Malware Analysis Report

2025-08-10 15:25

Sample ID 241103-fpz25sylhk
Target Geometry Dash 2.11 Funcional by Davoxt.zip
SHA256 c2d75b3ef16d7c865a6b7dee6464a94cd3bcd27dbf595abf238fa7a86fd3f08e
Tags
discovery execution
score
7/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral25, behavioral6, behavioral10, behavioral18, behavioral29, behavioral31, behavioral21, behavioral11, behavioral14, behavioral32, behavioral1, behavioral7, behavioral12, behavioral17, behavioral23, behavioral26, behavioral28, behavioral15, behavioral30, behavioral8, behavioral9, behavioral13, behavioral19, behavioral20, behavioral27, behavioral3, behavioral4, behavioral5, behavioral22, behavioral24, behavioral2, behavioral16 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
7/10

SHA256

c2d75b3ef16d7c865a6b7dee6464a94cd3bcd27dbf595abf238fa7a86fd3f08e

Threat Level: suspicious behaviour (score 7/10)

The sandbox classified Geometry Dash 2.11 Funcional by Davoxt.zip as showing suspicious behaviour, not as confirmed malicious. In the behavioral runs reproduced on this page every fired signature belongs either to the bundled Visual C++ 2010 redistributable installer (the Setup.exe dropped by vcredist_x64.exe and vcredist_x86.exe) or to the sandbox's own rundll32 detonation of the game's support DLLs and the WerFault crashes that follow; the ACProtect match is a static packer signature from static1 with no process context, and the PowerShell, dropped-DLL load and process-enumeration hits in the summary below come from behavioral runs beyond those reproduced here and should be read in their own context.

Malicious Activity Summary

discovery execution

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

ACProtect 1.3x - 1.4x DLL software

Checks installed software on the system

Checks system information in the registry

Unsigned PE

Program crash

Command and Scripting Interpreter: PowerShell

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-03 05:05

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

(Static packer signature. ACProtect is a commercial PE protector; the match carries no file or process context here, so confirm it against the DLL's entry point and section table before treating the archive as packed.)

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A (12 matches; the report records no detail for any of them)

Analysis: behavioral25

Detonation Overview

Submitted

2024-11-03 05:03

Reported

2024-11-03 05:10

Platform

win7-20241023-en

Max time kernel

119s

Max time network

136s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\libcocos2d.dll",#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\libcocos2d.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\libcocos2d.dll",#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 252

Network

N/A

Files

N/A
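How to read this run and the other `rundll32.exe "<dll>",#1` runs below: the sandbox detonates every DLL in the archive by calling its first export by ordinal, which is what `,#1` means. The 64-bit C:\Windows\system32\rundll32.exe hands off to C:\Windows\SysWOW64\rundll32.exe because the DLL is 32-bit, and the "wrote to memory of" entries in later runs are that parent setting up its child. The WerFault.exe line (`-p <pid>` names the 32-bit rundll32) is the crash reporter: a game engine export such as ordinal 1 of libcocos2d.dll does not expect rundll32's argument convention and the process dies. None of this is behaviour of the sample, and the "System Language Discovery" hit on the NLS\Language key fires for almost any process that initialises locale data. The one rundll32 line on this page with a real payload is the ieframe.dll,OpenURL call in behavioral6, which opens the bundled IGG-GAMES.COM.url shortcut.

The following is an added example, not part of the sandbox report, of a parser for rundll32 command lines of the kind logged above together with the triage notes a detection rule would attach: DLL loaded from a user-writable path, entry point by ordinal, and the ieframe.dll OpenURL proxy-execution pattern. The sample command lines are copied from this page; the note names and the user-writable heuristic are my own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Command lines copied from the behavioral runs on this page (the WerFault one is there to show a non-match).
SAMPLE_COMMAND_LINES = [
    r'rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\libcocos2d.dll",#1',
    r'"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\IGG-GAMES.COM.url"',
    r'C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 252',
]

# rundll32 grammar: rundll32[.exe] <dll>,<entrypoint> [argument]
# The DLL path may be quoted (it usually contains spaces); the comma that ends it cannot occur
# inside the path, and the entry point is either an exported name or #<ordinal>.
RUNDLL32 = re.compile(
    r'^\s*"?(?P<exe>[^"\s]*rundll32\.exe)"?\s+'
    r'"?(?P<dll>[^",]+?)"?,(?P<entry>#\d+|[A-Za-z_]\w*)'
    r'(?:\s+"?(?P<arg>.*?)"?)?\s*$',
    re.IGNORECASE,
)
# Heuristic (my own, not the sandbox's): anything under a user profile is writable by that user.
USER_WRITABLE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\", re.IGNORECASE)


@dataclass
class Rundll32Call:
    dll: str
    entry: str
    argument: Optional[str]

    @property
    def by_ordinal(self) -> bool:
        return self.entry.startswith("#")


def parse_rundll32(cmdline: str) -> Optional[Rundll32Call]:
    """Return the DLL, entry point and trailing argument, or None if this is not a rundll32 call."""
    m = RUNDLL32.match(cmdline)
    if m is None:
        return None
    return Rundll32Call(m.group("dll"), m.group("entry"), m.group("arg"))


def triage(cmdline: str) -> dict:
    """Attach the notes a detection rule would raise; an empty list means nothing stood out."""
    call = parse_rundll32(cmdline)
    if call is None:
        return {"parsed": False, "notes": []}
    notes = []
    if USER_WRITABLE.match(call.dll):
        notes.append("dll-from-user-writable-path")
    if call.by_ordinal:
        # Sandboxes detonate DLLs by ordinal; in real intrusions a named export is far more common.
        notes.append("entry-by-ordinal")
    if call.dll.lower().endswith("ieframe.dll") and call.entry.lower() == "openurl":
        # Signed-binary proxy execution: ieframe's OpenURL opens whatever the argument points at.
        notes.append("ieframe-openurl-proxy-execution")
    return {"parsed": True, "dll": call.dll, "entry": call.entry, "argument": call.argument, "notes": notes}


if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        print(triage(line))
```

On this page the first two notes fire only because of how the sandbox launched the DLLs; in production telemetry the same combination (user-profile DLL, ordinal entry) is worth an alert, which is exactly why a rule needs the parsed fields rather than a substring match on "rundll32".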

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-03 05:03

Reported

2024-11-03 05:10

Platform

win10v2004-20241007-en

Max time kernel

137s

Max time network

167s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\IGG-GAMES.COM.url"

Signatures

N/A

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\IGG-GAMES.COM.url"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-11-03 05:03

Reported

2024-11-03 05:10

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2010\vcredist_x64.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation \??\c:\f1a80ecaa29c45fc8ce0\Setup.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\f1a80ecaa29c45fc8ce0\Setup.exe N/A

Checks system information in the registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer \??\c:\f1a80ecaa29c45fc8ce0\Setup.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName \??\c:\f1a80ecaa29c45fc8ce0\Setup.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2010\vcredist_x64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\f1a80ecaa29c45fc8ce0\Setup.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\f1a80ecaa29c45fc8ce0\Setup.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\f1a80ecaa29c45fc8ce0\Setup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz \??\c:\f1a80ecaa29c45fc8ce0\Setup.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 \??\c:\f1a80ecaa29c45fc8ce0\Setup.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS \??\c:\f1a80ecaa29c45fc8ce0\Setup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU \??\c:\f1a80ecaa29c45fc8ce0\Setup.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A \??\c:\f1a80ecaa29c45fc8ce0\Setup.exe N/A
Token: SeBackupPrivilege N/A \??\c:\f1a80ecaa29c45fc8ce0\Setup.exe N/A
Token: SeBackupPrivilege N/A \??\c:\f1a80ecaa29c45fc8ce0\Setup.exe N/A
Token: SeBackupPrivilege N/A \??\c:\f1a80ecaa29c45fc8ce0\Setup.exe N/A
Token: SeBackupPrivilege N/A \??\c:\f1a80ecaa29c45fc8ce0\Setup.exe N/A
Token: SeBackupPrivilege N/A \??\c:\f1a80ecaa29c45fc8ce0\Setup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2010\vcredist_x64.exe

"C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2010\vcredist_x64.exe"

\??\c:\f1a80ecaa29c45fc8ce0\Setup.exe

c:\f1a80ecaa29c45fc8ce0\Setup.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 sqm.microsoft.com udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 66.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
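Reading the network tables on this page: every row is either DNS to the sandbox resolver (8.8.8.8:53) or HTTPS to Bing. The `*.in-addr.arpa` names are reverse (PTR) lookups; reading the labels backwards gives the address that was looked up, so `10.27.171.150.in-addr.arpa` is 150.171.27.10, the same address tse1.mm.bing.net resolved to in the rows above it. g.bing.com and tse1.mm.bing.net are contacted by the Windows 10 guest image on its own and show up equally in behavioral6, where nothing but a .url shortcut was opened. sqm.microsoft.com, seen here and in behavioral11, is Microsoft's installer telemetry (SQM) and belongs to the redistributable's Setup.exe. No row on this page is a destination attributable to the sample itself.

Below is an added example, not from the report, of the triage I would run over such a table: parse the rows, fold PTR names back into addresses, bucket the known noise and surface whatever is left unexplained. The rows are copied from this page (behavioral6 and behavioral10); the two noise lists are assumptions that must be tuned to your own sandbox image.

```python
import re

# Rows copied from the Network tables on this page (behavioral6 and behavioral10).
SAMPLE_NETWORK_ROWS = """
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 sqm.microsoft.com udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
"""

# Assumptions to tune for your own guest image: names a clean Windows 10 sandbox contacts by itself,
# and the Microsoft installer telemetry (SQM) endpoint used by the bundled VC++ redistributable.
OS_BACKGROUND = {"g.bing.com", "tse1.mm.bing.net"}
INSTALLER_TELEMETRY = {"sqm.microsoft.com"}

ROW = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+(?P<name>\S+)\s+(?P<proto>tcp|udp)$"
)


def ptr_to_ip(name: str) -> str:
    """'10.27.171.150.in-addr.arpa' -> '150.171.27.10' (PTR names carry the octets reversed)."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        raise ValueError(f"not a PTR name: {name}")
    return ".".join(reversed(name[: -len(suffix)].split(".")))


def triage_network(table: str) -> dict:
    """Bucket each row; only the 'unexplained' bucket deserves analyst time."""
    out = {
        "reverse_lookups": set(),      # addresses the guest resolved backwards
        "os_background": set(),
        "installer_telemetry": set(),
        "connections": set(),          # (ip, port, proto, name) for everything that is not a DNS query
        "unexplained": set(),
    }
    for line in table.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        ip, port, name, proto = m.group("ip"), int(m.group("port")), m.group("name"), m.group("proto")
        if port != 53 or proto != "udp":
            out["connections"].add((ip, port, proto, name))
        if name.endswith(".in-addr.arpa"):
            out["reverse_lookups"].add(ptr_to_ip(name))
        elif name in OS_BACKGROUND:
            out["os_background"].add(name)
        elif name in INSTALLER_TELEMETRY:
            out["installer_telemetry"].add(name)
        else:
            out["unexplained"].add((name, f"{ip}:{port}/{proto}"))
    return out


def connections_confirmed_by_ptr(result: dict) -> set:
    """Destination addresses that also appear as a reverse lookup: those PTR rows explain themselves."""
    return {c[0] for c in result["connections"]} & result["reverse_lookups"]


if __name__ == "__main__":
    result = triage_network(SAMPLE_NETWORK_ROWS)
    for bucket, rows in result.items():
        print(f"{bucket}: {sorted(rows)}")
    print("connections with a matching PTR:", sorted(connections_confirmed_by_ptr(result)))
```

The reverse lookups that do not pair with a connection in the same run (52.183.220.149 here, the many others in the tables) are the guest resolving addresses it talked to outside the capture window or over flows the table does not list; they are worth a quick ownership check but not an IOC.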

Files

C:\f1a80ecaa29c45fc8ce0\Setup.exe

MD5 2af2c1a78542975b12282aca4300d515
SHA1 3216c853ed82e41dfbeb6ca48855fdcd41478507
SHA256 531eb45798728cb741043b28b8c1a4f75536dc75f92d100f55f9109d2d63f0d7
SHA512 4a70bd4b542f6001e46f827f341676c34af1ea216c50ad981dd04f547cd67f73aaa420fcbed379dc05dab199bf5ba00d899c49ff75da577613209f96226227eb

\??\c:\f1a80ecaa29c45fc8ce0\SetupEngine.dll

MD5 63e7901d4fa7ac7766076720272060d0
SHA1 72dec0e4e12255d98ccd49937923c7b5590bbfac
SHA256 a5116ccb17b242713e5645c2374abf5827c0d2752b31553e3540c9123812e952
SHA512 de2e63bc090121484191cbf23194361d761b01c0fd332f35f0dfdfd0b11431b529e5c7f542031a0e7e26f31497d94b8baacfbf1c84c6493e66ac2ab76c11d0a0

C:\f1a80ecaa29c45fc8ce0\sqmapi.dll

MD5 3f0363b40376047eff6a9b97d633b750
SHA1 4eaf6650eca5ce931ee771181b04263c536a948b
SHA256 bd6395a58f55a8b1f4063e813ce7438f695b9b086bb965d8ac44e7a97d35a93c
SHA512 537be86e2f171e0b2b9f462ac7f62c4342beb5d00b68451228f28677d26a525014758672466ad15ed1fd073be38142dae478df67718908eae9e6266359e1f9e8

\??\c:\f1a80ecaa29c45fc8ce0\DHTMLHeader.html

MD5 cd131d41791a543cc6f6ed1ea5bd257c
SHA1 f42a2708a0b42a13530d26515274d1fcdbfe8490
SHA256 e139af8858fe90127095ac1c4685bcd849437ef0df7c416033554703f5d864bb
SHA512 a6ee9af8f8c2c7acd58dd3c42b8d70c55202b382ffc5a93772af7bf7d7740c1162bb6d38a4307b1802294a18eb52032d410e128072af7d4f9d54f415be020c9a

C:\Users\Admin\AppData\Local\Temp\HFIABC2.tmp.html

MD5 928b890fbe154e9991185b2be97f3d14
SHA1 2aa26948f090131d1ff13c2b1c51f2f22f402f8b
SHA256 d5e9bace0272213d1f64295aed00ef3399faa7d11e7e10d4e15417a8e17af8c3
SHA512 ce4b966200ced44e3f2702b55936f10a6ffce1ef220d222f1b0ce917ea54f92a75169ad734913ef69a592b7617a4885943b23c54f6f18a45473805e8833112a8

\??\c:\f1a80ecaa29c45fc8ce0\UiInfo.xml

MD5 4f90fcef3836f5fc49426ad9938a1c60
SHA1 89eba3b81982d5d5c457ffa7a7096284a10de64a
SHA256 66a0299ce7ee12dd9fc2cfead3c3211e59bfb54d6c0627d044d44cef6e70367b
SHA512 4ce2731c1d32d7ca3a4f644f4b3111f06223de96c1e241fcc86f5fe665f4db18c8a241dae4e8a7e278d6afbf91b235a2c3517a40d4d22d9866880e19a7221160

\??\c:\f1a80ecaa29c45fc8ce0\ParameterInfo.xml

MD5 5674d0bc3f4cdf572b9263332b2942c7
SHA1 495c5ba176fe6a6cbd4c0d9b85c2d886de1be968
SHA256 cbe5b9a27b1dde70a9040790eaff798e6534ff1ec2b4702cc4be7221d18d2182
SHA512 22d35950ee4291e42107a8b2d1fd1f305dcde9306480549b639f5c504247cfb73ba287f20e3e5232b3c35294176b0b3dbdc03c948561e90db0f22635efce7685

\??\c:\f1a80ecaa29c45fc8ce0\1033\LocalizedData.xml

MD5 5486ff60b072102ee3231fd743b290a1
SHA1 d8d8a1d6bf6adf1095158b3c9b0a296a037632d0
SHA256 5ca3ecaa12ca56f955d403ca93c4cb36a7d3dcdea779fc9bdaa0cdd429dab706
SHA512 ae240eaac32edb18fd76982fc01e03bd9c8e40a9ec1b9c42d7ebd225570b7517949e045942dbb9e40e620aa9dcc9fbe0182c6cf207ac0a44d7358ad33ba81472

\??\c:\f1a80ecaa29c45fc8ce0\1028\LocalizedData.xml

MD5 12df3535e4c4ef95a8cb03fd509b5874
SHA1 90b1f87ba02c1c89c159ebf0e1e700892b85dc39
SHA256 1c8132747dc33ccdb02345cbe706e65089a88fe32cf040684ca0d72bb9105119
SHA512 c6c8887e7023c4c1cbf849eebd17b6ad68fc14607d1c32c0d384f951e07bfaf6b61e0639f4e5978c9e3e1d52ef8a383b62622018a26fa4066eb620f584030808

\??\c:\f1a80ecaa29c45fc8ce0\1031\LocalizedData.xml

MD5 b13ff959adc5c3e9c4ba4c4a76244464
SHA1 4df793626f41b92a5bc7c54757658ce30fdaeeb1
SHA256 44945bc0ba4be653d07f53e736557c51164224c8ec4e4672dfae1280260ba73b
SHA512 de78542d3bbc4c46871a8afb50fb408a59a76f6ed67e8be3cba8ba41724ea08df36400e233551b329277a7a0fe6168c5556abe9d9a735f41b29a941250bfc4d6

\??\c:\f1a80ecaa29c45fc8ce0\1036\LocalizedData.xml

MD5 30dd04ce53b3f5d9363ade0359e3e0b2
SHA1 56bc3301013a2d0b08ecd38ff0a22b1040ef558e
SHA256 bf03073e0e939f3598aeb9aa19b655a24c4ad31f96065d6dc60f7c4df78653ba
SHA512 9cb1ff9ba0dc018f9e1bd301fbcb9e5c561f6a14c65290ebc0fe67cbdf59d1a09898a2f802c52339c10942c819ebb4bdd8b4c7f5f4f78af95f7c893641e41a34

\??\c:\f1a80ecaa29c45fc8ce0\1040\LocalizedData.xml

MD5 fe6b23186c2d77f7612bf7b1018a9b2a
SHA1 1528ec7633e998f040d2d4c37ac8a7dc87f99817
SHA256 03bbe1a39c6716f07703d20ed7539d8bf13b87870c2c83ddda5445c82953a80a
SHA512 40c9c9f3607cab24655593fc4766829516de33f13060be09f5ee65578824ac600cc1c07fe71cdd48bff7f52b447ff37c0d161d755a69ac7db7df118da6db7649

\??\c:\f1a80ecaa29c45fc8ce0\1041\LocalizedData.xml

MD5 6f86b79dbf15e810331df2ca77f1043a
SHA1 875ed8498c21f396cc96b638911c23858ece5b88
SHA256 f0f9dd1a9f164f4d2e73b4d23cc5742da2c39549b9c4db692283839c5313e04f
SHA512 ca233a6bf55e253ebf1e8180a326667438e1124f6559054b87021095ef16ffc6b0c87361e0922087be4ca9cabd10828be3b6cc12c4032cb7f2a317fdbd76f818

\??\c:\f1a80ecaa29c45fc8ce0\1042\LocalizedData.xml

MD5 e87ad0b3bf73f3e76500f28e195f7dc0
SHA1 716b842f6fbf6c68dc9c4e599c8182bfbb1354dc
SHA256 43b351419b73ac266c4b056a9c3a92f6dfa654328163814d17833a837577c070
SHA512 d3ea8655d42a2b0938c2189ceeab25c29939c302c2e2205e05d6059afc2a9b2039b21c083a7c17da1ce5eebdc934ff327a452034e2e715e497bcd6239395774c

\??\c:\f1a80ecaa29c45fc8ce0\1049\LocalizedData.xml

MD5 1290be72ed991a3a800a6b2a124073b2
SHA1 dac09f9f2ccb3b273893b653f822e3dfc556d498
SHA256 6ba9a2e4a6a58f5bb792947990e51babd9d5151a7057e1a051cb007fea2eb41c
SHA512 c0b8b4421fcb2aabe2c8c8773fd03842e3523bf2b75d6262fd8bd952adc12c06541bdae0219e89f9f9f8d79567a4fe4dff99529366c4a7c5bf66c218431f3217

\??\c:\f1a80ecaa29c45fc8ce0\2052\LocalizedData.xml

MD5 150b5c3d1b452dccbe8f1313fda1b18c
SHA1 7128b6b9e84d69c415808f1d325dd969b17914cc
SHA256 6d4eb9dca1cbcd3c2b39a993133731750b9fdf5988411f4a6da143b9204c01f2
SHA512 a45a1f4f19a27558e08939c7f63894ff5754e6840db86b8c8c68d400a36fb23179caff164d8b839898321030469b56446b5a8efc5765096dee5e8a746351e949

\??\c:\f1a80ecaa29c45fc8ce0\3082\LocalizedData.xml

MD5 05a95593c61c744759e52caf5e13502e
SHA1 0054833d8a7a395a832e4c188c4d012301dd4090
SHA256 1a3e5e49da88393a71ea00d73fee7570e40edb816b72622e39c7fcd09c95ead1
SHA512 00aee4c02f9d6374560f7d2b826503aab332e1c4bc3203f88fe82e905471ec43f92f4af4fc52e46f377e4d297c2be99daf94980df2ce7664c169552800264fd3

\??\c:\f1a80ecaa29c45fc8ce0\SetupUi.dll

MD5 0d214ced87bf0b55883359160a68dacb
SHA1 a60526505d56d447c6bbde03da980db67062c4c6
SHA256 29cf99d7e67b4c54bafd109577a385387a39301bcdec8ae4ba1a8a0044306713
SHA512 d9004ebd42d4aa7d13343b3746cf454ca1a5144f7b0f437f1a31639cc6bd90c5dd3385612df926bf53c3ef85cfe33756c067cb757fff257d674a10d638fc03c5

\??\c:\f1a80ecaa29c45fc8ce0\SetupUi.xsd

MD5 2fadd9e618eff8175f2a6e8b95c0cacc
SHA1 9ab1710a217d15b192188b19467932d947b0a4f8
SHA256 222211e8f512edf97d78bc93e1f271c922d5e91fa899e092b4a096776a704093
SHA512 a3a934a8572ff9208d38cf381649bd83de227c44b735489fd2a9dc5a636ead9bb62459c9460ee53f61f0587a494877cd3a3c2611997be563f3137f8236ffc4ca

\??\c:\f1a80ecaa29c45fc8ce0\1033\SetupResources.dll

MD5 0b4e76baf52d580f657f91972196cd91
SHA1 e6ac8f80ab8ade18ac7e834ac6d0536bb483988c
SHA256 74a7767d8893dcc1a745522d5a509561162f95bc9e8bcc3056f37a367dba64a4
SHA512 ed53292c549d09da9118e944a646aa5dc0a6231811eafcda4258c892b218bcf3e0363a2c974868d2d2722155983c5dc8e29bed36d58e566e1695e23ce07fea87

\??\c:\f1a80ecaa29c45fc8ce0\Strings.xml

MD5 332adf643747297b9bfa9527eaefe084
SHA1 670f933d778eca39938a515a39106551185205e9
SHA256 e49545feeae22198728ad04236e31e02035af7cc4d68e10cbecffd08669cbeca
SHA512 bea95ce35c4c37b4b2e36cc1e81fc297cc4a8e17b93f10423a02b015ddb593064541b5eb7003560fbeee512ed52869a113a6fb439c1133af01f884a0db0344b0

\??\c:\f1a80ecaa29c45fc8ce0\graphics\print.ico

MD5 7e55ddc6d611176e697d01c90a1212cf
SHA1 e2620da05b8e4e2360da579a7be32c1b225deb1b
SHA256 ff542e32330b123486797b410621e19eafb39df3997e14701afa4c22096520ed
SHA512 283d381aa396820b7e15768b20099d67688da1f6315ec9f7938c2fcc3167777502cded0d1beddf015a34cc4e5d045bcb665ffd28ba2fbb6faf50fdd38b31d16e

\??\c:\f1a80ecaa29c45fc8ce0\graphics\save.ico

MD5 7d62e82d960a938c98da02b1d5201bd5
SHA1 194e96b0440bf8631887e5e9d3cc485f8e90fbf5
SHA256 ae041c8764f56fd89277b34982145d16fc59a4754d261c861b19371c3271c6e5
SHA512 ab06b2605f0c1f6b71ef69563c0c977d06c6ea84d58ef7f2baecba566d6037d1458c2b58e6bfd70ddef47dccbdea6d9c2f2e46dea67ea9e92457f754d7042f67

\??\c:\f1a80ecaa29c45fc8ce0\graphics\setup.ico

MD5 3d25d679e0ff0b8c94273dcd8b07049d
SHA1 a517fc5e96bc68a02a44093673ee7e076ad57308
SHA256 288e9ad8f0201e45bc187839f15aca79d6b9f76a7d3c9274c80f5d4a4c219c0f
SHA512 3bde668004ca7e28390862d0ae9903c756c16255bdbb3f7e73a5b093ce6a57a3165d6797b0a643b254493149231aca7f7f03e0af15a0cbe28aff02f0071ec255

\??\c:\f1a80ecaa29c45fc8ce0\header.bmp

MD5 3ad1a8c3b96993bcdf45244be2c00eef
SHA1 308f98e199f74a43d325115a8e7072d5f2c6202d
SHA256 133b86a4f1c67a159167489fdaeab765bfa1050c23a7ae6d5c517188fb45f94a
SHA512 133442c4a65269f817675adf01adcf622e509aa7ec7583bca8cd9a7eb6018d2aab56066054f75657038efb947cd3b3e5dc4fe7f0863c8b3b1770a8fa4fe2e658

\??\c:\f1a80ecaa29c45fc8ce0\watermark.bmp

MD5 1a5caafacfc8c7766e404d019249cf67
SHA1 35d4878db63059a0f25899f4be00b41f430389bf
SHA256 2e87d5742413254db10f7bd0762b6cdb98ff9c46ca9acddfd9b1c2e5418638f2
SHA512 202c13ded002d234117f08b18ca80d603246e6a166e18ba422e30d394ada7e47153dd3cce9728affe97128fdd797fe6302c74dc6882317e2ba254c8a6db80f46

memory/2516-107-0x0000000002E00000-0x0000000002E01000-memory.dmp

\??\c:\f1a80ecaa29c45fc8ce0\graphics\SysReqMet.ico

MD5 661cbd315e9b23ba1ca19edab978f478
SHA1 605685c25d486c89f872296583e1dc2f20465a2b
SHA256 8bfc77c6d0f27f3d0625a884e0714698acc0094a92adcb6de46990735ae8f14d
SHA512 802cc019f07fd3b78fcefdc8404b3beb5d17bfc31bded90d42325a138762cc9f9ebfd1b170ec4bbcccf9b99773bd6c8916f2c799c54b22ff6d5edd9f388a67c6

\??\c:\f1a80ecaa29c45fc8ce0\graphics\SysReqNotMet.ico

MD5 ee2c05cc9d14c29f586d40eb90c610a9
SHA1 e571d82e81bd61b8fe4c9ecd08869a07918ac00b
SHA256 3c9c71950857ddb82baab83ed70c496dee8f20f3bc3216583dc1ddda68aefc73
SHA512 0f38fe9c97f2518186d5147d2c4a786b352fceca234410a94cc9d120974fc4be873e39956e10374da6e8e546aea5689e7fa0beed025687547c430e6ceffabffb

\??\c:\f1a80ecaa29c45fc8ce0\graphics\Rotate1.ico

MD5 26a00597735c5f504cf8b3e7e9a7a4c1
SHA1 d913cb26128d5ca1e1ac3dab782de363c9b89934
SHA256 37026c4ea2182d7908b3cf0cef8a6f72bddca5f1cfbc702f35b569ad689cf0af
SHA512 08cefc5a2b625f261668f70cc9e1536dc4878d332792c751884526e49e7fee1ecfa6fccfddf7be80910393421cc088c0fd0b0c27c7a7eff2ae03719e06022fdf

\??\c:\f1a80ecaa29c45fc8ce0\graphics\Rotate2.ico

MD5 8419caa81f2377e09b7f2f6218e505ae
SHA1 2cf5ad8c8da4f1a38aab433673f4dddc7ae380e9
SHA256 db89d8a45c369303c04988322b2774d2c7888da5250b4dab2846deef58a7de22
SHA512 74e504d2c3a8e82925110b7cfb45fde8a4e6df53a188e47cf22d664cbb805eba749d2db23456fc43a86e57c810bc3d9166e7c72468fbd736da6a776f8ca015d1

\??\c:\f1a80ecaa29c45fc8ce0\graphics\Rotate3.ico

MD5 924fd539523541d42dad43290e6c0db5
SHA1 19a161531a2c9dbc443b0f41b97cbde7375b8983
SHA256 02a7fe932029c6fa24d1c7cc06d08a27e84f43a0cbc47b7c43cac59424b3d1f6
SHA512 86a4c5d981370efa20183cc4a52c221467692e91539ac38c8def1cc200140f6f3d9412b6e62faf08ca6668df401d8b842c61b1f3c2a4c4570f3b2cec79c9ee8b

\??\c:\f1a80ecaa29c45fc8ce0\graphics\Rotate4.ico

MD5 bb55b5086a9da3097fb216c065d15709
SHA1 1206c708bd08231961f17da3d604a8956addccfe
SHA256 8d82ff7970c9a67da8134686560fe3a6c986a160ced9d1cc1392f2ba75c698ab
SHA512 de9226064680da6696976a4a320e08c41f73d127fbb81bf142048996df6206ddb1c2fe347c483cc8e0e50a00dab33db9261d03f1cd7ca757f5ca7bb84865fca9

\??\c:\f1a80ecaa29c45fc8ce0\graphics\Rotate5.ico

MD5 3b4861f93b465d724c60670b64fccfcf
SHA1 c672d63c62e00e24fbb40da96a0cc45b7c5ef7f0
SHA256 7237051d9af5db972a1fecf0b35cd8e9021471740782b0dbf60d3801dc9f5f75
SHA512 2e798b0c9e80f639571525f39c2f50838d5244eeda29b18a1fae6c15d939d5c8cd29f6785d234b54bda843a645d1a95c7339707991a81946b51f7e8d5ed40d2c

\??\c:\f1a80ecaa29c45fc8ce0\graphics\Rotate6.ico

MD5 70006bf18a39d258012875aefb92a3d1
SHA1 b47788f3f8c5c305982eb1d0e91c675ee02c7beb
SHA256 19abcedf93d790e19fb3379cb3b46371d3cbff48fe7e63f4fdcc2ac23a9943e4
SHA512 97fdbdd6efadbfb08161d8546299952470228a042bd2090cd49896bc31ccb7c73dab8f9de50cdaf6459f7f5c14206af7b90016deeb1220943d61c7324541fe2c

\??\c:\f1a80ecaa29c45fc8ce0\graphics\Rotate8.ico

MD5 d1c53003264dce4effaf462c807e2d96
SHA1 92562ad5876a5d0cb35e2d6736b635cb5f5a91d9
SHA256 5fb03593071a99c7b3803fe8424520b8b548b031d02f2a86e8f5412ac519723c
SHA512 c34f8c05a50dc0de644d1f9d97696cdb0a1961c7c7e412eb3df2fd57bbd34199cf802962ca6a4b5445a317d9c7875e86e8e62f6c1df8cc3415afc0bd26e285bd

\??\c:\f1a80ecaa29c45fc8ce0\graphics\Rotate7.ico

MD5 fb4dfebe83f554faf1a5cec033a804d9
SHA1 6c9e509a5d1d1b8d495bbc8f57387e1e7e193333
SHA256 4f46a9896de23a92d2b5f963bcfb3237c3e85da05b8f7660641b3d1d5afaae6f
SHA512 3caeb21177685b9054b64dec997371c4193458ff8607bce67e4fbe72c4af0e6808d344dd0d59d3d0f5ce00e4c2b8a4ffca0f7d9352b0014b9259d76d7f03d404

\??\c:\f1a80ecaa29c45fc8ce0\vc_red.cab

MD5 c2b6838431748d42e247c574a191b2c2
SHA1 f01c1a083c158d9470da3919b461938560e90874
SHA256 387e94a26165e4e5f035d89f9c6589a8a9d223978abbcc728b4c45c0115267a6
SHA512 5cf95c3cbe10a75360bc4d02840e196c919bcd2fd42ba86192d25d781d00e8019217a9c8829f51a2924d8c95bd48e06728a3530e3344000cac79c4b0e7faff91

\??\c:\f1a80ecaa29c45fc8ce0\vc_red.msi

MD5 8f21bc0dc9e66f8e9d94197ae76698b3
SHA1 b48a08fde80f739657b819b94602f861f3ff57a4
SHA256 5763364634bdb2097b6df6cde79ac5cce6069acecf27254c589e3cabffe53c2b
SHA512 88fd8870bc0f5dbdd2cb4a6a97cf4b1ab81d7ff77c2b2a4d1f6b34a730d0347a5022ecc8ca5b2e7c5f7c2cbe0486d5046cfafcb8167e001e1ac5e1797d03278a

\??\c:\f1a80ecaa29c45fc8ce0\msp_kb2565063.msp

MD5 905fcc526204ddf1e6650212abc3d848
SHA1 aded77f45b75d796cc4795263c826c822df5f0d9
SHA256 4cd45cf57644d49b4c8f96e4a0efdc46a5ba196fa4f5a10190f790ccc74bb1bf
SHA512 9470fcd540ea542936120782aa31abecaf5d20cadd13ff82ad346f78f95020958937beb2bfcf5ea4de92c978338f5a324e334229c79f8166c66a1465e191ba47
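The two vcredist runs (this one, x64, and behavioral11, x86) unpack into a random-named directory at the drive root and drop the same Setup.exe, SetupEngine.dll, sqmapi.dll, UiInfo.xml and DHTMLHeader.html byte for byte, while the per-package manifest ParameterInfo.xml and the generated HFI*.tmp.html UI page differ between the two. Every signature the runs fire (the Geo\Nation, CPU and BIOS registry reads, SeBackupPrivilege and SeRestorePrivilege, the sqm.microsoft.com lookup) is attributed to Setup.exe, which is what a Windows redistributable installer does while checking prerequisites and reporting telemetry. That is consistent with a stock Microsoft Visual C++ 2010 redistributable; it does not prove the copy in the archive is unmodified. The check to add is an Authenticode verification of vcredist_x64.exe, vcredist_x86.exe and the dropped Setup.exe (Get-AuthenticodeSignature in PowerShell), or a hash comparison against a copy obtained from Microsoft.

Below is an added example, not from the report, that turns these file listings into a deduplicated IOC set: it parses the path/hash records, strips the `\??\` NT-path prefix so that the same file is recognised under its different spellings, keys on SHA256, and reports which dropped files are shared by both runs, which are run-specific, and which records arrived without a SHA256 (the x86 ParameterInfo.xml entry on this page ends after its SHA1). The records are a subset copied from this page; the run labels are mine.

```python
import re
from collections import defaultdict

# Dropped-file records copied from this page: a subset of the behavioral10 (vcredist_x64) and
# behavioral11 (vcredist_x86) Files sections, keeping only the MD5/SHA1/SHA256 lines.
# The x86 ParameterInfo.xml record is reproduced exactly as the page has it: MD5 and SHA1 only.
RUN_X64 = r"""
C:\f1a80ecaa29c45fc8ce0\Setup.exe
MD5 2af2c1a78542975b12282aca4300d515
SHA256 531eb45798728cb741043b28b8c1a4f75536dc75f92d100f55f9109d2d63f0d7

\??\c:\f1a80ecaa29c45fc8ce0\SetupEngine.dll
MD5 63e7901d4fa7ac7766076720272060d0
SHA256 a5116ccb17b242713e5645c2374abf5827c0d2752b31553e3540c9123812e952

\??\c:\f1a80ecaa29c45fc8ce0\ParameterInfo.xml
MD5 5674d0bc3f4cdf572b9263332b2942c7
SHA256 cbe5b9a27b1dde70a9040790eaff798e6534ff1ec2b4702cc4be7221d18d2182

C:\Users\Admin\AppData\Local\Temp\HFIABC2.tmp.html
MD5 928b890fbe154e9991185b2be97f3d14
SHA256 d5e9bace0272213d1f64295aed00ef3399faa7d11e7e10d4e15417a8e17af8c3
"""

RUN_X86 = r"""
\0eb4c97e97b8b7c6d87e886f63770a\Setup.exe
MD5 2af2c1a78542975b12282aca4300d515
SHA256 531eb45798728cb741043b28b8c1a4f75536dc75f92d100f55f9109d2d63f0d7

\??\c:\0eb4c97e97b8b7c6d87e886f63770a\SetupEngine.dll
MD5 63e7901d4fa7ac7766076720272060d0
SHA256 a5116ccb17b242713e5645c2374abf5827c0d2752b31553e3540c9123812e952

C:\Users\Admin\AppData\Local\Temp\HFID8F2.tmp.html
MD5 891dbcfbbc24a6a753595a668b26131d
SHA256 01a26c4198cf5e96a0bf4d0563552260ca42c90bc347dadba44d1469e3f9e4d9

\??\c:\0eb4c97e97b8b7c6d87e886f63770a\ParameterInfo.xml
MD5 13f8768c289476fdd103ff689d73cd2d
SHA1 ddebcecc02c6b1b996423d62d0def8760f031f58
"""

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9A-Fa-f]+)$")
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def normalize_path(path: str) -> str:
    """Strip the NT '\\??\\' prefix the sandbox logs for some paths and lower-case the rest."""
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def parse_files(section: str, run: str) -> list:
    """Turn a 'path / hash lines / blank line' listing into one dict per dropped file."""
    records, current = [], None
    for raw in section.splitlines():
        line = raw.strip()
        if not line:
            current = None                 # a blank line ends the record
            continue
        m = HASH_LINE.match(line)
        if m and current is not None:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != DIGEST_LEN[algo]:   # a cut-off digest must not become an IOC
                raise ValueError(f"{run}: {current['path']}: truncated {algo} {digest!r}")
            current[algo.lower()] = digest
        else:                                # any other line starts a new record
            path = normalize_path(line)
            current = {"run": run, "path": path, "name": path.rsplit("\\", 1)[-1]}
            records.append(current)
    return records


def compare_runs(*runs) -> dict:
    """Group records by SHA256 and split them into shared, run-specific and unkeyable."""
    by_sha256, incomplete, run_names = defaultdict(set), [], set()
    for records in runs:
        for r in records:
            run_names.add(r["run"])
            if "sha256" in r:
                by_sha256[r["sha256"]].add((r["run"], r["name"]))
            else:                            # no SHA256 on the page: cannot be matched across runs
                incomplete.append((r["run"], r["name"], r.get("sha1") or r.get("md5")))
    shared = {h for h, owners in by_sha256.items() if {o[0] for o in owners} == run_names}
    unique = {h: sorted(owners) for h, owners in by_sha256.items() if h not in shared}
    return {"shared": shared, "unique": unique, "incomplete": incomplete, "iocs": sorted(by_sha256)}


def report() -> dict:
    return compare_runs(parse_files(RUN_X64, "x64"), parse_files(RUN_X86, "x86"))


if __name__ == "__main__":
    result = report()
    for h in sorted(result["shared"]):
        print("shared by both installers:", h)
    for h, owners in result["unique"].items():
        print("run-specific:", h, owners)
    for run, name, weak in result["incomplete"]:
        print("no SHA256 recorded:", run, name, "(strongest hash on page:", weak + ")")
```

The shared bucket is what to compare against a known-good redistributable; the run-specific bucket (the two `.tmp.html` pages and the manifests) is generated per installation and makes poor IOC material; the incomplete bucket is the reminder that a report cut off mid-record yields nothing you can block on.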

Analysis: behavioral18

Detonation Overview

Submitted

2024-11-03 05:03

Reported

2024-11-03 05:10

Platform

win10v2004-20241007-en

Max time kernel

144s

Max time network

160s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\fmod.dll",#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4608 wrote to memory of 2640 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4608 wrote to memory of 2640 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4608 wrote to memory of 2640 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\fmod.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\fmod.dll",#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2640 -ip 2640

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 672

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 99.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-11-03 05:03

Reported

2024-11-03 05:10

Platform

win7-20240903-en

Max time kernel

120s

Max time network

133s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\libtiff.dll",#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2536 wrote to memory of 1860 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2536 wrote to memory of 1860 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2536 wrote to memory of 1860 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2536 wrote to memory of 1860 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2536 wrote to memory of 1860 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2536 wrote to memory of 1860 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2536 wrote to memory of 1860 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\libtiff.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\libtiff.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-11-03 05:03

Reported

2024-11-03 05:10

Platform

win7-20240729-en

Max time kernel

121s

Max time network

137s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\msvcp100.dll",#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\msvcp100.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\msvcp100.dll",#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2404 -s 220

Network

N/A

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-11-03 05:03

Reported

2024-11-03 05:10

Platform

win7-20240708-en

Max time kernel

117s

Max time network

126s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\iconv.dll",#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\iconv.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\iconv.dll",#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 224

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-11-03 05:03

Reported

2024-11-03 05:10

Platform

win7-20241010-en

Max time kernel

118s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2010\vcredist_x86.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\0eb4c97e97b8b7c6d87e886f63770a\Setup.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2010\vcredist_x86.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\0eb4c97e97b8b7c6d87e886f63770a\Setup.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\0eb4c97e97b8b7c6d87e886f63770a\Setup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz \??\c:\0eb4c97e97b8b7c6d87e886f63770a\Setup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2010\vcredist_x86.exe

"C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2010\vcredist_x86.exe"

\??\c:\0eb4c97e97b8b7c6d87e886f63770a\Setup.exe

c:\0eb4c97e97b8b7c6d87e886f63770a\Setup.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 sqm.microsoft.com udp

Files

\0eb4c97e97b8b7c6d87e886f63770a\Setup.exe

\??\c:\0eb4c97e97b8b7c6d87e886f63770a\SetupEngine.dll

\??\c:\0eb4c97e97b8b7c6d87e886f63770a\sqmapi.dll

\??\c:\0eb4c97e97b8b7c6d87e886f63770a\DHTMLHeader.html

C:\Users\Admin\AppData\Local\Temp\HFID8F2.tmp.html

\??\c:\0eb4c97e97b8b7c6d87e886f63770a\UiInfo.xml

\??\c:\0eb4c97e97b8b7c6d87e886f63770a\ParameterInfo.xml

\??\c:\0eb4c97e97b8b7c6d87e886f63770a\1033\LocalizedData.xml

\??\c:\0eb4c97e97b8b7c6d87e886f63770a\1031\LocalizedData.xml

\??\c:\0eb4c97e97b8b7c6d87e886f63770a\1028\LocalizedData.xml

\??\c:\0eb4c97e97b8b7c6d87e886f63770a\1040\LocalizedData.xml

\??\c:\0eb4c97e97b8b7c6d87e886f63770a\1036\LocalizedData.xml

\??\c:\0eb4c97e97b8b7c6d87e886f63770a\1041\LocalizedData.xml

\??\c:\0eb4c97e97b8b7c6d87e886f63770a\1042\LocalizedData.xml

\??\c:\0eb4c97e97b8b7c6d87e886f63770a\1049\LocalizedData.xml

\??\c:\0eb4c97e97b8b7c6d87e886f63770a\2052\LocalizedData.xml

\??\c:\0eb4c97e97b8b7c6d87e886f63770a\3082\LocalizedData.xml

\??\c:\0eb4c97e97b8b7c6d87e886f63770a\SetupUi.dll

\??\c:\0eb4c97e97b8b7c6d87e886f63770a\SetupUi.xsd

\??\c:\0eb4c97e97b8b7c6d87e886f63770a\1033\SetupResources.dll

\??\c:\0eb4c97e97b8b7c6d87e886f63770a\Strings.xml

\??\c:\0eb4c97e97b8b7c6d87e886f63770a\graphics\print.ico

\??\c:\0eb4c97e97b8b7c6d87e886f63770a\watermark.bmp

\??\c:\0eb4c97e97b8b7c6d87e886f63770a\header.bmp

\??\c:\0eb4c97e97b8b7c6d87e886f63770a\graphics\setup.ico

\??\c:\0eb4c97e97b8b7c6d87e886f63770a\graphics\save.ico

memory/2840-108-0x00000000001F0000-0x00000000001F1000-memory.dmp

\??\c:\0eb4c97e97b8b7c6d87e886f63770a\graphics\SysReqMet.ico

\??\c:\0eb4c97e97b8b7c6d87e886f63770a\graphics\SysReqNotMet.ico

\??\c:\0eb4c97e97b8b7c6d87e886f63770a\graphics\Rotate1.ico

\??\c:\0eb4c97e97b8b7c6d87e886f63770a\graphics\Rotate2.ico

\??\c:\0eb4c97e97b8b7c6d87e886f63770a\graphics\Rotate3.ico

\??\c:\0eb4c97e97b8b7c6d87e886f63770a\graphics\Rotate6.ico

\??\c:\0eb4c97e97b8b7c6d87e886f63770a\graphics\Rotate8.ico

\??\c:\0eb4c97e97b8b7c6d87e886f63770a\graphics\Rotate7.ico

\??\c:\0eb4c97e97b8b7c6d87e886f63770a\graphics\Rotate5.ico

\??\c:\0eb4c97e97b8b7c6d87e886f63770a\graphics\Rotate4.ico

\??\c:\0eb4c97e97b8b7c6d87e886f63770a\vc_red.cab

\??\c:\0eb4c97e97b8b7c6d87e886f63770a\vc_red.msi

\??\c:\0eb4c97e97b8b7c6d87e886f63770a\msp_kb2565063.msp

Analysis: behavioral14

Detonation Overview

Submitted

2024-11-03 05:03

Reported

2024-11-03 05:10

Platform

win10v2004-20241007-en

Max time kernel

144s

Max time network

163s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2013\vcredist_x64.exe"

Signatures

Checks installed software on the system

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2013\vcredist_x64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2013\vcredist_x64.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2013\vcredist_x64.exe

"C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2013\vcredist_x64.exe"

C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2013\vcredist_x64.exe

"C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2013\vcredist_x64.exe" -burn.unelevated BurnPipe.{F8123394-8775-4A69-877A-C2F963508186} {6BE685EF-7D2A-4D3F-99F8-07A386531E92} 1468

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 174.117.168.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\.ba1\wixstdba.dll

C:\Users\Admin\AppData\Local\Temp\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\.ba1\logo.png

Analysis: behavioral32

Detonation Overview

Submitted

2024-11-03 05:03

Reported

2024-11-03 05:10

Platform

win10v2004-20241007-en

Max time kernel

138s

Max time network

161s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\msvcp100.dll",#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3020 wrote to memory of 740 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3020 wrote to memory of 740 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3020 wrote to memory of 740 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\msvcp100.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\msvcp100.dll",#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 740 -ip 740

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 604

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-03 05:03

Reported

2024-11-03 05:10

Platform

win7-20240729-en

Max time kernel

13s

Max time network

21s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\GAMESTORRENT.CO.url"

Signatures

N/A

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\GAMESTORRENT.CO.url"

Network

N/A

Files

memory/2500-0-0x0000000001FD0000-0x0000000001FD1000-memory.dmp

memory/2500-1-0x0000000001FD0000-0x0000000001FD1000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-11-03 05:03

Reported

2024-11-03 05:10

Platform

win7-20240903-en

Max time kernel

121s

Max time network

135s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\Resources\xStep.ps1"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\Resources\xStep.ps1"

Network

N/A

Files

memory/2172-4-0x000007FEF5DAE000-0x000007FEF5DAF000-memory.dmp

memory/2172-5-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

memory/2172-6-0x00000000026A0000-0x00000000026A8000-memory.dmp

memory/2172-7-0x000007FEF5AF0000-0x000007FEF648D000-memory.dmp

memory/2172-8-0x000007FEF5AF0000-0x000007FEF648D000-memory.dmp

memory/2172-9-0x000007FEF5AF0000-0x000007FEF648D000-memory.dmp

memory/2172-10-0x000007FEF5AF0000-0x000007FEF648D000-memory.dmp

memory/2172-11-0x000007FEF5AF0000-0x000007FEF648D000-memory.dmp

memory/2172-12-0x000007FEF5AF0000-0x000007FEF648D000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-11-03 05:03

Reported

2024-11-03 05:10

Platform

win10v2004-20241007-en

Max time kernel

138s

Max time network

161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2010\vcredist_x86.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation \??\c:\c29ed38b13685ba88fc590\Setup.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\c29ed38b13685ba88fc590\Setup.exe N/A

Checks system information in the registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer \??\c:\c29ed38b13685ba88fc590\Setup.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName \??\c:\c29ed38b13685ba88fc590\Setup.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2010\vcredist_x86.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\c29ed38b13685ba88fc590\Setup.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\c29ed38b13685ba88fc590\Setup.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\c29ed38b13685ba88fc590\Setup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz \??\c:\c29ed38b13685ba88fc590\Setup.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 \??\c:\c29ed38b13685ba88fc590\Setup.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS \??\c:\c29ed38b13685ba88fc590\Setup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU \??\c:\c29ed38b13685ba88fc590\Setup.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A \??\c:\c29ed38b13685ba88fc590\Setup.exe N/A
Token: SeBackupPrivilege N/A \??\c:\c29ed38b13685ba88fc590\Setup.exe N/A
Token: SeBackupPrivilege N/A \??\c:\c29ed38b13685ba88fc590\Setup.exe N/A
Token: SeBackupPrivilege N/A \??\c:\c29ed38b13685ba88fc590\Setup.exe N/A
Token: SeBackupPrivilege N/A \??\c:\c29ed38b13685ba88fc590\Setup.exe N/A
Token: SeBackupPrivilege N/A \??\c:\c29ed38b13685ba88fc590\Setup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2010\vcredist_x86.exe

"C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2010\vcredist_x86.exe"

\??\c:\c29ed38b13685ba88fc590\Setup.exe

c:\c29ed38b13685ba88fc590\Setup.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 sqm.microsoft.com udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 107.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

C:\c29ed38b13685ba88fc590\Setup.exe

C:\c29ed38b13685ba88fc590\SetupEngine.dll

C:\c29ed38b13685ba88fc590\sqmapi.dll

\??\c:\c29ed38b13685ba88fc590\DHTMLHeader.html

C:\Users\Admin\AppData\Local\Temp\Setup_20241103_050805532.html

\??\c:\c29ed38b13685ba88fc590\UiInfo.xml

\??\c:\c29ed38b13685ba88fc590\ParameterInfo.xml

\??\c:\c29ed38b13685ba88fc590\1033\LocalizedData.xml

\??\c:\c29ed38b13685ba88fc590\1028\LocalizedData.xml

\??\c:\c29ed38b13685ba88fc590\1031\LocalizedData.xml

\??\c:\c29ed38b13685ba88fc590\1036\LocalizedData.xml

\??\c:\c29ed38b13685ba88fc590\1040\LocalizedData.xml

\??\c:\c29ed38b13685ba88fc590\1041\LocalizedData.xml

\??\c:\c29ed38b13685ba88fc590\1042\LocalizedData.xml

\??\c:\c29ed38b13685ba88fc590\1049\LocalizedData.xml

\??\c:\c29ed38b13685ba88fc590\2052\LocalizedData.xml

\??\c:\c29ed38b13685ba88fc590\3082\LocalizedData.xml

\??\c:\c29ed38b13685ba88fc590\SetupUi.dll

\??\c:\c29ed38b13685ba88fc590\SetupUi.xsd

\??\c:\c29ed38b13685ba88fc590\1033\SetupResources.dll

\??\c:\c29ed38b13685ba88fc590\Strings.xml

\??\c:\c29ed38b13685ba88fc590\graphics\print.ico

\??\c:\c29ed38b13685ba88fc590\graphics\save.ico

\??\c:\c29ed38b13685ba88fc590\graphics\setup.ico

\??\c:\c29ed38b13685ba88fc590\header.bmp

\??\c:\c29ed38b13685ba88fc590\watermark.bmp

memory/688-107-0x0000000002BB0000-0x0000000002BB1000-memory.dmp

\??\c:\c29ed38b13685ba88fc590\graphics\SysReqMet.ico

\??\c:\c29ed38b13685ba88fc590\graphics\SysReqNotMet.ico

\??\c:\c29ed38b13685ba88fc590\graphics\Rotate1.ico

\??\c:\c29ed38b13685ba88fc590\graphics\Rotate6.ico

\??\c:\c29ed38b13685ba88fc590\graphics\Rotate7.ico

\??\c:\c29ed38b13685ba88fc590\graphics\Rotate5.ico

\??\c:\c29ed38b13685ba88fc590\graphics\Rotate4.ico

\??\c:\c29ed38b13685ba88fc590\graphics\Rotate3.ico

\??\c:\c29ed38b13685ba88fc590\graphics\Rotate2.ico

\??\c:\c29ed38b13685ba88fc590\graphics\Rotate8.ico

\??\c:\c29ed38b13685ba88fc590\vc_red.cab

\??\c:\c29ed38b13685ba88fc590\vc_red.msi

\??\c:\c29ed38b13685ba88fc590\msp_kb2565063.msp

Analysis: behavioral17

Detonation Overview

Submitted

2024-11-03 05:03

Reported

2024-11-03 05:10

Platform

win7-20241010-en

Max time kernel

121s

Max time network

146s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\fmod.dll",#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\fmod.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\fmod.dll",#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 240

Network

N/A

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-11-03 05:03

Reported

2024-11-03 05:10

Platform

win7-20240903-en

Max time kernel

121s

Max time network

133s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\libExtensions.dll",#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\libExtensions.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\libExtensions.dll",#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 260

Network

N/A

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-11-03 05:03

Reported

2024-11-03 05:10

Platform

win10v2004-20241007-en

Max time kernel

145s

Max time network

163s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\libcocos2d.dll",#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2944 wrote to memory of 1904 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2944 wrote to memory of 1904 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2944 wrote to memory of 1904 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\libcocos2d.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\libcocos2d.dll",#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1904 -ip 1904

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 644

Network

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-11-03 05:03

Reported

2024-11-03 05:10

Platform

win10v2004-20241007-en

Max time kernel

131s

Max time network

169s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\libcurl.dll",#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1032 wrote to memory of 2020 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1032 wrote to memory of 2020 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1032 wrote to memory of 2020 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\libcurl.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\libcurl.dll",#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2020 -ip 2020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 636

Network

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-11-03 05:03

Reported

2024-11-03 05:10

Platform

win7-20240903-en

Max time kernel

119s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2013\vcredist_x86.exe"

Signatures

Checks installed software on the system

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2013\vcredist_x86.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2013\vcredist_x86.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2796 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2013\vcredist_x86.exe C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2013\vcredist_x86.exe
PID 2796 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2013\vcredist_x86.exe C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2013\vcredist_x86.exe
PID 2796 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2013\vcredist_x86.exe C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2013\vcredist_x86.exe
PID 2796 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2013\vcredist_x86.exe C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2013\vcredist_x86.exe
PID 2796 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2013\vcredist_x86.exe C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2013\vcredist_x86.exe
PID 2796 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2013\vcredist_x86.exe C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2013\vcredist_x86.exe
PID 2796 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2013\vcredist_x86.exe C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2013\vcredist_x86.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2013\vcredist_x86.exe

"C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2013\vcredist_x86.exe"

C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2013\vcredist_x86.exe

"C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2013\vcredist_x86.exe" -burn.unelevated BurnPipe.{06BB7053-4417-4FD1-AF7A-94E4FF69FC2F} {16007753-B2C1-4418-96C1-397EC9AB5F9D} 2796

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\{f65db027-aff3-4070-886a-0d87064aabb1}\.ba1\wixstdba.dll

C:\Users\Admin\AppData\Local\Temp\{f65db027-aff3-4070-886a-0d87064aabb1}\.ba1\logo.png

Analysis: behavioral30

Detonation Overview

Submitted

2024-11-03 05:03

Reported

2024-11-03 05:10

Platform

win10v2004-20241007-en

Max time kernel

129s

Max time network

158s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\libtiff.dll",#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2516 wrote to memory of 2044 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2516 wrote to memory of 2044 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2516 wrote to memory of 2044 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\libtiff.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\libtiff.dll",#1

Network

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-11-03 05:03

Reported

2024-11-03 05:10

Platform

win10v2004-20241007-en

Max time kernel

145s

Max time network

158s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\Resources\xStep.ps1"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\Resources\xStep.ps1"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x444 0x4e8

Network

Files

memory/2876-0-0x00007FFE0FBE3000-0x00007FFE0FBE5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pjuitgss.t0r.ps1

memory/2876-10-0x0000016F7F810000-0x0000016F7F832000-memory.dmp

memory/2876-11-0x00007FFE0FBE0000-0x00007FFE106A1000-memory.dmp

memory/2876-12-0x00007FFE0FBE0000-0x00007FFE106A1000-memory.dmp

memory/2876-13-0x00007FFE0FBE0000-0x00007FFE106A1000-memory.dmp

memory/2876-16-0x00007FFE0FBE0000-0x00007FFE106A1000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-11-03 05:03

Reported

2024-11-03 05:09

Platform

win7-20240903-en

Max time kernel

118s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2010\vcredist_x64.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\4e11e994011483e76b906b9bc4e019\Setup.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2010\vcredist_x64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\4e11e994011483e76b906b9bc4e019\Setup.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\4e11e994011483e76b906b9bc4e019\Setup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz \??\c:\4e11e994011483e76b906b9bc4e019\Setup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2010\vcredist_x64.exe

"C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2010\vcredist_x64.exe"

\??\c:\4e11e994011483e76b906b9bc4e019\Setup.exe

c:\4e11e994011483e76b906b9bc4e019\Setup.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 sqm.microsoft.com udp

Files

\4e11e994011483e76b906b9bc4e019\Setup.exe

\??\c:\4e11e994011483e76b906b9bc4e019\SetupEngine.dll

\??\c:\4e11e994011483e76b906b9bc4e019\sqmapi.dll

\??\c:\4e11e994011483e76b906b9bc4e019\DHTMLHeader.html

C:\Users\Admin\AppData\Local\Temp\Setup_20241103_050715879.html

\??\c:\4e11e994011483e76b906b9bc4e019\UiInfo.xml

\??\c:\4e11e994011483e76b906b9bc4e019\ParameterInfo.xml

\??\c:\4e11e994011483e76b906b9bc4e019\1033\LocalizedData.xml

\??\c:\4e11e994011483e76b906b9bc4e019\1028\LocalizedData.xml

\??\c:\4e11e994011483e76b906b9bc4e019\1031\LocalizedData.xml

\??\c:\4e11e994011483e76b906b9bc4e019\1036\LocalizedData.xml

\??\c:\4e11e994011483e76b906b9bc4e019\1042\LocalizedData.xml

\??\c:\4e11e994011483e76b906b9bc4e019\1041\LocalizedData.xml

\??\c:\4e11e994011483e76b906b9bc4e019\1040\LocalizedData.xml

\??\c:\4e11e994011483e76b906b9bc4e019\1049\LocalizedData.xml

\??\c:\4e11e994011483e76b906b9bc4e019\3082\LocalizedData.xml

\??\c:\4e11e994011483e76b906b9bc4e019\2052\LocalizedData.xml

\??\c:\4e11e994011483e76b906b9bc4e019\SetupUi.dll

\??\c:\4e11e994011483e76b906b9bc4e019\SetupUi.xsd

\??\c:\4e11e994011483e76b906b9bc4e019\Strings.xml

\4e11e994011483e76b906b9bc4e019\1033\SetupResources.dll

\??\c:\4e11e994011483e76b906b9bc4e019\header.bmp

\??\c:\4e11e994011483e76b906b9bc4e019\graphics\setup.ico

\??\c:\4e11e994011483e76b906b9bc4e019\graphics\save.ico

\??\c:\4e11e994011483e76b906b9bc4e019\graphics\print.ico

\??\c:\4e11e994011483e76b906b9bc4e019\watermark.bmp

memory/2996-108-0x0000000000170000-0x0000000000171000-memory.dmp

\??\c:\4e11e994011483e76b906b9bc4e019\graphics\SysReqMet.ico

MD5 661cbd315e9b23ba1ca19edab978f478
SHA1 605685c25d486c89f872296583e1dc2f20465a2b
SHA256 8bfc77c6d0f27f3d0625a884e0714698acc0094a92adcb6de46990735ae8f14d
SHA512 802cc019f07fd3b78fcefdc8404b3beb5d17bfc31bded90d42325a138762cc9f9ebfd1b170ec4bbcccf9b99773bd6c8916f2c799c54b22ff6d5edd9f388a67c6

\??\c:\4e11e994011483e76b906b9bc4e019\graphics\SysReqNotMet.ico

MD5 ee2c05cc9d14c29f586d40eb90c610a9
SHA1 e571d82e81bd61b8fe4c9ecd08869a07918ac00b
SHA256 3c9c71950857ddb82baab83ed70c496dee8f20f3bc3216583dc1ddda68aefc73
SHA512 0f38fe9c97f2518186d5147d2c4a786b352fceca234410a94cc9d120974fc4be873e39956e10374da6e8e546aea5689e7fa0beed025687547c430e6ceffabffb

\??\c:\4e11e994011483e76b906b9bc4e019\graphics\Rotate1.ico

MD5 26a00597735c5f504cf8b3e7e9a7a4c1
SHA1 d913cb26128d5ca1e1ac3dab782de363c9b89934
SHA256 37026c4ea2182d7908b3cf0cef8a6f72bddca5f1cfbc702f35b569ad689cf0af
SHA512 08cefc5a2b625f261668f70cc9e1536dc4878d332792c751884526e49e7fee1ecfa6fccfddf7be80910393421cc088c0fd0b0c27c7a7eff2ae03719e06022fdf

\??\c:\4e11e994011483e76b906b9bc4e019\graphics\Rotate2.ico

MD5 8419caa81f2377e09b7f2f6218e505ae
SHA1 2cf5ad8c8da4f1a38aab433673f4dddc7ae380e9
SHA256 db89d8a45c369303c04988322b2774d2c7888da5250b4dab2846deef58a7de22
SHA512 74e504d2c3a8e82925110b7cfb45fde8a4e6df53a188e47cf22d664cbb805eba749d2db23456fc43a86e57c810bc3d9166e7c72468fbd736da6a776f8ca015d1

\??\c:\4e11e994011483e76b906b9bc4e019\graphics\Rotate4.ico

MD5 bb55b5086a9da3097fb216c065d15709
SHA1 1206c708bd08231961f17da3d604a8956addccfe
SHA256 8d82ff7970c9a67da8134686560fe3a6c986a160ced9d1cc1392f2ba75c698ab
SHA512 de9226064680da6696976a4a320e08c41f73d127fbb81bf142048996df6206ddb1c2fe347c483cc8e0e50a00dab33db9261d03f1cd7ca757f5ca7bb84865fca9

\??\c:\4e11e994011483e76b906b9bc4e019\graphics\Rotate3.ico

MD5 924fd539523541d42dad43290e6c0db5
SHA1 19a161531a2c9dbc443b0f41b97cbde7375b8983
SHA256 02a7fe932029c6fa24d1c7cc06d08a27e84f43a0cbc47b7c43cac59424b3d1f6
SHA512 86a4c5d981370efa20183cc4a52c221467692e91539ac38c8def1cc200140f6f3d9412b6e62faf08ca6668df401d8b842c61b1f3c2a4c4570f3b2cec79c9ee8b

\??\c:\4e11e994011483e76b906b9bc4e019\graphics\Rotate5.ico

MD5 3b4861f93b465d724c60670b64fccfcf
SHA1 c672d63c62e00e24fbb40da96a0cc45b7c5ef7f0
SHA256 7237051d9af5db972a1fecf0b35cd8e9021471740782b0dbf60d3801dc9f5f75
SHA512 2e798b0c9e80f639571525f39c2f50838d5244eeda29b18a1fae6c15d939d5c8cd29f6785d234b54bda843a645d1a95c7339707991a81946b51f7e8d5ed40d2c

\??\c:\4e11e994011483e76b906b9bc4e019\graphics\Rotate6.ico

MD5 70006bf18a39d258012875aefb92a3d1
SHA1 b47788f3f8c5c305982eb1d0e91c675ee02c7beb
SHA256 19abcedf93d790e19fb3379cb3b46371d3cbff48fe7e63f4fdcc2ac23a9943e4
SHA512 97fdbdd6efadbfb08161d8546299952470228a042bd2090cd49896bc31ccb7c73dab8f9de50cdaf6459f7f5c14206af7b90016deeb1220943d61c7324541fe2c

\??\c:\4e11e994011483e76b906b9bc4e019\graphics\Rotate7.ico

MD5 fb4dfebe83f554faf1a5cec033a804d9
SHA1 6c9e509a5d1d1b8d495bbc8f57387e1e7e193333
SHA256 4f46a9896de23a92d2b5f963bcfb3237c3e85da05b8f7660641b3d1d5afaae6f
SHA512 3caeb21177685b9054b64dec997371c4193458ff8607bce67e4fbe72c4af0e6808d344dd0d59d3d0f5ce00e4c2b8a4ffca0f7d9352b0014b9259d76d7f03d404

\??\c:\4e11e994011483e76b906b9bc4e019\graphics\Rotate8.ico

MD5 d1c53003264dce4effaf462c807e2d96
SHA1 92562ad5876a5d0cb35e2d6736b635cb5f5a91d9
SHA256 5fb03593071a99c7b3803fe8424520b8b548b031d02f2a86e8f5412ac519723c
SHA512 c34f8c05a50dc0de644d1f9d97696cdb0a1961c7c7e412eb3df2fd57bbd34199cf802962ca6a4b5445a317d9c7875e86e8e62f6c1df8cc3415afc0bd26e285bd

\??\c:\4e11e994011483e76b906b9bc4e019\vc_red.cab

MD5 c2b6838431748d42e247c574a191b2c2
SHA1 f01c1a083c158d9470da3919b461938560e90874
SHA256 387e94a26165e4e5f035d89f9c6589a8a9d223978abbcc728b4c45c0115267a6
SHA512 5cf95c3cbe10a75360bc4d02840e196c919bcd2fd42ba86192d25d781d00e8019217a9c8829f51a2924d8c95bd48e06728a3530e3344000cac79c4b0e7faff91

\??\c:\4e11e994011483e76b906b9bc4e019\vc_red.msi

MD5 8f21bc0dc9e66f8e9d94197ae76698b3
SHA1 b48a08fde80f739657b819b94602f861f3ff57a4
SHA256 5763364634bdb2097b6df6cde79ac5cce6069acecf27254c589e3cabffe53c2b
SHA512 88fd8870bc0f5dbdd2cb4a6a97cf4b1ab81d7ff77c2b2a4d1f6b34a730d0347a5022ecc8ca5b2e7c5f7c2cbe0486d5046cfafcb8167e001e1ac5e1797d03278a

\??\c:\4e11e994011483e76b906b9bc4e019\msp_kb2565063.msp

MD5 905fcc526204ddf1e6650212abc3d848
SHA1 aded77f45b75d796cc4795263c826c822df5f0d9
SHA256 4cd45cf57644d49b4c8f96e4a0efdc46a5ba196fa4f5a10190f790ccc74bb1bf
SHA512 9470fcd540ea542936120782aa31abecaf5d20cadd13ff82ad346f78f95020958937beb2bfcf5ea4de92c978338f5a324e334229c79f8166c66a1465e191ba47

Analysis: behavioral13

Detonation Overview

Submitted

2024-11-03 05:03

Reported

2024-11-03 05:10

Platform

win7-20240708-en

Max time kernel

121s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2013\vcredist_x64.exe"

Signatures

Checks installed software on the system

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2013\vcredist_x64.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2212 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2013\vcredist_x64.exe C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2013\vcredist_x64.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2013\vcredist_x64.exe

"C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2013\vcredist_x64.exe"

C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2013\vcredist_x64.exe

"C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2013\vcredist_x64.exe" -burn.unelevated BurnPipe.{FEEE4763-EA21-4AAB-8E68-F99E8F0B8B77} {4272A91B-382B-42F9-957F-BC5E5BF47C13} 2212

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\.ba1\wixstdba.dll

MD5 a52e5220efb60813b31a82d101a97dcb
SHA1 56e16e4df0944cb07e73a01301886644f062d79b
SHA256 e7c8e7edd9112137895820e789baaaeca41626b01fb99fede82968ddb66d02cf
SHA512 d6565ba18b5b9795d6bde3ef94d8f7cd77bf8bb69ba3fe7adefb80fc7c5d888cdfdc79238d86a0839846aea4a1e51fc0caed3d62f7054885e8b15fad9f6c654e

C:\Users\Admin\AppData\Local\Temp\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\.ba1\logo.png

MD5 d6bd210f227442b3362493d046cea233
SHA1 ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
SHA256 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
SHA512 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Analysis: behavioral19

Detonation Overview

Submitted

2024-11-03 05:03

Reported

2024-11-03 05:10

Platform

win7-20240903-en

Max time kernel

118s

Max time network

129s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\glew32.dll",#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\glew32.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\glew32.dll",#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 780 -s 244

Network

N/A

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-11-03 05:03

Reported

2024-11-03 05:10

Platform

win10v2004-20241007-en

Max time kernel

138s

Max time network

172s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\glew32.dll",#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1756 wrote to memory of 4216 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\glew32.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\glew32.dll",#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4216 -ip 4216

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4216 -s 620

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-11-03 05:03

Reported

2024-11-03 05:10

Platform

win7-20240903-en

Max time kernel

119s

Max time network

129s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\libcurl.dll",#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\libcurl.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\libcurl.dll",#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1576 -s 228

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-03 05:03

Reported

2024-11-03 05:10

Platform

win7-20240903-en

Max time kernel

122s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\GeometryDash.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\GeometryDash.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\GeometryDash.exe

"C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\GeometryDash.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2688 -s 340

Network

N/A

Files

memory/2688-0-0x0000000074270000-0x0000000074321000-memory.dmp

memory/2688-3-0x0000000074270000-0x0000000074321000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-03 05:03

Reported

2024-11-03 05:10

Platform

win10v2004-20241007-en

Max time kernel

139s

Max time network

167s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\GeometryDash.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\GeometryDash.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\GeometryDash.exe

"C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\GeometryDash.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3020 -ip 3020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 1040

Network

Country Destination Domain Proto

Files

memory/3020-0-0x0000000074EE0000-0x0000000074F91000-memory.dmp

memory/3020-3-0x0000000074EE0000-0x0000000074F91000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-03 05:03

Reported

2024-11-03 05:10

Platform

win7-20241010-en

Max time kernel

13s

Max time network

24s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\IGG-GAMES.COM.url"

Signatures

N/A

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\IGG-GAMES.COM.url"

Network

N/A

Files

memory/2792-0-0x0000000000200000-0x0000000000201000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2024-11-03 05:03

Reported

2024-11-03 05:10

Platform

win10v2004-20241007-en

Max time kernel

146s

Max time network

161s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\iconv.dll",#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1924 wrote to memory of 1948 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\iconv.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\iconv.dll",#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1948 -ip 1948

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 600

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-11-03 05:03

Reported

2024-11-03 05:10

Platform

win10v2004-20241007-en

Max time kernel

139s

Max time network

162s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\libExtensions.dll",#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3940 wrote to memory of 4112 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\libExtensions.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\libExtensions.dll",#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4112 -ip 4112

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 644

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-03 05:03

Reported

2024-11-03 05:10

Platform

win10v2004-20241007-en

Max time kernel

145s

Max time network

162s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\GAMESTORRENT.CO.url"

Signatures

N/A

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\GAMESTORRENT.CO.url"

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-11-03 05:03

Reported

2024-11-03 05:10

Platform

win10v2004-20241007-en

Max time kernel

139s

Max time network

167s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2013\vcredist_x86.exe"

Signatures

Checks installed software on the system

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2013\vcredist_x86.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2013\vcredist_x86.exe

"C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2013\vcredist_x86.exe"

C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2013\vcredist_x86.exe

"C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2013\vcredist_x86.exe" -burn.unelevated BurnPipe.{B681A8BC-3F72-45A6-AB9A-45C0AA778913} {4C796837-D8F0-4E03-A51A-0C4D546CEE4D} 1072

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\{f65db027-aff3-4070-886a-0d87064aabb1}\.ba1\wixstdba.dll

MD5 a52e5220efb60813b31a82d101a97dcb
SHA1 56e16e4df0944cb07e73a01301886644f062d79b
SHA256 e7c8e7edd9112137895820e789baaaeca41626b01fb99fede82968ddb66d02cf
SHA512 d6565ba18b5b9795d6bde3ef94d8f7cd77bf8bb69ba3fe7adefb80fc7c5d888cdfdc79238d86a0839846aea4a1e51fc0caed3d62f7054885e8b15fad9f6c654e

C:\Users\Admin\AppData\Local\Temp\{f65db027-aff3-4070-886a-0d87064aabb1}\.ba1\logo.png

MD5 d6bd210f227442b3362493d046cea233
SHA1 ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
SHA256 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
SHA512 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b