosoftRuntimeComponentsX86.exe

"C:\Users\Admin\AppData\Local\Temp\temp032412424z5RbP\MicrosoftRuntimeComponentsX86.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic" csproduct get UUID

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command "Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\UpdateMC.exe' -Verb RunAs -WindowStyle hidden -ErrorAction SilentlyContinue"

C:\Users\Admin\AppData\Local\Temp\UpdateMC.exe

"C:\Users\Admin\AppData\Local\Temp\UpdateMC.exe"

C:\Users\Admin\AppData\Local\Temp\Meeten.exe

"C:\Users\Admin\AppData\Local\Temp\Meeten.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\meet-app" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2200 --field-trial-handle=1856,i,15722949688455227504,8444058153914349694,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto

Files

\??\pipe\crashpad_1200_CEGTBLFHGRQPVSOL

C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_entxhewe.gc1.ps1

memory/2384-81-0x000001FF5A1D0000-0x000001FF5A1F2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk

C:\Users\Admin\AppData\Roaming\meet-app\Network\Network Persistent State

C:\Users\Admin\AppData\Roaming\meet-app\Network\Network Persistent State~RFe58ce67.TMP

Analysis: behavioral8

Detonation Overview

Submitted

2024-10-27 13:16

Reported

2024-10-27 13:20

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

158s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5072 wrote to memory of 4992 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5072 wrote to memory of 4992 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5072 wrote to memory of 4992 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4992 -ip 4992

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 612

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-10-27 13:16

Reported

2024-10-27 13:21

Platform

win7-20240903-en

Max time kernel

121s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Meeten.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Meeten.exe

"C:\Users\Admin\AppData\Local\Temp\Meeten.exe"

Network

N/A

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-10-27 13:16

Reported

2024-10-27 13:21

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\node-api-dotnet\net472\Microsoft.JavaScript.NodeApi.DotNetHost.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\node-api-dotnet\net472\Microsoft.JavaScript.NodeApi.DotNetHost.dll,#1

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-10-27 13:16

Reported

2024-10-27 13:21

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\node-api-dotnet\net472\Microsoft.JavaScript.NodeApi.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\node-api-dotnet\net472\Microsoft.JavaScript.NodeApi.dll,#1

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-27 13:16

Reported

2024-10-27 13:20

Platform

win7-20240903-en

Max time kernel

122s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MeetenSetup.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\MeetenSetup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MeetenSetup.exe

"C:\Users\Admin\AppData\Local\Temp\MeetenSetup.exe"

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-10-27 13:16

Reported

2024-10-27 13:20

Platform

win7-20240903-en

Max time kernel

122s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2300 -s 220

Network

N/A

Files

N/A