Malware Analysis Report

2025-01-22 08:50

Sample ID: 241027-s1ea2axjbs
Target: 5cf96910434d5e17571532d88c6c0fdbeea02247ec7cb2f2fc664d12980baed8N
SHA256: 5cf96910434d5e17571532d88c6c0fdbeea02247ec7cb2f2fc664d12980baed8
Tags: discovery persistence spyware stealer
Score: 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview, Signatures
Analysis: behavioral1
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral6
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral9
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral5
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral7
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral8
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral10
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral2
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral3
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral4
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral11
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral12
    Detonation Overview, Command Line, Signatures, Processes, Network, Files

Analysis Overview

Score: 8/10
SHA256: 5cf96910434d5e17571532d88c6c0fdbeea02247ec7cb2f2fc664d12980baed8

Threat Level: Likely malicious

The file 5cf96910434d5e17571532d88c6c0fdbeea02247ec7cb2f2fc664d12980baed8N was found to be: Likely malicious.

Malicious Activity Summary

discovery persistence spyware stealer

Downloads MZ/PE file

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Reads user/profile data of web browsers

Enumerates connected drives

Adds Run key to start application

Checks installed software on the system

Checks system information in the registry

Program crash

System Location Discovery: System Language Discovery

Browser Information Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Modifies registry class

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-10-27 15:35

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-27 15:35
Reported: 2024-10-27 15:37
Platform: win7-20240903-en
Max time kernel: 16s
Max time network: 17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5cf96910434d5e17571532d88c6c0fdbeea02247ec7cb2f2fc664d12980baed8N.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5cf96910434d5e17571532d88c6c0fdbeea02247ec7cb2f2fc664d12980baed8N.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5cf96910434d5e17571532d88c6c0fdbeea02247ec7cb2f2fc664d12980baed8N.exe

"C:\Users\Admin\AppData\Local\Temp\5cf96910434d5e17571532d88c6c0fdbeea02247ec7cb2f2fc664d12980baed8N.exe"

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted: 2024-10-27 15:35
Reported: 2024-10-27 15:37
Platform: win10v2004-20241007-en
Max time kernel: 104s
Max time network: 107s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3560 wrote to memory of 4044 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3560 wrote to memory of 4044 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3560 wrote to memory of 4044 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4044 -ip 4044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 612

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted: 2024-10-27 15:35
Reported: 2024-10-27 15:37
Platform: win7-20241023-en
Max time kernel: 119s
Max time network: 16s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 240

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted: 2024-10-27 15:35
Reported: 2024-10-27 15:37
Platform: win7-20240903-en
Max time kernel: 21s
Max time network: 17s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 220

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted: 2024-10-27 15:35
Reported: 2024-10-27 15:37
Platform: win7-20241010-en
Max time kernel: 15s
Max time network: 20s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 236

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted: 2024-10-27 15:35
Reported: 2024-10-27 15:37
Platform: win10v2004-20241007-en
Max time kernel: 105s
Max time network: 106s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3092 wrote to memory of 5064 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3092 wrote to memory of 5064 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3092 wrote to memory of 5064 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5064 -ip 5064

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 624

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted: 2024-10-27 15:35
Reported: 2024-10-27 15:37
Platform: win10v2004-20241007-en
Max time kernel: 103s
Max time network: 104s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 5112 wrote to memory of 264 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 5112 wrote to memory of 264 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 5112 wrote to memory of 264 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 264 -ip 264

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 264 -s 636

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 72.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-10-27 15:35
Reported: 2024-10-27 15:37
Platform: win10v2004-20241007-en
Max time kernel: 120s
Max time network: 118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5cf96910434d5e17571532d88c6c0fdbeea02247ec7cb2f2fc664d12980baed8N.exe"

Signatures

Downloads MZ/PE file

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5cf96910434d5e17571532d88c6c0fdbeea02247ec7cb2f2fc664d12980baed8N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5cf96910434d5e17571532d88c6c0fdbeea02247ec7cb2f2fc664d12980baed8N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5cf96910434d5e17571532d88c6c0fdbeea02247ec7cb2f2fc664d12980baed8N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5cf96910434d5e17571532d88c6c0fdbeea02247ec7cb2f2fc664d12980baed8N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5cf96910434d5e17571532d88c6c0fdbeea02247ec7cb2f2fc664d12980baed8N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5cf96910434d5e17571532d88c6c0fdbeea02247ec7cb2f2fc664d12980baed8N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5cf96910434d5e17571532d88c6c0fdbeea02247ec7cb2f2fc664d12980baed8N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5cf96910434d5e17571532d88c6c0fdbeea02247ec7cb2f2fc664d12980baed8N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5cf96910434d5e17571532d88c6c0fdbeea02247ec7cb2f2fc664d12980baed8N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5cf96910434d5e17571532d88c6c0fdbeea02247ec7cb2f2fc664d12980baed8N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5cf96910434d5e17571532d88c6c0fdbeea02247ec7cb2f2fc664d12980baed8N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsu930A.tmp | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsu930A.tmp | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsu930A.tmp | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsu930A.tmp | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsu930A.tmp | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsu930A.tmp | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsu930A.tmp | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsu930A.tmp | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsu930A.tmp | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsu930A.tmp | N/A
N/A | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
N/A | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
N/A | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
N/A | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
N/A | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
N/A | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
N/A | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
N/A | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
N/A | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
N/A | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
N/A | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
N/A | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
N/A | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
N/A | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
N/A | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
N/A | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
N/A | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
N/A | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
N/A | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
N/A | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
N/A | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
N/A | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
N/A | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
N/A | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
N/A | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
N/A | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
N/A | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
N/A | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
N/A | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
N/A | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
N/A | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PCAppStore = "\"C:\\Users\\Admin\\PCAppStore\\PCAppStore.exe\" /init default" | C:\Users\Admin\AppData\Local\Temp\nsu930A.tmp | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PcAppStoreUpdater = "\"C:\\Users\\Admin\\PCAppStore\\AutoUpdater.exe\" /i" | C:\Users\Admin\AppData\Local\Temp\nsu930A.tmp | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Watchdog = "\"C:\\Users\\Admin\\PCAppStore\\Watchdog.exe\" /guid=755B0F1A-BB38-4BB2-BC7E-240C892146EEX /rid=20241027153549.672240646968 /ver=fa.1091y" | C:\Users\Admin\AppData\Local\Temp\nsu930A.tmp | N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\F: | C:\Users\Admin\PCAppStore\PcAppStore.exe | N/A

Checks system information in the registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5cf96910434d5e17571532d88c6c0fdbeea02247ec7cb2f2fc664d12980baed8N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nsu930A.tmp | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133745169635167178" | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-493223053-2004649691-1575712786-1000\{EBA82807-5D54-4CE7-B451-1D0D365CD840} | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5cf96910434d5e17571532d88c6c0fdbeea02247ec7cb2f2fc664d12980baed8N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5cf96910434d5e17571532d88c6c0fdbeea02247ec7cb2f2fc664d12980baed8N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5cf96910434d5e17571532d88c6c0fdbeea02247ec7cb2f2fc664d12980baed8N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5cf96910434d5e17571532d88c6c0fdbeea02247ec7cb2f2fc664d12980baed8N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5cf96910434d5e17571532d88c6c0fdbeea02247ec7cb2f2fc664d12980baed8N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5cf96910434d5e17571532d88c6c0fdbeea02247ec7cb2f2fc664d12980baed8N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5cf96910434d5e17571532d88c6c0fdbeea02247ec7cb2f2fc664d12980baed8N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5cf96910434d5e17571532d88c6c0fdbeea02247ec7cb2f2fc664d12980baed8N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5cf96910434d5e17571532d88c6c0fdbeea02247ec7cb2f2fc664d12980baed8N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5cf96910434d5e17571532d88c6c0fdbeea02247ec7cb2f2fc664d12980baed8N.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsu930A.tmp | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsu930A.tmp | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsu930A.tmp | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsu930A.tmp | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsu930A.tmp | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsu930A.tmp | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsu930A.tmp | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsu930A.tmp | N/A
N/A | N/A | C:\Users\Admin\PCAppStore\PcAppStore.exe | N/A
N/A | N/A | C:\Users\Admin\PCAppStore\PcAppStore.exe | N/A
N/A | N/A | C:\Users\Admin\PCAppStore\PcAppStore.exe | N/A
N/A | N/A | C:\Users\Admin\PCAppStore\PcAppStore.exe | N/A
N/A | N/A | C:\Users\Admin\PCAppStore\Watchdog.exe | N/A
N/A | N/A | C:\Users\Admin\PCAppStore\Watchdog.exe | N/A
N/A | N/A | C:\Users\Admin\PCAppStore\Watchdog.exe | N/A
N/A | N/A | C:\Users\Admin\PCAppStore\Watchdog.exe | N/A
N/A | N/A | C:\Users\Admin\PCAppStore\PcAppStore.exe | N/A
N/A | N/A | C:\Users\Admin\PCAppStore\PcAppStore.exe | N/A
N/A | N/A | C:\Users\Admin\PCAppStore\PcAppStore.exe | N/A
N/A | N/A | C:\Users\Admin\PCAppStore\PcAppStore.exe | N/A
N/A | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
N/A | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
N/A | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
N/A | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
N/A | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
N/A | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Users\Admin\PCAppStore\PcAppStore.exe | N/A
N/A | N/A | C:\Users\Admin\PCAppStore\PcAppStore.exe | N/A
N/A | N/A | C:\Users\Admin\PCAppStore\PcAppStore.exe | N/A
N/A | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
N/A | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
N/A | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
N/A | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
N/A | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
N/A | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
N/A | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
N/A | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
N/A | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
N/A | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
N/A | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
N/A | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
N/A | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
N/A | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
N/A | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
N/A | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
N/A | N/A | C:\Users\Admin\PCAppStore\PcAppStore.exe | N/A
N/A | N/A | C:\Users\Admin\PCAppStore\PcAppStore.exe | N/A
N/A | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A
N/A | N/A | C:\Users\Admin\PCAppStore\nwjs\NW_store.exe | N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\PCAppStore\PcAppStore.exe N/A
N/A N/A C:\Users\Admin\PCAppStore\PcAppStore.exe N/A
N/A N/A C:\Users\Admin\PCAppStore\PcAppStore.exe N/A
N/A N/A C:\Users\Admin\PCAppStore\PcAppStore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3092 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\5cf96910434d5e17571532d88c6c0fdbeea02247ec7cb2f2fc664d12980baed8N.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3092 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\5cf96910434d5e17571532d88c6c0fdbeea02247ec7cb2f2fc664d12980baed8N.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5028 wrote to memory of 1840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5028 wrote to memory of 1840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5028 wrote to memory of 2176 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5028 wrote to memory of 2176 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5028 wrote to memory of 2176 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5028 wrote to memory of 2176 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5028 wrote to memory of 2176 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5028 wrote to memory of 2176 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5028 wrote to memory of 2176 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5028 wrote to memory of 2176 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5028 wrote to memory of 2176 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5028 wrote to memory of 2176 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5028 wrote to memory of 2176 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5028 wrote to memory of 2176 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5028 wrote to memory of 2176 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5028 wrote to memory of 2176 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5028 wrote to memory of 2176 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5028 wrote to memory of 2176 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5028 wrote to memory of 2176 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5028 wrote to memory of 2176 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5028 wrote to memory of 2176 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5028 wrote to memory of 2176 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5028 wrote to memory of 2176 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5028 wrote to memory of 2176 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5028 wrote to memory of 2176 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5028 wrote to memory of 2176 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5028 wrote to memory of 2176 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5028 wrote to memory of 2176 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5028 wrote to memory of 2176 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5028 wrote to memory of 2176 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5028 wrote to memory of 2176 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5028 wrote to memory of 2176 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5028 wrote to memory of 2176 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5028 wrote to memory of 2176 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5028 wrote to memory of 2176 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5028 wrote to memory of 2176 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5028 wrote to memory of 2176 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5028 wrote to memory of 2176 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5028 wrote to memory of 2176 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5028 wrote to memory of 2176 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5028 wrote to memory of 2176 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5028 wrote to memory of 2176 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5028 wrote to memory of 4660 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5028 wrote to memory of 4660 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5028 wrote to memory of 3140 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5028 wrote to memory of 3140 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5028 wrote to memory of 3140 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5028 wrote to memory of 3140 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5028 wrote to memory of 3140 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5028 wrote to memory of 3140 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5028 wrote to memory of 3140 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5028 wrote to memory of 3140 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5028 wrote to memory of 3140 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5028 wrote to memory of 3140 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5028 wrote to memory of 3140 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5028 wrote to memory of 3140 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5028 wrote to memory of 3140 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5028 wrote to memory of 3140 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5028 wrote to memory of 3140 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5028 wrote to memory of 3140 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5028 wrote to memory of 3140 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5028 wrote to memory of 3140 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5cf96910434d5e17571532d88c6c0fdbeea02247ec7cb2f2fc664d12980baed8N.exe

"C:\Users\Admin\AppData\Local\Temp\5cf96910434d5e17571532d88c6c0fdbeea02247ec7cb2f2fc664d12980baed8N.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pcapp.store/installing.php?guid=755B0F1A-BB38-4BB2-BC7E-240C892146EEX&winver=19041&version=fa.1091y&nocache=20241027153522.580&_fcid=1729353733633496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffab22c46f8,0x7ffab22c4708,0x7ffab22c4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,16420257302852157872,221480137498757122,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,16420257302852157872,221480137498757122,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,16420257302852157872,221480137498757122,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16420257302852157872,221480137498757122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16420257302852157872,221480137498757122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2100,16420257302852157872,221480137498757122,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5024 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2100,16420257302852157872,221480137498757122,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5036 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16420257302852157872,221480137498757122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4616 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,16420257302852157872,221480137498757122,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5964 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\nsu930A.tmp

"C:\Users\Admin\AppData\Local\Temp\nsu930A.tmp" /internal 1729353733633496 /force

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,16420257302852157872,221480137498757122,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5964 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16420257302852157872,221480137498757122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16420257302852157872,221480137498757122,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16420257302852157872,221480137498757122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6084 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16420257302852157872,221480137498757122,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:1

C:\Users\Admin\PCAppStore\PcAppStore.exe

"C:\Users\Admin\PCAppStore\PcAppStore.exe" /init default

C:\Users\Admin\PCAppStore\Watchdog.exe

"C:\Users\Admin\PCAppStore\Watchdog.exe" /guid=755B0F1A-BB38-4BB2-BC7E-240C892146EEX /rid=20241027153549.672240646968 /ver=fa.1091y

C:\Users\Admin\PCAppStore\nwjs\NW_store.exe

.\nwjs\NW_store.exe .\ui\.

C:\Users\Admin\PCAppStore\nwjs\NW_store.exe

C:\Users\Admin\PCAppStore\nwjs\NW_store.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\pc_app_store\User Data" /prefetch:4 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\pc_app_store\User Data" --monitor-self-argument=/prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\pc_app_store\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\pc_app_store\User Data" --annotation=plat=Win64 --annotation=prod=pc_app_store --annotation=ver=0.1.0 --initial-client-data=0x280,0x284,0x288,0x27c,0x28c,0x7ffaad3ea960,0x7ffaad3ea970,0x7ffaad3ea980

C:\Users\Admin\PCAppStore\nwjs\NW_store.exe

C:\Users\Admin\PCAppStore\nwjs\NW_store.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\pc_app_store\User Data" /prefetch:4 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\pc_app_store\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=pc_app_store --annotation=ver=0.1.0 --initial-client-data=0x1b4,0x1b8,0x1bc,0x138,0x1c0,0x7ff64f488a60,0x7ff64f488a70,0x7ff64f488a80

C:\Users\Admin\PCAppStore\nwjs\NW_store.exe

"C:\Users\Admin\PCAppStore\nwjs\NW_store.exe" --type=gpu-process --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\pc_app_store\User Data" --nwapp-path=".\ui\." --no-appcompat-clear --start-stack-profiler --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2216 --field-trial-handle=2224,i,439179382826392573,16816595035193778817,262144 --variations-seed-version /prefetch:2

C:\Users\Admin\PCAppStore\nwjs\NW_store.exe

"C:\Users\Admin\PCAppStore\nwjs\NW_store.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\pc_app_store\User Data" --nwapp-path=".\ui\." --no-appcompat-clear --start-stack-profiler --mojo-platform-channel-handle=2256 --field-trial-handle=2224,i,439179382826392573,16816595035193778817,262144 --variations-seed-version /prefetch:3

C:\Users\Admin\PCAppStore\nwjs\NW_store.exe

"C:\Users\Admin\PCAppStore\nwjs\NW_store.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\pc_app_store\User Data" --nwapp-path=".\ui\." --no-appcompat-clear --mojo-platform-channel-handle=2280 --field-trial-handle=2224,i,439179382826392573,16816595035193778817,262144 --variations-seed-version /prefetch:8

C:\Users\Admin\PCAppStore\nwjs\NW_store.exe

"C:\Users\Admin\PCAppStore\nwjs\NW_store.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\pc_app_store\User Data" --nwapp-path=".\ui\." --nwjs --extension-process --no-appcompat-clear --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\PCAppStore\nwjs\gen" --no-zygote --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2852 --field-trial-handle=2224,i,439179382826392573,16816595035193778817,262144 --variations-seed-version /prefetch:2

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Users\Admin\PCAppStore\nwjs\NW_store.exe

"C:\Users\Admin\PCAppStore\nwjs\NW_store.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\pc_app_store\User Data" --nwapp-path=".\ui\." --no-appcompat-clear --mojo-platform-channel-handle=4624 --field-trial-handle=2224,i,439179382826392573,16816595035193778817,262144 --variations-seed-version /prefetch:8

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Users\Admin\PCAppStore\nwjs\NW_store.exe

"C:\Users\Admin\PCAppStore\nwjs\NW_store.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\pc_app_store\User Data" --nwapp-path=".\ui\." --no-appcompat-clear --mojo-platform-channel-handle=4148 --field-trial-handle=2224,i,439179382826392573,16816595035193778817,262144 --variations-seed-version /prefetch:8

C:\Users\Admin\PCAppStore\nwjs\NW_store.exe

"C:\Users\Admin\PCAppStore\nwjs\NW_store.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\pc_app_store\User Data" --nwapp-path=".\ui\." --no-appcompat-clear --mojo-platform-channel-handle=632 --field-trial-handle=2224,i,439179382826392573,16816595035193778817,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 pcapp.store udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 209.222.21.115:443 pcapp.store tcp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 115.21.222.209.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 delivery.pcapp.store udp
NL 195.181.172.2:443 delivery.pcapp.store tcp
US 8.8.8.8:53 pcapp.store udp
US 8.8.8.8:53 e6.o.lencr.org udp
US 159.223.126.41:443 pcapp.store tcp
US 159.223.126.41:443 pcapp.store tcp
GB 2.18.190.80:80 e6.o.lencr.org tcp
US 8.8.8.8:53 2.172.181.195.in-addr.arpa udp
US 8.8.8.8:53 61.45.26.184.in-addr.arpa udp
US 8.8.8.8:53 80.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 41.126.223.159.in-addr.arpa udp
US 8.8.8.8:53 repository.pcapp.store udp
US 8.8.8.8:53 10.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
GB 172.217.16.238:443 google.com tcp
GB 172.217.16.238:443 google.com tcp
GB 142.250.200.34:443 googleads.g.doubleclick.net tcp
GB 142.250.200.34:443 googleads.g.doubleclick.net tcp
GB 142.250.200.34:443 googleads.g.doubleclick.net tcp
US 8.8.8.8:53 www.google.co.uk udp
US 8.8.8.8:53 www.google.com udp
GB 172.217.169.36:443 www.google.com tcp
GB 172.217.169.36:443 www.google.com tcp
GB 172.217.169.36:443 www.google.com tcp
US 8.8.8.8:53 232.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 238.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 34.200.250.142.in-addr.arpa udp
GB 142.250.200.3:443 www.google.co.uk tcp
GB 142.250.200.3:443 www.google.co.uk tcp
GB 142.250.200.3:443 www.google.co.uk tcp
GB 142.250.200.3:443 www.google.co.uk tcp
US 8.8.8.8:53 region1.analytics.google.com udp
US 8.8.8.8:53 stats.g.doubleclick.net udp
US 8.8.8.8:53 36.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 3.200.250.142.in-addr.arpa udp
US 216.239.32.36:443 region1.analytics.google.com tcp
BE 74.125.133.157:443 stats.g.doubleclick.net tcp
US 216.239.32.36:443 region1.analytics.google.com tcp
NL 195.181.172.5:443 repository.pcapp.store tcp
NL 195.181.172.5:443 repository.pcapp.store tcp
US 8.8.8.8:53 157.133.125.74.in-addr.arpa udp
US 8.8.8.8:53 36.32.239.216.in-addr.arpa udp
US 8.8.8.8:53 5.172.181.195.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 216.239.32.36:443 region1.analytics.google.com tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 209.222.21.115:443 pcapp.store tcp
US 209.222.21.115:443 pcapp.store tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 66.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 d74queuslupub.cloudfront.net udp
US 209.222.21.115:443 pcapp.store tcp
NL 18.239.94.105:443 d74queuslupub.cloudfront.net tcp
US 8.8.8.8:53 105.94.239.18.in-addr.arpa udp
US 8.8.8.8:53 80.41.65.18.in-addr.arpa udp
US 8.8.8.8:53 174.15.239.18.in-addr.arpa udp
US 8.8.8.8:53 pcapp.store udp
US 8.8.8.8:53 pcapp.store udp
US 159.223.126.41:443 pcapp.store tcp
US 209.222.21.115:80 pcapp.store tcp
US 209.222.21.115:443 pcapp.store tcp
US 209.222.21.115:443 pcapp.store tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 216.58.212.196:443 www.google.com udp
US 209.222.21.115:443 pcapp.store tcp
US 209.222.21.115:443 pcapp.store tcp
US 8.8.8.8:53 196.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 repository.pcapp.store udp
NL 195.181.172.2:443 repository.pcapp.store tcp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.4.4:443 dns.google tcp
US 8.8.4.4:443 dns.google tcp
US 8.8.8.8:53 repcdn.pcapp.store udp
US 8.8.8.8:53 repcdn.pcapp.store udp
US 8.8.8.8:53 repository.pcapp.store udp
US 8.8.8.8:53 repository.pcapp.store udp
NL 195.181.172.2:443 repository.pcapp.store tcp
NL 195.181.172.2:443 repository.pcapp.store tcp
NL 195.181.172.2:443 repository.pcapp.store tcp
NL 195.181.172.2:443 repository.pcapp.store tcp
NL 195.181.172.2:443 repository.pcapp.store tcp
NL 195.181.172.2:443 repository.pcapp.store tcp
NL 195.181.172.2:443 repository.pcapp.store tcp
US 8.8.4.4:443 dns.google udp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 8.8.8.8:53 ev.pcapp.store udp
US 147.182.211.77:443 ev.pcapp.store tcp
US 8.8.8.8:53 77.211.182.147.in-addr.arpa udp
GB 172.217.169.42:443 tcp
US 8.8.8.8:53 evcs-ocsp.ws.symantec.com udp
DE 152.199.19.74:80 evcs-ocsp.ws.symantec.com tcp
US 8.8.8.8:53 evcs-crl.ws.symantec.com udp
SE 192.229.221.95:80 evcs-crl.ws.symantec.com tcp
US 8.8.8.8:53 42.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 74.19.199.152.in-addr.arpa udp
SE 192.229.221.95:80 evcs-crl.ws.symantec.com tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.4.4:443 dns.google udp
GB 172.217.169.36:443 www.google.com udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
SE 192.229.221.95:80 evcs-crl.ws.symantec.com tcp

Files


Analysis: behavioral3

Detonation Overview

Submitted

2024-10-27 15:35

Reported

2024-10-27 15:37

Platform

win7-20240903-en

Max time kernel

120s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISFastLib.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISFastLib.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISFastLib.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2412 -s 220

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-10-27 15:35

Reported

2024-10-27 15:37

Platform

win10v2004-20241007-en

Max time kernel

103s

Max time network

104s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISFastLib.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4620 wrote to memory of 436 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4620 wrote to memory of 436 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4620 wrote to memory of 436 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISFastLib.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISFastLib.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 436 -ip 436

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 628

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-10-27 15:35

Reported

2024-10-27 15:37

Platform

win7-20240708-en

Max time kernel

117s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsJSON.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsJSON.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsJSON.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2484 -s 228

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-10-27 15:35

Reported

2024-10-27 15:37

Platform

win10v2004-20241007-en

Max time kernel

102s

Max time network

109s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsJSON.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3372 wrote to memory of 2488 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3372 wrote to memory of 2488 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3372 wrote to memory of 2488 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsJSON.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsJSON.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2488 -ip 2488

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 616

Network

Country Destination Domain Proto

Files

N/A