Analysis Overview
SHA256
c2d75b3ef16d7c865a6b7dee6464a94cd3bcd27dbf595abf238fa7a86fd3f08e
Threat Level: Shows suspicious behavior
The file Geometry Dash 2.11 Funcional by Davoxt.zip was found to show suspicious behavior.
Malicious Activity Summary
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
ACProtect 1.3x - 1.4x DLL software
Checks installed software on the system
Checks system information in the registry
Unsigned PE
Program crash
Command and Scripting Interpreter: PowerShell
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-03 05:05
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral25
Detonation Overview
Submitted
2024-11-03 05:03
Reported
2024-11-03 05:10
Platform
win7-20241023-en
Max time kernel
119s
Max time network
136s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\libcocos2d.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\libcocos2d.dll",#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 252
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-11-03 05:03
Reported
2024-11-03 05:10
Platform
win10v2004-20241007-en
Max time kernel
137s
Max time network
167s
Command Line
Signatures
Processes
C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\IGG-GAMES.COM.url"
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-11-03 05:03
Reported
2024-11-03 05:10
Platform
win10v2004-20241007-en
Max time kernel
143s
Max time network
160s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | \??\c:\f1a80ecaa29c45fc8ce0\Setup.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\f1a80ecaa29c45fc8ce0\Setup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\f1a80ecaa29c45fc8ce0\Setup.exe | N/A |
Checks system information in the registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | \??\c:\f1a80ecaa29c45fc8ce0\Setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | \??\c:\f1a80ecaa29c45fc8ce0\Setup.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2010\vcredist_x64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\f1a80ecaa29c45fc8ce0\Setup.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | \??\c:\f1a80ecaa29c45fc8ce0\Setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\f1a80ecaa29c45fc8ce0\Setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | \??\c:\f1a80ecaa29c45fc8ce0\Setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | \??\c:\f1a80ecaa29c45fc8ce0\Setup.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | \??\c:\f1a80ecaa29c45fc8ce0\Setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | \??\c:\f1a80ecaa29c45fc8ce0\Setup.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\f1a80ecaa29c45fc8ce0\Setup.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | \??\c:\f1a80ecaa29c45fc8ce0\Setup.exe | N/A |
| Token: SeBackupPrivilege | N/A | \??\c:\f1a80ecaa29c45fc8ce0\Setup.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1668 wrote to memory of 2516 | N/A | C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2010\vcredist_x64.exe | \??\c:\f1a80ecaa29c45fc8ce0\Setup.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2010\vcredist_x64.exe
"C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2010\vcredist_x64.exe"
\??\c:\f1a80ecaa29c45fc8ce0\Setup.exe
c:\f1a80ecaa29c45fc8ce0\Setup.exe
Network
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-11-03 05:03
Reported
2024-11-03 05:10
Platform
win10v2004-20241007-en
Max time kernel
144s
Max time network
160s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4608 wrote to memory of 2640 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\fmod.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\fmod.dll",#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2640 -ip 2640
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 672
Network
Files
Analysis: behavioral29
Detonation Overview
Submitted
2024-11-03 05:03
Reported
2024-11-03 05:10
Platform
win7-20240903-en
Max time kernel
120s
Max time network
133s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2536 wrote to memory of 1860 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\libtiff.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\libtiff.dll",#1
Network
Files
Analysis: behavioral31
Detonation Overview
Submitted
2024-11-03 05:03
Reported
2024-11-03 05:10
Platform
win7-20240729-en
Max time kernel
121s
Max time network
137s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\msvcp100.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\msvcp100.dll",#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2404 -s 220
Network
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-11-03 05:03
Reported
2024-11-03 05:10
Platform
win7-20240708-en
Max time kernel
117s
Max time network
126s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\iconv.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\iconv.dll",#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 224
Network
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-11-03 05:03
Reported
2024-11-03 05:10
Platform
win7-20241010-en
Max time kernel
118s
Max time network
131s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\0eb4c97e97b8b7c6d87e886f63770a\Setup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2010\vcredist_x86.exe | N/A |
| N/A | N/A | \??\c:\0eb4c97e97b8b7c6d87e886f63770a\Setup.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2010\vcredist_x86.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\0eb4c97e97b8b7c6d87e886f63770a\Setup.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\0eb4c97e97b8b7c6d87e886f63770a\Setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | \??\c:\0eb4c97e97b8b7c6d87e886f63770a\Setup.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\0eb4c97e97b8b7c6d87e886f63770a\Setup.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2010\vcredist_x86.exe
"C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2010\vcredist_x86.exe"
\??\c:\0eb4c97e97b8b7c6d87e886f63770a\Setup.exe
c:\0eb4c97e97b8b7c6d87e886f63770a\Setup.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | sqm.microsoft.com | udp |
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-11-03 05:03
Reported
2024-11-03 05:10
Platform
win10v2004-20241007-en
Max time kernel
144s
Max time network
163s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2013\vcredist_x64.exe | N/A |
Checks installed software on the system
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2013\vcredist_x64.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2013\vcredist_x64.exe
"C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2013\vcredist_x64.exe"
C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2013\vcredist_x64.exe
"C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2013\vcredist_x64.exe" -burn.unelevated BurnPipe.{F8123394-8775-4A69-877A-C2F963508186} {6BE685EF-7D2A-4D3F-99F8-07A386531E92} 1468
Network
Files
Analysis: behavioral32
Detonation Overview
Submitted
2024-11-03 05:03
Reported
2024-11-03 05:10
Platform
win10v2004-20241007-en
Max time kernel
138s
Max time network
161s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3020 wrote to memory of 740 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\msvcp100.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\msvcp100.dll",#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 740 -ip 740
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 604
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-03 05:03
Reported
2024-11-03 05:10
Platform
win7-20240729-en
Max time kernel
13s
Max time network
21s
Command Line
Signatures
Processes
C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\GAMESTORRENT.CO.url"
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-11-03 05:03
Reported
2024-11-03 05:10
Platform
win7-20240903-en
Max time kernel
121s
Max time network
135s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\Resources\xStep.ps1"
Network
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-11-03 05:03
Reported
2024-11-03 05:10
Platform
win10v2004-20241007-en
Max time kernel
138s
Max time network
161s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | \??\c:\c29ed38b13685ba88fc590\Setup.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\c29ed38b13685ba88fc590\Setup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\c29ed38b13685ba88fc590\Setup.exe | N/A |
Checks system information in the registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | \??\c:\c29ed38b13685ba88fc590\Setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | \??\c:\c29ed38b13685ba88fc590\Setup.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2010\vcredist_x86.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\c29ed38b13685ba88fc590\Setup.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | \??\c:\c29ed38b13685ba88fc590\Setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\c29ed38b13685ba88fc590\Setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | \??\c:\c29ed38b13685ba88fc590\Setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | \??\c:\c29ed38b13685ba88fc590\Setup.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | \??\c:\c29ed38b13685ba88fc590\Setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | \??\c:\c29ed38b13685ba88fc590\Setup.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\c29ed38b13685ba88fc590\Setup.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | \??\c:\c29ed38b13685ba88fc590\Setup.exe | N/A |
| Token: SeBackupPrivilege | N/A | \??\c:\c29ed38b13685ba88fc590\Setup.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 380 wrote to memory of 688 | N/A | C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2010\vcredist_x86.exe | \??\c:\c29ed38b13685ba88fc590\Setup.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2010\vcredist_x86.exe
"C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2010\vcredist_x86.exe"
\??\c:\c29ed38b13685ba88fc590\Setup.exe
c:\c29ed38b13685ba88fc590\Setup.exe
Network
Files
| SHA512 | 2180e46a5a2ea1f59c879b729806ca02a232c66660f29c338c1fa7fbee2afa4b13d8777d1f7b63cf831eb42f3e55282d70aa8e53f40616b8a6e4d695c36e313d |
\??\c:\c29ed38b13685ba88fc590\2052\LocalizedData.xml
| MD5 | 52b1dc12ce4153aa759fb3bbe04d01fc |
| SHA1 | bf21f8591c473d1fce68a9faf1e5942f486f6eba |
| SHA256 | d1735c8cfd8e10ba019d70818c19fa865e7c72f30ab6421a3748408f85fb96c3 |
| SHA512 | 418903ae9a7baebf73d055e4774ff1917fbaab9ee7ed8c120c34bb10e7303f6dd7b7dae701596d4626387a30ae1b4d329a9af49b8718b360e2ff619c56c19623 |
\??\c:\c29ed38b13685ba88fc590\3082\LocalizedData.xml
| MD5 | 5397a12d466d55d566b4209e0e4f92d3 |
| SHA1 | fcffd8961fb487995543fc173521fdf5df6e243b |
| SHA256 | f124d318138ff084b6484deb354cca0f72296e1341bf01169792b3e060c89e89 |
| SHA512 | 7708f5a2ad3e4c90c4c216600435af87a1557f60caf880a3dd9b5f482e17399af9f0b9de03ff1dbdd210583e0fec5b466e35794ac24d6d37f9bbc094e52fc77b |
\??\c:\c29ed38b13685ba88fc590\SetupUi.dll
| MD5 | 0d214ced87bf0b55883359160a68dacb |
| SHA1 | a60526505d56d447c6bbde03da980db67062c4c6 |
| SHA256 | 29cf99d7e67b4c54bafd109577a385387a39301bcdec8ae4ba1a8a0044306713 |
| SHA512 | d9004ebd42d4aa7d13343b3746cf454ca1a5144f7b0f437f1a31639cc6bd90c5dd3385612df926bf53c3ef85cfe33756c067cb757fff257d674a10d638fc03c5 |
\??\c:\c29ed38b13685ba88fc590\SetupUi.xsd
| MD5 | 2fadd9e618eff8175f2a6e8b95c0cacc |
| SHA1 | 9ab1710a217d15b192188b19467932d947b0a4f8 |
| SHA256 | 222211e8f512edf97d78bc93e1f271c922d5e91fa899e092b4a096776a704093 |
| SHA512 | a3a934a8572ff9208d38cf381649bd83de227c44b735489fd2a9dc5a636ead9bb62459c9460ee53f61f0587a494877cd3a3c2611997be563f3137f8236ffc4ca |
\??\c:\c29ed38b13685ba88fc590\1033\SetupResources.dll
| MD5 | 0b4e76baf52d580f657f91972196cd91 |
| SHA1 | e6ac8f80ab8ade18ac7e834ac6d0536bb483988c |
| SHA256 | 74a7767d8893dcc1a745522d5a509561162f95bc9e8bcc3056f37a367dba64a4 |
| SHA512 | ed53292c549d09da9118e944a646aa5dc0a6231811eafcda4258c892b218bcf3e0363a2c974868d2d2722155983c5dc8e29bed36d58e566e1695e23ce07fea87 |
\??\c:\c29ed38b13685ba88fc590\Strings.xml
| MD5 | 332adf643747297b9bfa9527eaefe084 |
| SHA1 | 670f933d778eca39938a515a39106551185205e9 |
| SHA256 | e49545feeae22198728ad04236e31e02035af7cc4d68e10cbecffd08669cbeca |
| SHA512 | bea95ce35c4c37b4b2e36cc1e81fc297cc4a8e17b93f10423a02b015ddb593064541b5eb7003560fbeee512ed52869a113a6fb439c1133af01f884a0db0344b0 |
\??\c:\c29ed38b13685ba88fc590\graphics\print.ico
| MD5 | 7e55ddc6d611176e697d01c90a1212cf |
| SHA1 | e2620da05b8e4e2360da579a7be32c1b225deb1b |
| SHA256 | ff542e32330b123486797b410621e19eafb39df3997e14701afa4c22096520ed |
| SHA512 | 283d381aa396820b7e15768b20099d67688da1f6315ec9f7938c2fcc3167777502cded0d1beddf015a34cc4e5d045bcb665ffd28ba2fbb6faf50fdd38b31d16e |
\??\c:\c29ed38b13685ba88fc590\graphics\save.ico
| MD5 | 7d62e82d960a938c98da02b1d5201bd5 |
| SHA1 | 194e96b0440bf8631887e5e9d3cc485f8e90fbf5 |
| SHA256 | ae041c8764f56fd89277b34982145d16fc59a4754d261c861b19371c3271c6e5 |
| SHA512 | ab06b2605f0c1f6b71ef69563c0c977d06c6ea84d58ef7f2baecba566d6037d1458c2b58e6bfd70ddef47dccbdea6d9c2f2e46dea67ea9e92457f754d7042f67 |
\??\c:\c29ed38b13685ba88fc590\graphics\setup.ico
| MD5 | 3d25d679e0ff0b8c94273dcd8b07049d |
| SHA1 | a517fc5e96bc68a02a44093673ee7e076ad57308 |
| SHA256 | 288e9ad8f0201e45bc187839f15aca79d6b9f76a7d3c9274c80f5d4a4c219c0f |
| SHA512 | 3bde668004ca7e28390862d0ae9903c756c16255bdbb3f7e73a5b093ce6a57a3165d6797b0a643b254493149231aca7f7f03e0af15a0cbe28aff02f0071ec255 |
\??\c:\c29ed38b13685ba88fc590\header.bmp
| MD5 | 3ad1a8c3b96993bcdf45244be2c00eef |
| SHA1 | 308f98e199f74a43d325115a8e7072d5f2c6202d |
| SHA256 | 133b86a4f1c67a159167489fdaeab765bfa1050c23a7ae6d5c517188fb45f94a |
| SHA512 | 133442c4a65269f817675adf01adcf622e509aa7ec7583bca8cd9a7eb6018d2aab56066054f75657038efb947cd3b3e5dc4fe7f0863c8b3b1770a8fa4fe2e658 |
\??\c:\c29ed38b13685ba88fc590\watermark.bmp
| MD5 | 1a5caafacfc8c7766e404d019249cf67 |
| SHA1 | 35d4878db63059a0f25899f4be00b41f430389bf |
| SHA256 | 2e87d5742413254db10f7bd0762b6cdb98ff9c46ca9acddfd9b1c2e5418638f2 |
| SHA512 | 202c13ded002d234117f08b18ca80d603246e6a166e18ba422e30d394ada7e47153dd3cce9728affe97128fdd797fe6302c74dc6882317e2ba254c8a6db80f46 |
memory/688-107-0x0000000002BB0000-0x0000000002BB1000-memory.dmp
\??\c:\c29ed38b13685ba88fc590\graphics\SysReqMet.ico
| MD5 | 661cbd315e9b23ba1ca19edab978f478 |
| SHA1 | 605685c25d486c89f872296583e1dc2f20465a2b |
| SHA256 | 8bfc77c6d0f27f3d0625a884e0714698acc0094a92adcb6de46990735ae8f14d |
| SHA512 | 802cc019f07fd3b78fcefdc8404b3beb5d17bfc31bded90d42325a138762cc9f9ebfd1b170ec4bbcccf9b99773bd6c8916f2c799c54b22ff6d5edd9f388a67c6 |
\??\c:\c29ed38b13685ba88fc590\graphics\SysReqNotMet.ico
| MD5 | ee2c05cc9d14c29f586d40eb90c610a9 |
| SHA1 | e571d82e81bd61b8fe4c9ecd08869a07918ac00b |
| SHA256 | 3c9c71950857ddb82baab83ed70c496dee8f20f3bc3216583dc1ddda68aefc73 |
| SHA512 | 0f38fe9c97f2518186d5147d2c4a786b352fceca234410a94cc9d120974fc4be873e39956e10374da6e8e546aea5689e7fa0beed025687547c430e6ceffabffb |
\??\c:\c29ed38b13685ba88fc590\graphics\Rotate1.ico
| MD5 | 26a00597735c5f504cf8b3e7e9a7a4c1 |
| SHA1 | d913cb26128d5ca1e1ac3dab782de363c9b89934 |
| SHA256 | 37026c4ea2182d7908b3cf0cef8a6f72bddca5f1cfbc702f35b569ad689cf0af |
| SHA512 | 08cefc5a2b625f261668f70cc9e1536dc4878d332792c751884526e49e7fee1ecfa6fccfddf7be80910393421cc088c0fd0b0c27c7a7eff2ae03719e06022fdf |
\??\c:\c29ed38b13685ba88fc590\graphics\Rotate6.ico
| MD5 | 70006bf18a39d258012875aefb92a3d1 |
| SHA1 | b47788f3f8c5c305982eb1d0e91c675ee02c7beb |
| SHA256 | 19abcedf93d790e19fb3379cb3b46371d3cbff48fe7e63f4fdcc2ac23a9943e4 |
| SHA512 | 97fdbdd6efadbfb08161d8546299952470228a042bd2090cd49896bc31ccb7c73dab8f9de50cdaf6459f7f5c14206af7b90016deeb1220943d61c7324541fe2c |
\??\c:\c29ed38b13685ba88fc590\graphics\Rotate7.ico
| MD5 | fb4dfebe83f554faf1a5cec033a804d9 |
| SHA1 | 6c9e509a5d1d1b8d495bbc8f57387e1e7e193333 |
| SHA256 | 4f46a9896de23a92d2b5f963bcfb3237c3e85da05b8f7660641b3d1d5afaae6f |
| SHA512 | 3caeb21177685b9054b64dec997371c4193458ff8607bce67e4fbe72c4af0e6808d344dd0d59d3d0f5ce00e4c2b8a4ffca0f7d9352b0014b9259d76d7f03d404 |
\??\c:\c29ed38b13685ba88fc590\graphics\Rotate5.ico
| MD5 | 3b4861f93b465d724c60670b64fccfcf |
| SHA1 | c672d63c62e00e24fbb40da96a0cc45b7c5ef7f0 |
| SHA256 | 7237051d9af5db972a1fecf0b35cd8e9021471740782b0dbf60d3801dc9f5f75 |
| SHA512 | 2e798b0c9e80f639571525f39c2f50838d5244eeda29b18a1fae6c15d939d5c8cd29f6785d234b54bda843a645d1a95c7339707991a81946b51f7e8d5ed40d2c |
\??\c:\c29ed38b13685ba88fc590\graphics\Rotate4.ico
| MD5 | bb55b5086a9da3097fb216c065d15709 |
| SHA1 | 1206c708bd08231961f17da3d604a8956addccfe |
| SHA256 | 8d82ff7970c9a67da8134686560fe3a6c986a160ced9d1cc1392f2ba75c698ab |
| SHA512 | de9226064680da6696976a4a320e08c41f73d127fbb81bf142048996df6206ddb1c2fe347c483cc8e0e50a00dab33db9261d03f1cd7ca757f5ca7bb84865fca9 |
\??\c:\c29ed38b13685ba88fc590\graphics\Rotate3.ico
| MD5 | 924fd539523541d42dad43290e6c0db5 |
| SHA1 | 19a161531a2c9dbc443b0f41b97cbde7375b8983 |
| SHA256 | 02a7fe932029c6fa24d1c7cc06d08a27e84f43a0cbc47b7c43cac59424b3d1f6 |
| SHA512 | 86a4c5d981370efa20183cc4a52c221467692e91539ac38c8def1cc200140f6f3d9412b6e62faf08ca6668df401d8b842c61b1f3c2a4c4570f3b2cec79c9ee8b |
\??\c:\c29ed38b13685ba88fc590\graphics\Rotate2.ico
| MD5 | 8419caa81f2377e09b7f2f6218e505ae |
| SHA1 | 2cf5ad8c8da4f1a38aab433673f4dddc7ae380e9 |
| SHA256 | db89d8a45c369303c04988322b2774d2c7888da5250b4dab2846deef58a7de22 |
| SHA512 | 74e504d2c3a8e82925110b7cfb45fde8a4e6df53a188e47cf22d664cbb805eba749d2db23456fc43a86e57c810bc3d9166e7c72468fbd736da6a776f8ca015d1 |
\??\c:\c29ed38b13685ba88fc590\graphics\Rotate8.ico
| MD5 | d1c53003264dce4effaf462c807e2d96 |
| SHA1 | 92562ad5876a5d0cb35e2d6736b635cb5f5a91d9 |
| SHA256 | 5fb03593071a99c7b3803fe8424520b8b548b031d02f2a86e8f5412ac519723c |
| SHA512 | c34f8c05a50dc0de644d1f9d97696cdb0a1961c7c7e412eb3df2fd57bbd34199cf802962ca6a4b5445a317d9c7875e86e8e62f6c1df8cc3415afc0bd26e285bd |
\??\c:\c29ed38b13685ba88fc590\vc_red.cab
| MD5 | c580a38f1a1a7d838076a1b897c37011 |
| SHA1 | c689488077d1c21820797707078af826ea676b70 |
| SHA256 | 71c0acc75eecdf39051819dc7c26503583f6be6c43ab2c320853de15bece9978 |
| SHA512 | ea3a62bd312f1ddeebe5e3c7911eb3a73bc3ee184abb7e9b55bc962214f50bbf05d2499caf151d0bd00735e2021fbea9584bf3e868a1d4502b75ec3b62c7ff56 |
\??\c:\c29ed38b13685ba88fc590\vc_red.msi
| MD5 | 3ff9acea77afc124be8454269bb7143f |
| SHA1 | 8dd6ecab8576245cd6c8617c24e019325a3b2bdc |
| SHA256 | 9ecf3980b29c6aa20067f9f45c64b45ad310a3d83606cd9667895ad35f106e66 |
| SHA512 | 8d51f692747cfdd59fc839918a34d2b6cbbb510c90dea83ba936b3f5f39ee4cbd48f6bb7e35ed9e0945bf724d682812532191d91c8f3c2adb6ff80a8df89ff7a |
\??\c:\c29ed38b13685ba88fc590\msp_kb2565063.msp
| MD5 | 9843dc93ea948cddc1f480e53bb80c2f |
| SHA1 | d6ec9db8b8802ec85dd0b793565401b67ad8e5e0 |
| SHA256 | 7c969fcda6ef09d2eb7bbbc8d81795eb60c9c69ed835fd16538369ad0a6e0f10 |
| SHA512 | 79008cfdd8ae1ea27675588e7ba8123d08ce14047e5f167b3b5f6fbcdadeb45515bd72e18e59abf632ecbfbb42243fbcbebe4cbe0ed6ba195d0b2ca6d88676f9 |
Analysis: behavioral17
Detonation Overview
Submitted
2024-11-03 05:03
Reported
2024-11-03 05:10
Platform
win7-20241010-en
Max time kernel
121s
Max time network
146s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\fmod.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\fmod.dll",#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 240
Network
Files
Analysis: behavioral23
Detonation Overview
Submitted
2024-11-03 05:03
Reported
2024-11-03 05:10
Platform
win7-20240903-en
Max time kernel
121s
Max time network
133s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\libExtensions.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\libExtensions.dll",#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 260
Network
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-11-03 05:03
Reported
2024-11-03 05:10
Platform
win10v2004-20241007-en
Max time kernel
145s
Max time network
163s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2944 wrote to memory of 1904 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2944 wrote to memory of 1904 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2944 wrote to memory of 1904 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\libcocos2d.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\libcocos2d.dll",#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1904 -ip 1904
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 644
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 209.143.182.52.in-addr.arpa | udp |
Files
Analysis: behavioral28
Detonation Overview
Submitted
2024-11-03 05:03
Reported
2024-11-03 05:10
Platform
win10v2004-20241007-en
Max time kernel
131s
Max time network
169s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1032 wrote to memory of 2020 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1032 wrote to memory of 2020 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1032 wrote to memory of 2020 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\libcurl.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\libcurl.dll",#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2020 -ip 2020
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 636
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-11-03 05:03
Reported
2024-11-03 05:10
Platform
win7-20240903-en
Max time kernel
119s
Max time network
130s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2013\vcredist_x86.exe | N/A |
Checks installed software on the system
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2013\vcredist_x86.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2013\vcredist_x86.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2013\vcredist_x86.exe
"C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2013\vcredist_x86.exe"
C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2013\vcredist_x86.exe
"C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2013\vcredist_x86.exe" -burn.unelevated BurnPipe.{06BB7053-4417-4FD1-AF7A-94E4FF69FC2F} {16007753-B2C1-4418-96C1-397EC9AB5F9D} 2796
Network
Files
\Users\Admin\AppData\Local\Temp\{f65db027-aff3-4070-886a-0d87064aabb1}\.ba1\wixstdba.dll
| MD5 | a52e5220efb60813b31a82d101a97dcb |
| SHA1 | 56e16e4df0944cb07e73a01301886644f062d79b |
| SHA256 | e7c8e7edd9112137895820e789baaaeca41626b01fb99fede82968ddb66d02cf |
| SHA512 | d6565ba18b5b9795d6bde3ef94d8f7cd77bf8bb69ba3fe7adefb80fc7c5d888cdfdc79238d86a0839846aea4a1e51fc0caed3d62f7054885e8b15fad9f6c654e |
C:\Users\Admin\AppData\Local\Temp\{f65db027-aff3-4070-886a-0d87064aabb1}\.ba1\logo.png
| MD5 | d6bd210f227442b3362493d046cea233 |
| SHA1 | ff286ac8370fc655aea0ef35e9cf0bfcb6d698de |
| SHA256 | 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef |
| SHA512 | 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b |
Analysis: behavioral30
Detonation Overview
Submitted
2024-11-03 05:03
Reported
2024-11-03 05:10
Platform
win10v2004-20241007-en
Max time kernel
129s
Max time network
158s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2516 wrote to memory of 2044 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2516 wrote to memory of 2044 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2516 wrote to memory of 2044 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\libtiff.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\libtiff.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-11-03 05:03
Reported
2024-11-03 05:10
Platform
win10v2004-20241007-en
Max time kernel
145s
Max time network
158s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\Resources\xStep.ps1"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x444 0x4e8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
memory/2876-0-0x00007FFE0FBE3000-0x00007FFE0FBE5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pjuitgss.t0r.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2876-10-0x0000016F7F810000-0x0000016F7F832000-memory.dmp
memory/2876-11-0x00007FFE0FBE0000-0x00007FFE106A1000-memory.dmp
memory/2876-12-0x00007FFE0FBE0000-0x00007FFE106A1000-memory.dmp
memory/2876-13-0x00007FFE0FBE0000-0x00007FFE106A1000-memory.dmp
memory/2876-16-0x00007FFE0FBE0000-0x00007FFE106A1000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-11-03 05:03
Reported
2024-11-03 05:09
Platform
win7-20240903-en
Max time kernel
118s
Max time network
129s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\4e11e994011483e76b906b9bc4e019\Setup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2010\vcredist_x64.exe | N/A |
| N/A | N/A | \??\c:\4e11e994011483e76b906b9bc4e019\Setup.exe | N/A |
| N/A | N/A | \??\c:\4e11e994011483e76b906b9bc4e019\Setup.exe | N/A |
| N/A | N/A | \??\c:\4e11e994011483e76b906b9bc4e019\Setup.exe | N/A |
| N/A | N/A | \??\c:\4e11e994011483e76b906b9bc4e019\Setup.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2010\vcredist_x64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\4e11e994011483e76b906b9bc4e019\Setup.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\4e11e994011483e76b906b9bc4e019\Setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | \??\c:\4e11e994011483e76b906b9bc4e019\Setup.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\4e11e994011483e76b906b9bc4e019\Setup.exe | N/A |
| N/A | N/A | \??\c:\4e11e994011483e76b906b9bc4e019\Setup.exe | N/A |
| N/A | N/A | \??\c:\4e11e994011483e76b906b9bc4e019\Setup.exe | N/A |
| N/A | N/A | \??\c:\4e11e994011483e76b906b9bc4e019\Setup.exe | N/A |
| N/A | N/A | \??\c:\4e11e994011483e76b906b9bc4e019\Setup.exe | N/A |
| N/A | N/A | \??\c:\4e11e994011483e76b906b9bc4e019\Setup.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2010\vcredist_x64.exe
"C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2010\vcredist_x64.exe"
\??\c:\4e11e994011483e76b906b9bc4e019\Setup.exe
c:\4e11e994011483e76b906b9bc4e019\Setup.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | sqm.microsoft.com | udp |
Files
\4e11e994011483e76b906b9bc4e019\Setup.exe
| MD5 | 2af2c1a78542975b12282aca4300d515 |
| SHA1 | 3216c853ed82e41dfbeb6ca48855fdcd41478507 |
| SHA256 | 531eb45798728cb741043b28b8c1a4f75536dc75f92d100f55f9109d2d63f0d7 |
| SHA512 | 4a70bd4b542f6001e46f827f341676c34af1ea216c50ad981dd04f547cd67f73aaa420fcbed379dc05dab199bf5ba00d899c49ff75da577613209f96226227eb |
\??\c:\4e11e994011483e76b906b9bc4e019\SetupEngine.dll
| MD5 | 63e7901d4fa7ac7766076720272060d0 |
| SHA1 | 72dec0e4e12255d98ccd49937923c7b5590bbfac |
| SHA256 | a5116ccb17b242713e5645c2374abf5827c0d2752b31553e3540c9123812e952 |
| SHA512 | de2e63bc090121484191cbf23194361d761b01c0fd332f35f0dfdfd0b11431b529e5c7f542031a0e7e26f31497d94b8baacfbf1c84c6493e66ac2ab76c11d0a0 |
\??\c:\4e11e994011483e76b906b9bc4e019\sqmapi.dll
| MD5 | 3f0363b40376047eff6a9b97d633b750 |
| SHA1 | 4eaf6650eca5ce931ee771181b04263c536a948b |
| SHA256 | bd6395a58f55a8b1f4063e813ce7438f695b9b086bb965d8ac44e7a97d35a93c |
| SHA512 | 537be86e2f171e0b2b9f462ac7f62c4342beb5d00b68451228f28677d26a525014758672466ad15ed1fd073be38142dae478df67718908eae9e6266359e1f9e8 |
\??\c:\4e11e994011483e76b906b9bc4e019\DHTMLHeader.html
| MD5 | cd131d41791a543cc6f6ed1ea5bd257c |
| SHA1 | f42a2708a0b42a13530d26515274d1fcdbfe8490 |
| SHA256 | e139af8858fe90127095ac1c4685bcd849437ef0df7c416033554703f5d864bb |
| SHA512 | a6ee9af8f8c2c7acd58dd3c42b8d70c55202b382ffc5a93772af7bf7d7740c1162bb6d38a4307b1802294a18eb52032d410e128072af7d4f9d54f415be020c9a |
C:\Users\Admin\AppData\Local\Temp\Setup_20241103_050715879.html
| MD5 | 18c47f8ce936bef9a5dba2c9ef8638ae |
| SHA1 | e27a633f62f67a5be62f5aff03a853d8354fe07a |
| SHA256 | dd3dcae8406917d3827b8dbe9ed1feae7337b77aef516c77ca717c825009c46e |
| SHA512 | bb0fa08cdb74be7476779ea41241bfbeb888725b91940adb3dfe09052635e561b40d08717e2ceaac687b78aa42fd39b1bf8572d802a0b051df70dba8ef980518 |
\??\c:\4e11e994011483e76b906b9bc4e019\UiInfo.xml
| MD5 | 4f90fcef3836f5fc49426ad9938a1c60 |
| SHA1 | 89eba3b81982d5d5c457ffa7a7096284a10de64a |
| SHA256 | 66a0299ce7ee12dd9fc2cfead3c3211e59bfb54d6c0627d044d44cef6e70367b |
| SHA512 | 4ce2731c1d32d7ca3a4f644f4b3111f06223de96c1e241fcc86f5fe665f4db18c8a241dae4e8a7e278d6afbf91b235a2c3517a40d4d22d9866880e19a7221160 |
\??\c:\4e11e994011483e76b906b9bc4e019\ParameterInfo.xml
| MD5 | 5674d0bc3f4cdf572b9263332b2942c7 |
| SHA1 | 495c5ba176fe6a6cbd4c0d9b85c2d886de1be968 |
| SHA256 | cbe5b9a27b1dde70a9040790eaff798e6534ff1ec2b4702cc4be7221d18d2182 |
| SHA512 | 22d35950ee4291e42107a8b2d1fd1f305dcde9306480549b639f5c504247cfb73ba287f20e3e5232b3c35294176b0b3dbdc03c948561e90db0f22635efce7685 |
\??\c:\4e11e994011483e76b906b9bc4e019\1033\LocalizedData.xml
| MD5 | 5486ff60b072102ee3231fd743b290a1 |
| SHA1 | d8d8a1d6bf6adf1095158b3c9b0a296a037632d0 |
| SHA256 | 5ca3ecaa12ca56f955d403ca93c4cb36a7d3dcdea779fc9bdaa0cdd429dab706 |
| SHA512 | ae240eaac32edb18fd76982fc01e03bd9c8e40a9ec1b9c42d7ebd225570b7517949e045942dbb9e40e620aa9dcc9fbe0182c6cf207ac0a44d7358ad33ba81472 |
\??\c:\4e11e994011483e76b906b9bc4e019\1028\LocalizedData.xml
| MD5 | 12df3535e4c4ef95a8cb03fd509b5874 |
| SHA1 | 90b1f87ba02c1c89c159ebf0e1e700892b85dc39 |
| SHA256 | 1c8132747dc33ccdb02345cbe706e65089a88fe32cf040684ca0d72bb9105119 |
| SHA512 | c6c8887e7023c4c1cbf849eebd17b6ad68fc14607d1c32c0d384f951e07bfaf6b61e0639f4e5978c9e3e1d52ef8a383b62622018a26fa4066eb620f584030808 |
\??\c:\4e11e994011483e76b906b9bc4e019\1031\LocalizedData.xml
| MD5 | b13ff959adc5c3e9c4ba4c4a76244464 |
| SHA1 | 4df793626f41b92a5bc7c54757658ce30fdaeeb1 |
| SHA256 | 44945bc0ba4be653d07f53e736557c51164224c8ec4e4672dfae1280260ba73b |
| SHA512 | de78542d3bbc4c46871a8afb50fb408a59a76f6ed67e8be3cba8ba41724ea08df36400e233551b329277a7a0fe6168c5556abe9d9a735f41b29a941250bfc4d6 |
\??\c:\4e11e994011483e76b906b9bc4e019\1036\LocalizedData.xml
| MD5 | 30dd04ce53b3f5d9363ade0359e3e0b2 |
| SHA1 | 56bc3301013a2d0b08ecd38ff0a22b1040ef558e |
| SHA256 | bf03073e0e939f3598aeb9aa19b655a24c4ad31f96065d6dc60f7c4df78653ba |
| SHA512 | 9cb1ff9ba0dc018f9e1bd301fbcb9e5c561f6a14c65290ebc0fe67cbdf59d1a09898a2f802c52339c10942c819ebb4bdd8b4c7f5f4f78af95f7c893641e41a34 |
\??\c:\4e11e994011483e76b906b9bc4e019\1042\LocalizedData.xml
| MD5 | e87ad0b3bf73f3e76500f28e195f7dc0 |
| SHA1 | 716b842f6fbf6c68dc9c4e599c8182bfbb1354dc |
| SHA256 | 43b351419b73ac266c4b056a9c3a92f6dfa654328163814d17833a837577c070 |
| SHA512 | d3ea8655d42a2b0938c2189ceeab25c29939c302c2e2205e05d6059afc2a9b2039b21c083a7c17da1ce5eebdc934ff327a452034e2e715e497bcd6239395774c |
\??\c:\4e11e994011483e76b906b9bc4e019\1041\LocalizedData.xml
| MD5 | 6f86b79dbf15e810331df2ca77f1043a |
| SHA1 | 875ed8498c21f396cc96b638911c23858ece5b88 |
| SHA256 | f0f9dd1a9f164f4d2e73b4d23cc5742da2c39549b9c4db692283839c5313e04f |
| SHA512 | ca233a6bf55e253ebf1e8180a326667438e1124f6559054b87021095ef16ffc6b0c87361e0922087be4ca9cabd10828be3b6cc12c4032cb7f2a317fdbd76f818 |
\??\c:\4e11e994011483e76b906b9bc4e019\1040\LocalizedData.xml
| MD5 | fe6b23186c2d77f7612bf7b1018a9b2a |
| SHA1 | 1528ec7633e998f040d2d4c37ac8a7dc87f99817 |
| SHA256 | 03bbe1a39c6716f07703d20ed7539d8bf13b87870c2c83ddda5445c82953a80a |
| SHA512 | 40c9c9f3607cab24655593fc4766829516de33f13060be09f5ee65578824ac600cc1c07fe71cdd48bff7f52b447ff37c0d161d755a69ac7db7df118da6db7649 |
\??\c:\4e11e994011483e76b906b9bc4e019\1049\LocalizedData.xml
| MD5 | 1290be72ed991a3a800a6b2a124073b2 |
| SHA1 | dac09f9f2ccb3b273893b653f822e3dfc556d498 |
| SHA256 | 6ba9a2e4a6a58f5bb792947990e51babd9d5151a7057e1a051cb007fea2eb41c |
| SHA512 | c0b8b4421fcb2aabe2c8c8773fd03842e3523bf2b75d6262fd8bd952adc12c06541bdae0219e89f9f9f8d79567a4fe4dff99529366c4a7c5bf66c218431f3217 |
\??\c:\4e11e994011483e76b906b9bc4e019\3082\LocalizedData.xml
| MD5 | 05a95593c61c744759e52caf5e13502e |
| SHA1 | 0054833d8a7a395a832e4c188c4d012301dd4090 |
| SHA256 | 1a3e5e49da88393a71ea00d73fee7570e40edb816b72622e39c7fcd09c95ead1 |
| SHA512 | 00aee4c02f9d6374560f7d2b826503aab332e1c4bc3203f88fe82e905471ec43f92f4af4fc52e46f377e4d297c2be99daf94980df2ce7664c169552800264fd3 |
\??\c:\4e11e994011483e76b906b9bc4e019\2052\LocalizedData.xml
| MD5 | 150b5c3d1b452dccbe8f1313fda1b18c |
| SHA1 | 7128b6b9e84d69c415808f1d325dd969b17914cc |
| SHA256 | 6d4eb9dca1cbcd3c2b39a993133731750b9fdf5988411f4a6da143b9204c01f2 |
| SHA512 | a45a1f4f19a27558e08939c7f63894ff5754e6840db86b8c8c68d400a36fb23179caff164d8b839898321030469b56446b5a8efc5765096dee5e8a746351e949 |
\??\c:\4e11e994011483e76b906b9bc4e019\SetupUi.dll
| MD5 | 0d214ced87bf0b55883359160a68dacb |
| SHA1 | a60526505d56d447c6bbde03da980db67062c4c6 |
| SHA256 | 29cf99d7e67b4c54bafd109577a385387a39301bcdec8ae4ba1a8a0044306713 |
| SHA512 | d9004ebd42d4aa7d13343b3746cf454ca1a5144f7b0f437f1a31639cc6bd90c5dd3385612df926bf53c3ef85cfe33756c067cb757fff257d674a10d638fc03c5 |
\??\c:\4e11e994011483e76b906b9bc4e019\SetupUi.xsd
| MD5 | 2fadd9e618eff8175f2a6e8b95c0cacc |
| SHA1 | 9ab1710a217d15b192188b19467932d947b0a4f8 |
| SHA256 | 222211e8f512edf97d78bc93e1f271c922d5e91fa899e092b4a096776a704093 |
| SHA512 | a3a934a8572ff9208d38cf381649bd83de227c44b735489fd2a9dc5a636ead9bb62459c9460ee53f61f0587a494877cd3a3c2611997be563f3137f8236ffc4ca |
\??\c:\4e11e994011483e76b906b9bc4e019\Strings.xml
| MD5 | 332adf643747297b9bfa9527eaefe084 |
| SHA1 | 670f933d778eca39938a515a39106551185205e9 |
| SHA256 | e49545feeae22198728ad04236e31e02035af7cc4d68e10cbecffd08669cbeca |
| SHA512 | bea95ce35c4c37b4b2e36cc1e81fc297cc4a8e17b93f10423a02b015ddb593064541b5eb7003560fbeee512ed52869a113a6fb439c1133af01f884a0db0344b0 |
\4e11e994011483e76b906b9bc4e019\1033\SetupResources.dll
| MD5 | 0b4e76baf52d580f657f91972196cd91 |
| SHA1 | e6ac8f80ab8ade18ac7e834ac6d0536bb483988c |
| SHA256 | 74a7767d8893dcc1a745522d5a509561162f95bc9e8bcc3056f37a367dba64a4 |
| SHA512 | ed53292c549d09da9118e944a646aa5dc0a6231811eafcda4258c892b218bcf3e0363a2c974868d2d2722155983c5dc8e29bed36d58e566e1695e23ce07fea87 |
\??\c:\4e11e994011483e76b906b9bc4e019\header.bmp
| MD5 | 3ad1a8c3b96993bcdf45244be2c00eef |
| SHA1 | 308f98e199f74a43d325115a8e7072d5f2c6202d |
| SHA256 | 133b86a4f1c67a159167489fdaeab765bfa1050c23a7ae6d5c517188fb45f94a |
| SHA512 | 133442c4a65269f817675adf01adcf622e509aa7ec7583bca8cd9a7eb6018d2aab56066054f75657038efb947cd3b3e5dc4fe7f0863c8b3b1770a8fa4fe2e658 |
\??\c:\4e11e994011483e76b906b9bc4e019\graphics\setup.ico
| MD5 | 3d25d679e0ff0b8c94273dcd8b07049d |
| SHA1 | a517fc5e96bc68a02a44093673ee7e076ad57308 |
| SHA256 | 288e9ad8f0201e45bc187839f15aca79d6b9f76a7d3c9274c80f5d4a4c219c0f |
| SHA512 | 3bde668004ca7e28390862d0ae9903c756c16255bdbb3f7e73a5b093ce6a57a3165d6797b0a643b254493149231aca7f7f03e0af15a0cbe28aff02f0071ec255 |
\??\c:\4e11e994011483e76b906b9bc4e019\graphics\save.ico
| MD5 | 7d62e82d960a938c98da02b1d5201bd5 |
| SHA1 | 194e96b0440bf8631887e5e9d3cc485f8e90fbf5 |
| SHA256 | ae041c8764f56fd89277b34982145d16fc59a4754d261c861b19371c3271c6e5 |
| SHA512 | ab06b2605f0c1f6b71ef69563c0c977d06c6ea84d58ef7f2baecba566d6037d1458c2b58e6bfd70ddef47dccbdea6d9c2f2e46dea67ea9e92457f754d7042f67 |
\??\c:\4e11e994011483e76b906b9bc4e019\graphics\print.ico
| MD5 | 7e55ddc6d611176e697d01c90a1212cf |
| SHA1 | e2620da05b8e4e2360da579a7be32c1b225deb1b |
| SHA256 | ff542e32330b123486797b410621e19eafb39df3997e14701afa4c22096520ed |
| SHA512 | 283d381aa396820b7e15768b20099d67688da1f6315ec9f7938c2fcc3167777502cded0d1beddf015a34cc4e5d045bcb665ffd28ba2fbb6faf50fdd38b31d16e |
\??\c:\4e11e994011483e76b906b9bc4e019\watermark.bmp
| MD5 | 1a5caafacfc8c7766e404d019249cf67 |
| SHA1 | 35d4878db63059a0f25899f4be00b41f430389bf |
| SHA256 | 2e87d5742413254db10f7bd0762b6cdb98ff9c46ca9acddfd9b1c2e5418638f2 |
| SHA512 | 202c13ded002d234117f08b18ca80d603246e6a166e18ba422e30d394ada7e47153dd3cce9728affe97128fdd797fe6302c74dc6882317e2ba254c8a6db80f46 |
memory/2996-108-0x0000000000170000-0x0000000000171000-memory.dmp
\??\c:\4e11e994011483e76b906b9bc4e019\graphics\SysReqMet.ico
| MD5 | 661cbd315e9b23ba1ca19edab978f478 |
| SHA1 | 605685c25d486c89f872296583e1dc2f20465a2b |
| SHA256 | 8bfc77c6d0f27f3d0625a884e0714698acc0094a92adcb6de46990735ae8f14d |
| SHA512 | 802cc019f07fd3b78fcefdc8404b3beb5d17bfc31bded90d42325a138762cc9f9ebfd1b170ec4bbcccf9b99773bd6c8916f2c799c54b22ff6d5edd9f388a67c6 |
\??\c:\4e11e994011483e76b906b9bc4e019\graphics\SysReqNotMet.ico
| MD5 | ee2c05cc9d14c29f586d40eb90c610a9 |
| SHA1 | e571d82e81bd61b8fe4c9ecd08869a07918ac00b |
| SHA256 | 3c9c71950857ddb82baab83ed70c496dee8f20f3bc3216583dc1ddda68aefc73 |
| SHA512 | 0f38fe9c97f2518186d5147d2c4a786b352fceca234410a94cc9d120974fc4be873e39956e10374da6e8e546aea5689e7fa0beed025687547c430e6ceffabffb |
\??\c:\4e11e994011483e76b906b9bc4e019\graphics\Rotate1.ico
| MD5 | 26a00597735c5f504cf8b3e7e9a7a4c1 |
| SHA1 | d913cb26128d5ca1e1ac3dab782de363c9b89934 |
| SHA256 | 37026c4ea2182d7908b3cf0cef8a6f72bddca5f1cfbc702f35b569ad689cf0af |
| SHA512 | 08cefc5a2b625f261668f70cc9e1536dc4878d332792c751884526e49e7fee1ecfa6fccfddf7be80910393421cc088c0fd0b0c27c7a7eff2ae03719e06022fdf |
\??\c:\4e11e994011483e76b906b9bc4e019\graphics\Rotate2.ico
| MD5 | 8419caa81f2377e09b7f2f6218e505ae |
| SHA1 | 2cf5ad8c8da4f1a38aab433673f4dddc7ae380e9 |
| SHA256 | db89d8a45c369303c04988322b2774d2c7888da5250b4dab2846deef58a7de22 |
| SHA512 | 74e504d2c3a8e82925110b7cfb45fde8a4e6df53a188e47cf22d664cbb805eba749d2db23456fc43a86e57c810bc3d9166e7c72468fbd736da6a776f8ca015d1 |
\??\c:\4e11e994011483e76b906b9bc4e019\graphics\Rotate4.ico
| MD5 | bb55b5086a9da3097fb216c065d15709 |
| SHA1 | 1206c708bd08231961f17da3d604a8956addccfe |
| SHA256 | 8d82ff7970c9a67da8134686560fe3a6c986a160ced9d1cc1392f2ba75c698ab |
| SHA512 | de9226064680da6696976a4a320e08c41f73d127fbb81bf142048996df6206ddb1c2fe347c483cc8e0e50a00dab33db9261d03f1cd7ca757f5ca7bb84865fca9 |
\??\c:\4e11e994011483e76b906b9bc4e019\graphics\Rotate3.ico
| MD5 | 924fd539523541d42dad43290e6c0db5 |
| SHA1 | 19a161531a2c9dbc443b0f41b97cbde7375b8983 |
| SHA256 | 02a7fe932029c6fa24d1c7cc06d08a27e84f43a0cbc47b7c43cac59424b3d1f6 |
| SHA512 | 86a4c5d981370efa20183cc4a52c221467692e91539ac38c8def1cc200140f6f3d9412b6e62faf08ca6668df401d8b842c61b1f3c2a4c4570f3b2cec79c9ee8b |
\??\c:\4e11e994011483e76b906b9bc4e019\graphics\Rotate5.ico
| MD5 | 3b4861f93b465d724c60670b64fccfcf |
| SHA1 | c672d63c62e00e24fbb40da96a0cc45b7c5ef7f0 |
| SHA256 | 7237051d9af5db972a1fecf0b35cd8e9021471740782b0dbf60d3801dc9f5f75 |
| SHA512 | 2e798b0c9e80f639571525f39c2f50838d5244eeda29b18a1fae6c15d939d5c8cd29f6785d234b54bda843a645d1a95c7339707991a81946b51f7e8d5ed40d2c |
\??\c:\4e11e994011483e76b906b9bc4e019\graphics\Rotate6.ico
| MD5 | 70006bf18a39d258012875aefb92a3d1 |
| SHA1 | b47788f3f8c5c305982eb1d0e91c675ee02c7beb |
| SHA256 | 19abcedf93d790e19fb3379cb3b46371d3cbff48fe7e63f4fdcc2ac23a9943e4 |
| SHA512 | 97fdbdd6efadbfb08161d8546299952470228a042bd2090cd49896bc31ccb7c73dab8f9de50cdaf6459f7f5c14206af7b90016deeb1220943d61c7324541fe2c |
\??\c:\4e11e994011483e76b906b9bc4e019\graphics\Rotate7.ico
| MD5 | fb4dfebe83f554faf1a5cec033a804d9 |
| SHA1 | 6c9e509a5d1d1b8d495bbc8f57387e1e7e193333 |
| SHA256 | 4f46a9896de23a92d2b5f963bcfb3237c3e85da05b8f7660641b3d1d5afaae6f |
| SHA512 | 3caeb21177685b9054b64dec997371c4193458ff8607bce67e4fbe72c4af0e6808d344dd0d59d3d0f5ce00e4c2b8a4ffca0f7d9352b0014b9259d76d7f03d404 |
\??\c:\4e11e994011483e76b906b9bc4e019\graphics\Rotate8.ico
| MD5 | d1c53003264dce4effaf462c807e2d96 |
| SHA1 | 92562ad5876a5d0cb35e2d6736b635cb5f5a91d9 |
| SHA256 | 5fb03593071a99c7b3803fe8424520b8b548b031d02f2a86e8f5412ac519723c |
| SHA512 | c34f8c05a50dc0de644d1f9d97696cdb0a1961c7c7e412eb3df2fd57bbd34199cf802962ca6a4b5445a317d9c7875e86e8e62f6c1df8cc3415afc0bd26e285bd |
\??\c:\4e11e994011483e76b906b9bc4e019\vc_red.cab
| MD5 | c2b6838431748d42e247c574a191b2c2 |
| SHA1 | f01c1a083c158d9470da3919b461938560e90874 |
| SHA256 | 387e94a26165e4e5f035d89f9c6589a8a9d223978abbcc728b4c45c0115267a6 |
| SHA512 | 5cf95c3cbe10a75360bc4d02840e196c919bcd2fd42ba86192d25d781d00e8019217a9c8829f51a2924d8c95bd48e06728a3530e3344000cac79c4b0e7faff91 |
\??\c:\4e11e994011483e76b906b9bc4e019\vc_red.msi
| MD5 | 8f21bc0dc9e66f8e9d94197ae76698b3 |
| SHA1 | b48a08fde80f739657b819b94602f861f3ff57a4 |
| SHA256 | 5763364634bdb2097b6df6cde79ac5cce6069acecf27254c589e3cabffe53c2b |
| SHA512 | 88fd8870bc0f5dbdd2cb4a6a97cf4b1ab81d7ff77c2b2a4d1f6b34a730d0347a5022ecc8ca5b2e7c5f7c2cbe0486d5046cfafcb8167e001e1ac5e1797d03278a |
\??\c:\4e11e994011483e76b906b9bc4e019\msp_kb2565063.msp
| MD5 | 905fcc526204ddf1e6650212abc3d848 |
| SHA1 | aded77f45b75d796cc4795263c826c822df5f0d9 |
| SHA256 | 4cd45cf57644d49b4c8f96e4a0efdc46a5ba196fa4f5a10190f790ccc74bb1bf |
| SHA512 | 9470fcd540ea542936120782aa31abecaf5d20cadd13ff82ad346f78f95020958937beb2bfcf5ea4de92c978338f5a324e334229c79f8166c66a1465e191ba47 |
Analysis: behavioral13
Detonation Overview
Submitted
2024-11-03 05:03
Reported
2024-11-03 05:10
Platform
win7-20240708-en
Max time kernel
121s
Max time network
135s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2013\vcredist_x64.exe | N/A |
Checks installed software on the system
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2013\vcredist_x64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2013\vcredist_x64.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2013\vcredist_x64.exe
"C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2013\vcredist_x64.exe"
C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2013\vcredist_x64.exe
"C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2013\vcredist_x64.exe" -burn.unelevated BurnPipe.{FEEE4763-EA21-4AAB-8E68-F99E8F0B8B77} {4272A91B-382B-42F9-957F-BC5E5BF47C13} 2212
Network
Files
\Users\Admin\AppData\Local\Temp\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\.ba1\wixstdba.dll
| MD5 | a52e5220efb60813b31a82d101a97dcb |
| SHA1 | 56e16e4df0944cb07e73a01301886644f062d79b |
| SHA256 | e7c8e7edd9112137895820e789baaaeca41626b01fb99fede82968ddb66d02cf |
| SHA512 | d6565ba18b5b9795d6bde3ef94d8f7cd77bf8bb69ba3fe7adefb80fc7c5d888cdfdc79238d86a0839846aea4a1e51fc0caed3d62f7054885e8b15fad9f6c654e |
C:\Users\Admin\AppData\Local\Temp\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\.ba1\logo.png
| MD5 | d6bd210f227442b3362493d046cea233 |
| SHA1 | ff286ac8370fc655aea0ef35e9cf0bfcb6d698de |
| SHA256 | 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef |
| SHA512 | 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b |
Analysis: behavioral19
Detonation Overview
Submitted
2024-11-03 05:03
Reported
2024-11-03 05:10
Platform
win7-20240903-en
Max time kernel
118s
Max time network
129s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\glew32.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\glew32.dll",#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 780 -s 244
Network
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-11-03 05:03
Reported
2024-11-03 05:10
Platform
win10v2004-20241007-en
Max time kernel
138s
Max time network
172s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1756 wrote to memory of 4216 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1756 wrote to memory of 4216 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1756 wrote to memory of 4216 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\glew32.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\glew32.dll",#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4216 -ip 4216
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4216 -s 620
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
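The Network tables on this page are dominated by reverse (`.in-addr.arpa`) lookups sent to 8.8.8.8 and by `g.bing.com` / `tse1.mm.bing.net` connections. The same rows show up in runs whose only activity is a rundll32 host crashing under WerFault, so they are Windows 10 background traffic rather than anything the sample initiated. The following helper, an added example for this page and not code from the original report or the sandbox vendor, parses rows in the report's pipe-delimited layout, labels the background traffic, and returns only the flows that still need a human look. The input is constructed: rows copied from the behavioral20 table above, one row with an empty Domain cell in the shifted form some exports produce, and one made-up row (TEST-NET-3 address, reserved `.invalid` TLD) that is not in the report.

```python
"""Triage helper: split the Network rows of a sandbox report into background
traffic and flows worth a closer look. Added example for this page, not code
from the original report or from the sandbox vendor."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    country: str
    dest: str     # "ip:port"
    domain: str   # queried or resolved name; may be empty
    proto: str    # "udp" / "tcp"


# Constructed input: rows copied from the behavioral20 table, one row with an
# empty Domain cell in the shifted form some exports produce, and one MADE-UP
# row (203.0.113.10 is RFC 5737 TEST-NET-3, .invalid is a reserved TLD) that is
# NOT in the report and only stands in for a destination a sample might contact.
SAMPLE_ROWS = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | udp | |
| XX | 203.0.113.10:4444 | beacon.invalid | tcp |
"""

PROTOS = {"tcp", "udp"}
RESOLVER = "8.8.8.8:53"   # the DNS server the sandbox VMs used in these runs


def parse_rows(text: str) -> List[Flow]:
    """Parse pipe-delimited rows; tolerate a missing Domain cell that shifts Proto left."""
    flows: List[Flow] = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":   # skip header / odd rows
            continue
        country, dest, domain, proto = cells
        if proto == "" and domain.lower() in PROTOS:    # "| US | 8.8.8.8:53 | udp | |"
            domain, proto = "", domain
        flows.append(Flow(country, dest, domain, proto.lower()))
    return flows


def label(flow: Flow) -> str:
    """Classify one flow. Anything not recognised as background gets 'review'."""
    d = flow.domain.lower()
    if flow.dest == RESOLVER and d.endswith(".in-addr.arpa"):
        return "ptr-lookup"      # reverse lookups of peers; the OS/sandbox does these
    if d.endswith((".bing.com", ".bing.net")):
        return "windows-bing"    # Windows 10 Bing/Spotlight traffic, seen even in crash-only runs
    if flow.dest == RESOLVER and d == "":
        return "dns-unnamed"     # query whose name was not captured; cannot judge it
    return "review"


def triage(text: str) -> Tuple[Dict[str, int], List[Flow]]:
    """Return label counts and the de-duplicated flows that need a human look."""
    flows = parse_rows(text)
    counts = Counter(label(f) for f in flows)
    review = sorted({f for f in flows if label(f) == "review"}, key=lambda f: f.dest)
    return dict(counts), review


if __name__ == "__main__":
    counts, review = triage(SAMPLE_ROWS)
    print(counts)
    for f in review:
        print("REVIEW:", f.dest, f.domain, f.proto)
```

The allow-list is deliberately narrow: only PTR queries to the resolver and Bing hosts are treated as background, because those are the two patterns the page itself shows in otherwise idle runs. A query whose name was not captured is kept separate rather than silently dropped, since an empty Domain cell gives no basis for calling it benign.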
Analysis: behavioral27
Detonation Overview
Submitted
2024-11-03 05:03
Reported
2024-11-03 05:10
Platform
win7-20240903-en
Max time kernel
119s
Max time network
129s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\libcurl.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\libcurl.dll",#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1576 -s 228
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-03 05:03
Reported
2024-11-03 05:10
Platform
win7-20240903-en
Max time kernel
122s
Max time network
133s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\GeometryDash.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\GeometryDash.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2688 wrote to memory of 2784 | N/A | C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\GeometryDash.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2688 wrote to memory of 2784 | N/A | C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\GeometryDash.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2688 wrote to memory of 2784 | N/A | C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\GeometryDash.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2688 wrote to memory of 2784 | N/A | C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\GeometryDash.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\GeometryDash.exe
"C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\GeometryDash.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2688 -s 340
Network
Files
memory/2688-0-0x0000000074270000-0x0000000074321000-memory.dmp
memory/2688-3-0x0000000074270000-0x0000000074321000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-03 05:03
Reported
2024-11-03 05:10
Platform
win10v2004-20241007-en
Max time kernel
139s
Max time network
167s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\GeometryDash.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\GeometryDash.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\GeometryDash.exe
"C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\GeometryDash.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3020 -ip 3020
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 1040
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.73.42.20.in-addr.arpa | udp |
Files
memory/3020-0-0x0000000074EE0000-0x0000000074F91000-memory.dmp
memory/3020-3-0x0000000074EE0000-0x0000000074F91000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-11-03 05:03
Reported
2024-11-03 05:10
Platform
win7-20241010-en
Max time kernel
13s
Max time network
24s
Command Line
Signatures
Processes
C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\IGG-GAMES.COM.url"
Network
Files
memory/2792-0-0x0000000000200000-0x0000000000201000-memory.dmp
Analysis: behavioral22
Detonation Overview
Submitted
2024-11-03 05:03
Reported
2024-11-03 05:10
Platform
win10v2004-20241007-en
Max time kernel
146s
Max time network
161s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1924 wrote to memory of 1948 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1924 wrote to memory of 1948 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1924 wrote to memory of 1948 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\iconv.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\iconv.dll",#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1948 -ip 1948
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 600
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-11-03 05:03
Reported
2024-11-03 05:10
Platform
win10v2004-20241007-en
Max time kernel
139s
Max time network
162s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3940 wrote to memory of 4112 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3940 wrote to memory of 4112 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3940 wrote to memory of 4112 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\libExtensions.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\libExtensions.dll",#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4112 -ip 4112
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 644
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-03 05:03
Reported
2024-11-03 05:10
Platform
win10v2004-20241007-en
Max time kernel
145s
Max time network
162s
Command Line
Signatures
Processes
C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\GAMESTORRENT.CO.url"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-11-03 05:03
Reported
2024-11-03 05:10
Platform
win10v2004-20241007-en
Max time kernel
139s
Max time network
167s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2013\vcredist_x86.exe | N/A |
Checks installed software on the system
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2013\vcredist_x86.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2013\vcredist_x86.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2013\vcredist_x86.exe
"C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2013\vcredist_x86.exe"
C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2013\vcredist_x86.exe
"C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2013\vcredist_x86.exe" -burn.unelevated BurnPipe.{B681A8BC-3F72-45A6-AB9A-45C0AA778913} {4C796837-D8F0-4E03-A51A-0C4D546CEE4D} 1072
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\{f65db027-aff3-4070-886a-0d87064aabb1}\.ba1\wixstdba.dll
| MD5 | a52e5220efb60813b31a82d101a97dcb |
| SHA1 | 56e16e4df0944cb07e73a01301886644f062d79b |
| SHA256 | e7c8e7edd9112137895820e789baaaeca41626b01fb99fede82968ddb66d02cf |
| SHA512 | d6565ba18b5b9795d6bde3ef94d8f7cd77bf8bb69ba3fe7adefb80fc7c5d888cdfdc79238d86a0839846aea4a1e51fc0caed3d62f7054885e8b15fad9f6c654e |
C:\Users\Admin\AppData\Local\Temp\{f65db027-aff3-4070-886a-0d87064aabb1}\.ba1\logo.png
| MD5 | d6bd210f227442b3362493d046cea233 |
| SHA1 | ff286ac8370fc655aea0ef35e9cf0bfcb6d698de |
| SHA256 | 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef |
| SHA512 | 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b |
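Most of the process activity across the runs above has the same shape: `rundll32.exe "<archive member>.dll",#1` (the sandbox calling export ordinal 1 of each DLL in the archive), `WerFault.exe -p <pid>` lines recording that host crashing, `rundll32 ieframe.dll,OpenURL` opening the bundled `.url` shortcuts, and the `vcredist_*.exe` bootstrapper spawning its `-burn.unelevated` child. Only `GeometryDash.exe` is the sample itself being run. The classifier below, an added example for this page and not code from the original report or the sandbox vendor, sorts a report's command lines into those buckets so the harness-driven noise can be set aside. The input is constructed from lines copied from the Processes sections above. The Burn argument order (pipe name, connection token, parent PID) is assumed from WiX Burn's convention; the page only shows the raw command line.

```python
"""Triage helper: classify the command lines listed under Processes in a sandbox
report, separating what the harness did to the archive members from what the
sample itself ran. Added example for this page, not code from the original
report or the sandbox vendor."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Verdict:
    kind: str      # one of the labels returned by classify()
    subject: str   # path, PID or .url file the verdict is about


# Constructed input: command lines copied from the Processes sections above.
SAMPLE_CMDLINES = [
    r'rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\glew32.dll",#1',
    r'C:\Windows\SysWOW64\WerFault.exe -u -p 4216 -s 620',
    r'C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4216 -ip 4216',
    r'"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\IGG-GAMES.COM.url"',
    r'"C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\_CommonRedist\vcredist\2013\vcredist_x64.exe" -burn.unelevated BurnPipe.{FEEE4763-EA21-4AAB-8E68-F99E8F0B8B77} {4272A91B-382B-42F9-957F-BC5E5BF47C13} 2212',
    r'"C:\Users\Admin\AppData\Local\Temp\Geometry Dash 2.11 Funcional\GeometryDash.exe"',
]

# rundll32 "<dll>",#<n>: the sandbox calling export ordinal n of an archive member
ORDINAL_RE = re.compile(r'rundll32\.exe\s+"([^"]+\.dll)",#(\d+)\s*$', re.I)
# rundll32 ieframe.dll,OpenURL "<file.url>": how Windows launches a URL shortcut
OPENURL_RE = re.compile(r'ieframe\.dll",OpenURL\s+"([^"]+\.url)"', re.I)
# WerFault ... -p <pid>: crash reporting for the given process
WERFAULT_RE = re.compile(r'WerFault\.exe\b.*?\s-p\s+(\d+)', re.I)
# WiX Burn child: -burn.(un)elevated <pipe> <token> <parent pid>
# (argument order ASSUMED from Burn's convention; the report shows only the raw line)
BURN_RE = re.compile(r'-burn\.(elevated|unelevated)\s+(\S+)\s+(\{[0-9A-F-]+\})\s+(\d+)', re.I)
# Image path: a quoted path or the first whitespace-free token
IMAGE_RE = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')


def classify(cmdline: str) -> Verdict:
    """Map one command line to a verdict; order matters (rundll32 appears in two kinds)."""
    m = ORDINAL_RE.search(cmdline)
    if m:
        return Verdict("harness-dll-detonation", m.group(1))
    m = OPENURL_RE.search(cmdline)
    if m:
        return Verdict("shortcut-open", m.group(1))
    m = WERFAULT_RE.search(cmdline)
    if m:
        return Verdict("crash-report", m.group(1))          # subject = crashed PID
    m = BURN_RE.search(cmdline)
    if m:
        return Verdict("burn-child", m.group(4))            # subject = parent PID
    m = IMAGE_RE.match(cmdline)
    image = (m.group(1) or m.group(2)) if m else cmdline
    return Verdict("sample-exe", image)


def summarize(cmdlines: List[str]) -> Dict[str, int]:
    """Count verdicts per kind; a report that is all harness noise has no 'sample-exe'."""
    return dict(Counter(classify(c).kind for c in cmdlines))


if __name__ == "__main__":
    for c in SAMPLE_CMDLINES:
        v = classify(c)
        print(f"{v.kind:24} {v.subject}")
    print(summarize(SAMPLE_CMDLINES))
```

The crash-report PIDs let you tie each WerFault line back to the rundll32 host in the same run (4216 in behavioral20, for instance), and the Burn parent PID gives the same link for the installer child. What the classifier does not do is judge the DLLs themselves: a clean run of `rundll32 ...,#1` ending in WerFault says only that ordinal 1 was not a usable entry point, not whether the DLL matches a known-good build, which is a hash comparison rather than a behaviour question.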