Analysis Overview
SHA256
2718e831ac3db9a05ad546de42908348e6aaf55ba5025292d23dc274bfcb6c38
Threat Level: Shows suspicious behavior
The file GDLauncher__2.0.20__win__x64.exe was classified as: Shows suspicious behavior.
Malicious Activity Summary
Enumerates connected drives
Checks computer location settings
Drops file in System32 directory
Executes dropped EXE
Checks installed software on the system
Drops file in Windows directory
Drops file in Program Files directory
Loads dropped DLL
System Location Discovery: System Language Discovery
Unsigned PE
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
Browser Information Discovery
Reads user/profile data of web browsers
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies registry class
Enumerates system info in registry
Checks processor information in registry
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
| Reported | 2024-11-13 10:09 |
Signatures
Unsigned PE
Analysis: behavioral23
Detonation Overview
| Submitted | 2024-11-13 10:07 |
| Reported | 2024-11-13 10:13 |
| Platform | win10ltsc2021-20241023-en |
| Max time kernel | 99s |
| Max time network | 140s |
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3764 wrote to memory of 2236 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3764 wrote to memory of 2236 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3764 wrote to memory of 2236 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2236 -ip 2236
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2236 -s 616
Network
Files
Analysis: behavioral8
Detonation Overview
| Submitted | 2024-11-13 10:07 |
| Reported | 2024-11-13 10:13 |
| Platform | win10ltsc2021-20241023-en |
| Max time kernel | 107s |
| Max time network | 139s |
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3dcompiler_47.dll,#1
Network
Files
Analysis: behavioral9
Detonation Overview
| Submitted | 2024-11-13 10:07 |
| Reported | 2024-11-13 10:13 |
| Platform | win10ltsc2021-20241023-en |
| Max time kernel | 149s |
| Max time network | 159s |
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1
Network
Files
Analysis: behavioral11
Detonation Overview
| Submitted | 2024-11-13 10:07 |
| Reported | 2024-11-13 10:13 |
| Platform | win10ltsc2021-20241023-en |
| Max time kernel | 148s |
| Max time network | 159s |
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1
Network
Files
Analysis: behavioral14
Detonation Overview
| Submitted | 2024-11-13 10:07 |
| Reported | 2024-11-13 10:13 |
| Platform | win10ltsc2021-20241023-en |
| Max time kernel | 107s |
| Max time network | 149s |
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe
"C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe"
Network
Files
Analysis: behavioral20
Detonation Overview
| Submitted | 2024-11-13 10:07 |
| Reported | 2024-11-13 10:13 |
| Platform | win10ltsc2021-20241023-en |
| Max time kernel | 98s |
| Max time network | 141s |
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3168 wrote to memory of 4064 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3168 wrote to memory of 4064 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3168 wrote to memory of 4064 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4064 -ip 4064
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 624
Network
Files
Analysis: behavioral21
Detonation Overview
| Submitted | 2024-11-13 10:07 |
| Reported | 2024-11-13 10:13 |
| Platform | win10ltsc2021-20241023-en |
| Max time kernel | 98s |
| Max time network | 138s |
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4708 wrote to memory of 1980 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4708 wrote to memory of 1980 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4708 wrote to memory of 1980 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1980 -ip 1980
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 628
Network
Files
Analysis: behavioral22
Detonation Overview
| Submitted | 2024-11-13 10:07 |
| Reported | 2024-11-13 10:13 |
| Platform | win10ltsc2021-20241023-en |
| Max time kernel | 98s |
| Max time network | 137s |
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3668 wrote to memory of 4156 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3668 wrote to memory of 4156 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3668 wrote to memory of 4156 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4156 -ip 4156
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4156 -s 612
Network
Files
Analysis: behavioral4
Detonation Overview
| Submitted | 2024-11-13 10:07 |
| Reported | 2024-11-13 10:13 |
| Platform | win10ltsc2021-20241023-en |
| Max time kernel | 97s |
| Max time network | 140s |
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2028 wrote to memory of 4024 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2028 wrote to memory of 4024 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2028 wrote to memory of 4024 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4024 -ip 4024
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 612
Network
Files
Analysis: behavioral6
Detonation Overview
| Submitted | 2024-11-13 10:07 |
| Reported | 2024-11-13 10:13 |
| Platform | win10ltsc2021-20241023-en |
| Max time kernel | 150s |
| Max time network | 156s |
Command Line
Signatures
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\F: | C:\Users\Admin\AppData\Local\Temp\resources\binaries\core_module.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SystemTemp | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Reads user/profile data of web browsers
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\gdlauncher\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\GDLauncher.exe\" \"%1\"" | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\gdlauncher | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\gdlauncher\URL Protocol | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\gdlauncher\ = "URL:gdlauncher" | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\gdlauncher\shell\open\command | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\gdlauncher\shell | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\gdlauncher\shell\open | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "%windir%\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid"
C:\Windows\System32\reg.exe
C:\Windows\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid
C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\gdlauncher_carbon /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\Crashpad --url=https://f.a.k/e --annotation=_productName=GDLauncher --annotation=_version=2.0.20 --annotation=plat=Win64 --annotation=prod=Electron --annotation=ver=28.2.5 --initial-client-data=0x528,0x52c,0x530,0x51c,0x534,0x7ff6e66ff648,0x7ff6e66ff654,0x7ff6e66ff660
C:\Users\Admin\AppData\Local\Temp\resources\binaries\core_module.exe
C:\Users\Admin\AppData\Local\Temp\resources\binaries\core_module.exe --runtime_path C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\data
C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\gdlauncher_carbon" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1896 --field-trial-handle=1900,i,5426585292859037850,14187559662413195545,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:2
C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe --type=cs --cs-app=GDLauncher
C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\gdlauncher_carbon" --standard-schemes=owepm --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --streaming-schemes=owepm --mojo-platform-channel-handle=2220 --field-trial-handle=1900,i,5426585292859037850,14187559662413195545,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8
C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\gdlauncher_carbon" --standard-schemes=owepm --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --streaming-schemes=owepm --app-user-model-id=GDLauncher --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --enable-sandbox --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2684 --field-trial-handle=1900,i,5426585292859037850,14187559662413195545,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --skip-intro-animation=false /prefetch:1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\gdlauncher_carbon" --standard-schemes=owepm --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --streaming-schemes=owepm --app-user-model-id=GDLauncher --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3656 --field-trial-handle=1900,i,5426585292859037850,14187559662413195545,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:1
C:\Program Files\Java\jdk-1.8\bin\java.exe
"C:\Program Files\Java\jdk-1.8\bin\java.exe" -cp C:\Users\Admin\AppData\Local\Temp JavaCheck
C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\gdlauncher_carbon" --standard-schemes=owepm --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --streaming-schemes=owepm --app-user-model-id=GDLauncher --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --node-integration-in-worker --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2988 --field-trial-handle=1900,i,5426585292859037850,14187559662413195545,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --uid=dibeihhdinofpmiennjkclnoidpjakanhclfmpmo --package-folder="C:\Users\Admin\AppData\Roaming\ow-electron" --app-root="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --muid=adb74a79-b134-1e29-8428-787d6dcb8380 --phase=63 --owepm-config="{\"phasing\":100}" --js-flags=--expose-gc /prefetch:1
C:\Program Files\Java\jre-1.8\bin\java.exe
"C:\Program Files\Java\jre-1.8\bin\java.exe" -cp C:\Users\Admin\AppData\Local\Temp JavaCheck
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_37343\java.exe
"C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_37343\java.exe" -cp C:\Users\Admin\AppData\Local\Temp JavaCheck
C:\Program Files\Java\jdk-1.8\bin\java.exe
"C:\Program Files\Java\jdk-1.8\bin\java.exe" -cp C:\Users\Admin\AppData\Local\Temp JavaCheck
C:\Program Files\Java\jre-1.8\bin\java.exe
"C:\Program Files\Java\jre-1.8\bin\java.exe" -cp C:\Users\Admin\AppData\Local\Temp JavaCheck
C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --user-data-dir="C:\Users\Admin\AppData\Roaming\gdlauncher_carbon" --standard-schemes=owepm --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --streaming-schemes=owepm --mojo-platform-channel-handle=3712 --field-trial-handle=1900,i,5426585292859037850,14187559662413195545,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x50c 0x500
C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --user-data-dir="C:\Users\Admin\AppData\Roaming\gdlauncher_carbon" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2296 --field-trial-handle=1900,i,5426585292859037850,14187559662413195545,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.gdl.gg | udp |
| US | 172.67.73.58:443 | api.gdl.gg | tcp |
| US | 8.8.8.8:53 | electronapi.overwolf.com | udp |
| US | 8.8.8.8:53 | electronapi.overwolf.com | udp |
| US | 8.8.8.8:53 | tracking.overwolf.com | udp |
| US | 8.8.8.8:53 | tracking.overwolf.com | udp |
| US | 8.8.8.8:53 | analyticsnew.overwolf.com | udp |
| US | 8.8.8.8:53 | analyticsnew.overwolf.com | udp |
| US | 8.8.8.8:53 | unpkg.com | udp |
| US | 8.8.8.8:53 | unpkg.com | udp |
| US | 8.8.8.8:53 | features.overwolf.com | udp |
| US | 8.8.8.8:53 | features.overwolf.com | udp |
| FR | 13.249.9.62:443 | electronapi.overwolf.com | tcp |
| FR | 18.245.175.10:443 | analyticsnew.overwolf.com | tcp |
| FR | 18.245.175.10:443 | analyticsnew.overwolf.com | tcp |
| US | 52.21.153.248:443 | tracking.overwolf.com | tcp |
| US | 52.21.153.248:443 | tracking.overwolf.com | tcp |
| US | 104.17.246.203:443 | unpkg.com | tcp |
| FR | 3.165.136.129:443 | features.overwolf.com | tcp |
| US | 52.21.153.248:443 | tracking.overwolf.com | tcp |
| US | 8.8.8.8:53 | content.overwolf.com | udp |
| US | 8.8.8.8:53 | content.overwolf.com | udp |
| FR | 18.244.28.67:443 | content.overwolf.com | tcp |
| US | 8.8.8.8:53 | 62.9.249.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.73.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.175.245.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.246.17.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.136.165.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 248.153.21.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.28.244.18.in-addr.arpa | udp |
| FR | 18.245.175.10:443 | analyticsnew.overwolf.com | tcp |
| US | 172.67.73.58:443 | api.gdl.gg | tcp |
| US | 8.8.8.8:53 | electrondl-overwolf-com.akamaized.net | udp |
| US | 8.8.8.8:53 | electrondl-overwolf-com.akamaized.net | udp |
| GB | 2.19.117.102:443 | electrondl-overwolf-com.akamaized.net | tcp |
| US | 8.8.8.8:53 | content.overwolf.com | udp |
| US | 8.8.8.8:53 | content.overwolf.com | udp |
| FR | 18.244.28.15:443 | content.overwolf.com | tcp |
| FR | 18.244.28.15:443 | content.overwolf.com | tcp |
| FR | 18.244.28.15:443 | content.overwolf.com | tcp |
| US | 8.8.8.8:53 | 102.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.28.244.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | cdn-raw.gdl.gg | udp |
| US | 8.8.8.8:53 | cdn-raw.gdl.gg | udp |
| US | 8.8.8.8:443 | dns.google | tcp |
| US | 8.8.4.4:443 | dns.google | tcp |
| US | 8.8.4.4:443 | dns.google | tcp |
| US | 8.8.8.8:443 | dns.google | tcp |
| US | 172.67.73.58:443 | cdn-raw.gdl.gg | udp |
| US | 172.67.73.58:443 | cdn-raw.gdl.gg | tcp |
| US | 8.8.8.8:53 | 4.4.8.8.in-addr.arpa | udp |
| N/A | 127.0.0.1:1025 | tcp | |
| N/A | 127.0.0.1:1025 | tcp | |
| N/A | 127.0.0.1:1025 | tcp | |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.4.4:443 | dns.google | udp |
| US | 54.83.233.222:443 | tcp | |
| US | 8.8.8.8:53 | 222.233.83.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 213.80.50.20.in-addr.arpa | udp |
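Most rows in this table are sandbox noise rather than sample behaviour: reverse lookups (`*.in-addr.arpa`) that the VM issues for peers it has just talked to, and traffic to its configured resolver (8.8.8.8 / 8.8.4.4, including DNS-over-HTTPS/QUIC on port 443 to dns.google). The Python script below is an added example, not part of this report or of the GDLauncher project, that reduces such a table to the names and endpoints an analyst would actually pivot on. It assumes the report's `| Country | Destination | Domain | Proto |` layout and IPv4 destinations; its sample rows are copied from the table above. Rows with no Domain value (direct connections) are parsed whether the Domain cell is empty or the protocol has been shifted into it, both layouts these reports produce.

```python
import ipaddress

# Constructed sample: rows copied from the Network table above. Two rows
# carry no Domain value (direct connections); one is written with an
# empty Domain cell, the other with the protocol shifted into it.
SAMPLE_ROWS = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.73.67.172.in-addr.arpa | udp |
| FR | 18.245.175.10:443 | analyticsnew.overwolf.com | tcp |
| US | 172.67.73.58:443 | api.gdl.gg | tcp |
| US | 8.8.8.8:53 | electrondl-overwolf-com.akamaized.net | udp |
| GB | 2.19.117.102:443 | electrondl-overwolf-com.akamaized.net | tcp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:443 | dns.google | tcp |
| US | 172.67.73.58:443 | cdn-raw.gdl.gg | udp |
| N/A | 127.0.0.1:1025 | | tcp |
| US | 54.83.233.222:443 | tcp | |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | 222.233.83.54.in-addr.arpa | udp |
"""

PROTOS = {"tcp", "udp"}
# Google Public DNS, the resolver this sandbox is configured with (assumption
# taken from the 8.8.8.8:53 rows above).
RESOLVERS = {ipaddress.ip_address("8.8.8.8"), ipaddress.ip_address("8.8.4.4")}


def parse_row(line):
    """Split one table row into (country, ip, port, domain, proto).
    Returns None for the header, blank lines and anything unparseable.
    IPv4 only, as in this report."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) != 4 or cells[0] == "Country":
        return None
    country, dest, domain, proto = cells
    if domain in PROTOS and proto == "":
        domain, proto = "", domain          # protocol was shifted left
    host, _, port = dest.rpartition(":")
    try:
        return country, ipaddress.ip_address(host), int(port), domain, proto
    except ValueError:
        return None


def rdns_to_ip(name):
    """'58.73.67.172.in-addr.arpa' -> '172.67.73.58': a PTR name is the
    address with its octets reversed, so each rDNS row names a peer."""
    octets = name[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets))


def classify(rec):
    """Bucket a row; only 'external' and 'dns-query' are worth pivoting on."""
    country, ip, port, domain, proto = rec
    if domain.endswith(".in-addr.arpa"):
        return "rdns-noise"      # the sandbox reverse-resolving peers it saw
    if ip.is_loopback or ip.is_private or ip.is_multicast or ip.is_link_local:
        return "local"
    if domain == "dns.google":
        return "resolver"        # DoH/DoQ and lookups of the resolver itself
    if ip in RESOLVERS and port == 53:
        return "dns-query"       # a lookup; keep the name even if never connected
    return "external"


def external_indicators(table_text):
    """Map each contacted name (or bare IP when the report has no name) to
    the sorted 'ip:port/proto' endpoints actually connected to. A name that
    was only looked up gets an empty list."""
    indicators = {}
    for line in table_text.splitlines():
        rec = parse_row(line)
        if rec is None:
            continue
        kind = classify(rec)
        country, ip, port, domain, proto = rec
        if kind == "dns-query":
            indicators.setdefault(domain, set())
        elif kind == "external":
            indicators.setdefault(domain or str(ip), set()).add(f"{ip}:{port}/{proto}")
    return {name: sorted(eps) for name, eps in indicators.items()}


if __name__ == "__main__":
    for name, endpoints in external_indicators(SAMPLE_ROWS).items():
        print(f"{name:45} {', '.join(endpoints) or '(lookup only)'}")
```

Run against the sample this leaves five entries: the two Overwolf hosts, api.gdl.gg, cdn-raw.gdl.gg and the unnamed 54.83.233.222:443 connection, which is the one endpoint here with no DNS name to attribute it by. Note that `rdns_to_ip` turns the first rDNS row into 172.67.73.58, the same address api.gdl.gg resolved to, which is why those rows are noise and not a second contact.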
Files
\??\pipe\crashpad_1608_VQJZTAZVMVJUMJBC
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\data\gdl_conf.db
| MD5 | cc3733801ee562c3dc7054fe86f90980 |
| SHA1 | bfd8aab5ad354e107aac0b44f71b4da5bf2d273e |
| SHA256 | abfd86d6a3a00ed4516cc623069f7bc63c8b7cab74b6ab5488261914b6a31265 |
| SHA512 | 074f4d6aed5ca12f9ae57e73851bc091b2d4b097c35882e306e65c8308e29456c711bddc87e2fbd5aa6fa628ca335a16fe56423cd1e873aeabce64b244cc2a0a |
C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\Partitions\__owepm__\Local Storage\leveldb\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
memory/2068-64-0x00007FFF41FE0000-0x00007FFF41FE1000-memory.dmp
memory/2068-63-0x00007FFF41B10000-0x00007FFF41B11000-memory.dmp
C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\Partitions\__owepm__\Shared Dictionary\cache\index
| MD5 | 54cb446f628b2ea4a5bce5769910512e |
| SHA1 | c27ca848427fe87f5cf4d0e0e3cd57151b0d820d |
| SHA256 | fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d |
| SHA512 | 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0 |
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\Partitions\__owepm__\Cache\Cache_Data\data_0
| MD5 | cf89d16bb9107c631daabf0c0ee58efb |
| SHA1 | 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b |
| SHA256 | d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e |
| SHA512 | 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0 |
C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\Partitions\__owepm__\Cache\Cache_Data\data_3
| MD5 | 41876349cb12d6db992f1309f22df3f0 |
| SHA1 | 5cf26b3420fc0302cd0a71e8d029739b8765be27 |
| SHA256 | e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c |
| SHA512 | e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e |
C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\Partitions\__owepm__\Cache\Cache_Data\data_2
| MD5 | 0962291d6d367570bee5454721c17e11 |
| SHA1 | 59d10a893ef321a706a9255176761366115bedcb |
| SHA256 | ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7 |
| SHA512 | f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed |
C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\Partitions\__owepm__\Cache\Cache_Data\data_1
| MD5 | d0d388f3865d0523e451d6ba0be34cc4 |
| SHA1 | 8571c6a52aacc2747c048e3419e5657b74612995 |
| SHA256 | 902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b |
| SHA512 | 376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17 |
memory/4888-139-0x000001FBD6550000-0x000001FBD6572000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_edvnmk3u.jvi.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4888-157-0x000001FBD6A80000-0x000001FBD6AC4000-memory.dmp
memory/4888-166-0x000001FBD6B50000-0x000001FBD6BC6000-memory.dmp
C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\Session Storage\MANIFEST-000001
| MD5 | 5af87dfd673ba2115e2fcf5cfdb727ab |
| SHA1 | d5b5bbf396dc291274584ef71f444f420b6056f1 |
| SHA256 | f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4 |
| SHA512 | de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b |
memory/2016-188-0x000001C446C00000-0x000001C446C2A000-memory.dmp
memory/2016-190-0x000001C446C00000-0x000001C446C24000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\JavaCheck.class
| MD5 | 8098d31488cd52db41f95188b9daed5e |
| SHA1 | 76988b607c667c86211fe1dfe57ed4aedacc5691 |
| SHA256 | c607f5871610bf9240c75f4abe947469496570b380f670e9d8d09f9c785978b5 |
| SHA512 | e2b4c54e78daba4a04d17915eded43a3f59a744108cf28baf4c22545d807338a39de052d69243ce610981b930e49790ba8be0f7b370e042a9526ef09e2b9fb78 |
memory/2144-221-0x0000019882F80000-0x0000019882F81000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 432f9dde51413638aa680afc11009cee |
| SHA1 | 3a457e5820bae4e2e8f4c805e020e6431fd90fcd |
| SHA256 | 882b1f9d2025c7bdd95f6bf95011745281f84b65326027b5ad7903e67cb5ca65 |
| SHA512 | b3a7be48d871b29bc995bacd66d66cbc2def0723fe232f3b58826581954c30c95c8c235ab63d026b576294ca7ab45ccded9a6f35a7121f311f71c429cbf59549 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 6e8a22d25f5b76a8d6ec8aee6df8be5f |
| SHA1 | c587d7d3db3925a4a74782de196b7b05fb73e73e |
| SHA256 | c12f1de062291c115fd4af16fb0b5236d75e063d65841f5be33d35018812f5fc |
| SHA512 | 76b9e5729d65622b8c0e1e1292a92c6df3021cccf0516f9f19af0dac23514b593296d445111071912b2d5e7afa184707f3b189d955c9e77ba4226fc1be0aa7b2 |
C:\Users\Admin\AppData\Roaming\ow-electron\dibeihhdinofpmiennjkclnoidpjakanhclfmpmo\logs\owpm.log
| MD5 | 0e9058fb9054d5b35feb01048bf6b84f |
| SHA1 | 3c69f0d1ae047e1c1e34437db0309a1d77a66de8 |
| SHA256 | 9c98754c8fe719f5bbd0186fb16a4564fcbabb0ffe73be89b2a7abdca4de72df |
| SHA512 | 2f31dc897fb9939d938f5794045d6db39093ea8aa3b8203ac4afdd43392d4be7ee52bfb2ce78b3adfbeda3b8c678f49c44dce7609da4dd83a1a986eda80c90a5 |
C:\Users\Admin\AppData\Roaming\ow-electron\dibeihhdinofpmiennjkclnoidpjakanhclfmpmo\packages\jopghajpapbfooofklncedoalpgiaglgjaokpkon.owepk
| MD5 | 9c01e71fd87f8548f1433a01bd41cc01 |
| SHA1 | f3961505e96038d96f0f87f3e47f5e49e66c390d |
| SHA256 | cefa09c7f9c0309fbb3f49ea34cae8ccd095d6612f3fc1b9c8e1912e1ad44d5d |
| SHA512 | 36641fabf05de49e1bb5f99acec7dfa0388dae44bab1e564b70d47512ec059958b1109a67454759021593826b4c1b605021047385144c79303fce1a5e55776d9 |
memory/2608-264-0x000002D6ABC20000-0x000002D6ABC21000-memory.dmp
C:\Users\Admin\AppData\Roaming\ow-electron\dibeihhdinofpmiennjkclnoidpjakanhclfmpmo\packages\jopghajpapbfooofklncedoalpgiaglgjaokpkon\2.1.3\ow-electron-utility-plugin.node
| MD5 | 2e8dec2f5f64f92ee8a906817dfa20f6 |
| SHA1 | 8ceeac10c096e7e0dae87c1b5283c3d66d421652 |
| SHA256 | 6b6b2c7784b4b3bd2f9709df3093b49197005e047e74b0784d80482e1cc17fab |
| SHA512 | 8e17acf0cf73836eef6961d1ec3e3e91489ae8b933c33b96812c5bcde908c9ac5a812cbbf19b41489bcaabc005fd51550b3f277c6678f6026f3a06c3b824f617 |
C:\Users\Admin\AppData\Roaming\ow-electron\dibeihhdinofpmiennjkclnoidpjakanhclfmpmo\logs\utility\utility.log
| MD5 | 13fef188aa9b7a37cf0676774b028d57 |
| SHA1 | 8f7cfb4dd48054f0c37af40bf7b48907e1be176f |
| SHA256 | 04e0ed55cdc3778773dc70400a2f15b0275ad9d412ec61568d24dd4fbfc158ce |
| SHA512 | 8e95ce8f5bf742231be690e5c11ae65381a638512bb59cf50a2f449a54c31da1f0cf5e049d907e4b87425e695da1675a3b1d638355881b099c0172c9d7a2dde6 |
memory/1080-299-0x000001F9E75D0000-0x000001F9E75D1000-memory.dmp
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
| MD5 | 792a0f700e26a7cbe9b6c90271e359bd |
| SHA1 | 15d27d64261809f0524eb6ebfd5daa6696caaf54 |
| SHA256 | afd610b3ea1f4f5ec55af89e56acc435678b31f7eb7d29fe2db5dda2a97f3200 |
| SHA512 | b4ac23efa712326e95b0589b171303665d12a4628e3b299aa3dbc5bb9d411c2d3cfa263f9dd297f57eabf38fda492dbf793f5ec9a249194d737712b0166a3c11 |
C:\Users\Admin\AppData\Roaming\ow-electron\dibeihhdinofpmiennjkclnoidpjakanhclfmpmo\logs\utility\utility.log
| MD5 | 2e47aa8190afff4bf724b4aa049adfba |
| SHA1 | 563ea9db82686da1f072ce83c2877bfea3c1e3de |
| SHA256 | 0f40fbba7080f3f7d10295a4c96fc549943359a92310e2484cd1548af65d2e72 |
| SHA512 | b33d74693b4be5640e515291c962a8b74e97578f2e981dde78aea48137a83c8530daeb28ed27af78e15adce30af8e03c05c9961914f6fcee5a1eb216865d9f74 |
C:\ProgramData\Oracle\Java\.oracle_jre_usage\905ebba3a8fc8cc.timestamp
| MD5 | c5eb8f040f95db8be9b01b83df45e753 |
| SHA1 | 4b69a1df2c60462320a1aceb0b7ec593412bfe9e |
| SHA256 | aa9569442bc21bc4c3c7274884e4df364b939b413514acd645c1d2566772c8d3 |
| SHA512 | 453bb0297871e34b7f5be358ab9efd59a12cfff3db73b0c3d1c32cee63f21e59d6d3ea46171a92f1a7a04cc5b89b6db801a548589d22329d72d48f6e9d3c9f9d |
memory/2992-325-0x000001EF9BDF0000-0x000001EF9BDF1000-memory.dmp
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
| MD5 | d0d555099f56613fbbfc4292e37ecb30 |
| SHA1 | da5e5ab0258d99a80b6f4fdcf97df7896cc9e24f |
| SHA256 | 7c88153f8f886cafe15cedc4db45027b03a6428db3a5f4add4f4d87edc88cfa5 |
| SHA512 | a6ecbc1fbe5fb0604f96a2da8e5fbc65da0d4313078086dcedebce981a793c5b8626d8b161b88075b53fa3feb1f4978e86ca2e8a6faba4febfbfade4b6f2d4d5 |
memory/4280-338-0x0000018FA0F70000-0x0000018FA0F71000-memory.dmp
C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\sentry\scope_v3.json
| MD5 | 2ec4455ef4cd9361bd12254a88f46b9c |
| SHA1 | 31d3b2ee78a07fda1b2d9bb78b1fa014bc1e4600 |
| SHA256 | 18a87971ca52f0f068213cd0679132af21e6496890cd169b021d87dd5e5dff79 |
| SHA512 | 32214c0ab4dc8dff6e3553c8d6d59429e2d764789ed040bebc988dcb463570a8fdce15a9c6096eb2c9e9d202f1432cb8c120124c305ee614f64722a07a4382b6 |
memory/4416-350-0x00007FFF418D0000-0x00007FFF418D1000-memory.dmp
C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\9479decd-abd9-4121-97a1-cd012a6ebcc3.tmp
| MD5 | 58127c59cb9e1da127904c341d15372b |
| SHA1 | 62445484661d8036ce9788baeaba31d204e9a5fc |
| SHA256 | be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de |
| SHA512 | 8d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a |
C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\Network\Network Persistent State
| MD5 | ce0d22daa2e8f958cb81f26f36c9fa31 |
| SHA1 | 093f8e1c8c045950cdeca4814a0a27a94a69aebd |
| SHA256 | 4645a3dc2ce227f59359d5df18d03ee6c51fa116b996f2b8be0259ed8c495956 |
| SHA512 | 066af56b9b2011ec14e1f3e30aa11c5caa74d2cee620483f648506f918d3b1042695fefa36888196d39285f1b1b13372991c6ed74fa6d65f265d37a023f9ccc8 |
C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\Partitions\__owepm__\Network\Network Persistent State
| MD5 | 54360ea374d7b08f5f47ff42f2b0ad12 |
| SHA1 | cca2fe5c6699df8931a81ed8e38dcb7bf004ead0 |
| SHA256 | 90a1a52f056d2272e3ec7a8333d76e4633d72ba0b9caee83ca5abbc8bea886e3 |
| SHA512 | 153b6071ded92ccd51d0596ef1d5552cdca4123c2c8ea19df96bce2bb9caaa2f11eb54c5c5330f9a3dcffc2d58dac4c9c9289961cf7862bbebbd0e4cbb0d2e29 |
C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\Partitions\__owepm__\Network\Network Persistent State
| MD5 | 2800881c775077e1c4b6e06bf4676de4 |
| SHA1 | 2873631068c8b3b9495638c865915be822442c8b |
| SHA256 | 226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974 |
| SHA512 | e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b |
memory/2116-430-0x000001CE71BC0000-0x000001CE71BC1000-memory.dmp
memory/2116-431-0x000001CE71BC0000-0x000001CE71BC1000-memory.dmp
memory/2116-429-0x000001CE71BC0000-0x000001CE71BC1000-memory.dmp
memory/2116-441-0x000001CE71BC0000-0x000001CE71BC1000-memory.dmp
memory/2116-440-0x000001CE71BC0000-0x000001CE71BC1000-memory.dmp
memory/2116-439-0x000001CE71BC0000-0x000001CE71BC1000-memory.dmp
memory/2116-438-0x000001CE71BC0000-0x000001CE71BC1000-memory.dmp
memory/2116-437-0x000001CE71BC0000-0x000001CE71BC1000-memory.dmp
memory/2116-436-0x000001CE71BC0000-0x000001CE71BC1000-memory.dmp
memory/2116-435-0x000001CE71BC0000-0x000001CE71BC1000-memory.dmp
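Three things in the file list above are easy to misread. The crashpad named pipe carries the digests of zero bytes (MD5 d41d8cd98f00b204e9800998ecf8427e, SHA-256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855), which means the sandbox captured no content from it, not that an empty file was dropped. The `memory/...-memory.dmp` lines are memory-region dumps and have no hashes at all. And paths that appear more than once with different hashes (utility.log, the two `Network Persistent State` files, the Oracle `.timestamp`) are one file rewritten during the run, not separate drops. The Python script below is an added example, not part of this report or of the GDLauncher project, that parses a list in this format and flags each of those cases. Its sample entries are copied from the list above, and the empty-content digests are computed with `hashlib` rather than typed in, so the comparison cannot drift from the real values.

```python
import hashlib
import re

# Constructed sample: entries copied from the Files list above. It includes
# the crashpad pipe, one memory-dump line and a log file the report lists
# twice with different hashes.
SAMPLE_FILES = r"""
\??\pipe\crashpad_1608_VQJZTAZVMVJUMJBC
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\data\gdl_conf.db
| MD5 | cc3733801ee562c3dc7054fe86f90980 |
| SHA1 | bfd8aab5ad354e107aac0b44f71b4da5bf2d273e |
| SHA256 | abfd86d6a3a00ed4516cc623069f7bc63c8b7cab74b6ab5488261914b6a31265 |
| SHA512 | 074f4d6aed5ca12f9ae57e73851bc091b2d4b097c35882e306e65c8308e29456c711bddc87e2fbd5aa6fa628ca335a16fe56423cd1e873aeabce64b244cc2a0a |
memory/4888-139-0x000001FBD6550000-0x000001FBD6572000-memory.dmp
C:\Users\Admin\AppData\Roaming\ow-electron\dibeihhdinofpmiennjkclnoidpjakanhclfmpmo\logs\utility\utility.log
| MD5 | 13fef188aa9b7a37cf0676774b028d57 |
| SHA1 | 8f7cfb4dd48054f0c37af40bf7b48907e1be176f |
| SHA256 | 04e0ed55cdc3778773dc70400a2f15b0275ad9d412ec61568d24dd4fbfc158ce |
| SHA512 | 8e95ce8f5bf742231be690e5c11ae65381a638512bb59cf50a2f449a54c31da1f0cf5e049d907e4b87425e695da1675a3b1d638355881b099c0172c9d7a2dde6 |
C:\Users\Admin\AppData\Roaming\ow-electron\dibeihhdinofpmiennjkclnoidpjakanhclfmpmo\logs\utility\utility.log
| MD5 | 2e47aa8190afff4bf724b4aa049adfba |
| SHA1 | 563ea9db82686da1f072ce83c2877bfea3c1e3de |
| SHA256 | 0f40fbba7080f3f7d10295a4c96fc549943359a92310e2484cd1548af65d2e72 |
| SHA512 | b33d74693b4be5640e515291c962a8b74e97578f2e981dde78aea48137a83c8530daeb28ed27af78e15adce30af8e03c05c9961914f6fcee5a1eb216865d9f74 |
"""

HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
# Digests of zero bytes, computed rather than typed in.
EMPTY_DIGESTS = {algo: hashlib.new(algo, b"").hexdigest() for algo in HEX_LEN}

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")


def parse_files(text):
    """Group the list into artifacts: a path line followed by up to four
    hash rows. memory/...dmp lines become artifacts with no hashes."""
    artifacts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_ROW.match(line)
        if m:
            if not artifacts:
                raise ValueError("hash row before any path: " + line)
            artifacts[-1]["hashes"][m.group(1).lower()] = m.group(2).lower()
        else:
            artifacts.append({"path": line, "hashes": {}})
    return artifacts


def triage_files(text):
    """Flag artifacts whose digests are those of zero bytes (nothing was
    captured), paths listed more than once with different content (the
    file was rewritten during the run), digests of the wrong length for
    their algorithm, and count the memory dumps."""
    report = {"empty": [], "rewritten": {}, "bad_length": [], "memory_dumps": 0}
    by_path = {}
    for art in parse_files(text):
        path, hashes = art["path"], art["hashes"]
        if path.startswith("memory/") and not hashes:
            report["memory_dumps"] += 1
            continue
        if hashes and all(hashes.get(k) == v for k, v in EMPTY_DIGESTS.items()):
            report["empty"].append(path)
        for algo, hexd in hashes.items():
            if len(hexd) != HEX_LEN[algo]:
                report["bad_length"].append((path, algo))
        if "sha256" in hashes:
            by_path.setdefault(path, []).append(hashes["sha256"])
    for path, digests in by_path.items():
        if len(set(digests)) > 1:
            report["rewritten"][path] = digests   # in the order the report lists them
    return report


if __name__ == "__main__":
    rep = triage_files(SAMPLE_FILES)
    print("empty-content artifacts:", rep["empty"])
    print("memory dumps:", rep["memory_dumps"])
    for path, digests in rep["rewritten"].items():
        print("rewritten:", path, "->", " then ".join(d[:12] for d in digests))
```

The rewritten-file check keys on SHA-256 only; an entry that lacks it is skipped rather than guessed at. The length check is a cheap guard against copy damage in pasted reports, where a truncated digest would otherwise be searched for verbatim and never match.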
Analysis: behavioral7
Detonation Overview
Submitted
2024-11-13 10:07
Reported
2024-11-13 10:13
Platform
win10ltsc2021-20241023-en
Max time kernel
146s
Max time network
146s
Command Line
Signatures
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\1adb15e5-adbf-4902-9e27-d8f4aadc6501.tmp | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241113101100.pma | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe | N/A |
Browser Information Discovery
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffd87c346f8,0x7ffd87c34708,0x7ffd87c34718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,15606408485325213058,13213589462616859574,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,15606408485325213058,13213589462616859574,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2448 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,15606408485325213058,13213589462616859574,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15606408485325213058,13213589462616859574,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15606408485325213058,13213589462616859574,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,15606408485325213058,13213589462616859574,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5620 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff6c19f5460,0x7ff6c19f5470,0x7ff6c19f5480
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,15606408485325213058,13213589462616859574,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5620 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15606408485325213058,13213589462616859574,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15606408485325213058,13213589462616859574,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15606408485325213058,13213589462616859574,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15606408485325213058,13213589462616859574,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6108 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,15606408485325213058,13213589462616859574,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1872 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nav.smartscreen.microsoft.com | udp |
| GB | 172.165.61.93:443 | nav.smartscreen.microsoft.com | tcp |
| US | 8.8.8.8:53 | data-edge.smartscreen.microsoft.com | udp |
| GB | 51.11.108.188:443 | data-edge.smartscreen.microsoft.com | tcp |
| GB | 51.11.108.188:443 | data-edge.smartscreen.microsoft.com | tcp |
| GB | 51.11.108.188:443 | data-edge.smartscreen.microsoft.com | tcp |
| US | 8.8.8.8:53 | 93.61.165.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 188.108.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.197.79.204.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fd.api.iris.microsoft.com | udp |
| IE | 20.223.35.26:443 | fd.api.iris.microsoft.com | tcp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | c29339188732b78d10f11d3fb23063cb |
| SHA1 | 2db38f26fbc92417888251d9e31be37c9380136f |
| SHA256 | 0a61fa9e17b9ae7812cdeda5e890b22b14e53fa14a90db334f721252a9c874c2 |
| SHA512 | 77f1f5f78e73f4fc01151e7e2a553dc4ed9bf35dd3a9565501f698be373640f153c6d7fc83450b9d2f29aeaa72387dd627d56f287a46635c2da07c60bc3d6e2c |
\??\pipe\LOCAL\crashpad_2572_HCDLAMDYSGALGZDZ
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
| MD5 | e5e3377341056643b0494b6842c0b544 |
| SHA1 | d53fd8e256ec9d5cef8ef5387872e544a2df9108 |
| SHA256 | e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25 |
| SHA512 | 83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | ccff51f965f8f4176e4ad112c34c86a7 |
| SHA1 | eab249ca0f58ed7a8afbca30bdae123136463cd8 |
| SHA256 | 3eb00cf1bd645d308d0385a95a30737679be58dcc5433bc66216aac762d9da33 |
| SHA512 | 8c68f146152045c2a78c9e52198b8180b261edf61a8c28364728eafb1cba1df0fa29906e5ede69b3c1e0b67cfcbeb7fde65b8d2edbc397c9a4b99ecfe8dea2dd |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
| MD5 | 86aa28ffd286b08415aa197216684874 |
| SHA1 | d99924976c73e3220108817ad6bc1d8b1795ca2d |
| SHA256 | a6dc4bc6ade3039e57b538f2620b91602199f1908b23c4a2beb3fd3aa721579d |
| SHA512 | a51fbd1af778d32f2f95a9a863a59f42a7eb804dbb8ce85459297959eea21fbfe9625d74c3f91ad65016031d4b3e26eeb748c1c59e09ac68778fc670d408d0fa |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | a1048a714a4b3a214b70e915b6db27b2 |
| SHA1 | 76c5bc6c4c9f3f103d0eff761196580acfd3b39e |
| SHA256 | 9a72a9551ee4d7336a1481866647f6ced31d03f2f6e6f518492650a75e5b2b94 |
| SHA512 | d7b2309364b68df5cefee88b149896bd9dfdae62f238e0fbe5e4bf7b7e7d0c68d0b2a4efc5801f4b532612b544f80d24007809734b702a5d6d0279dd8ab18a4d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001
| MD5 | 5af87dfd673ba2115e2fcf5cfdb727ab |
| SHA1 | d5b5bbf396dc291274584ef71f444f420b6056f1 |
| SHA256 | f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4 |
| SHA512 | de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
| MD5 | 9c9788da83a3ed9f4a6ab738de371c89 |
| SHA1 | dc8376adcd1f85f1736218a8c94bba3966b76857 |
| SHA256 | 9c480979559fb7e49f86537bbc76ef8b535bd8abc6049f6c5385088909f6bfc8 |
| SHA512 | 22e50c0bd1d9ee5b611caaf01dd4a93be5865ed4c5a7f8391467b5b78fed0b628d1ec6b94167af29a511b9ad0ec4e74032a321f94bfcbe7335c13dce7d21c112 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
| MD5 | 0434360deb6f59ce2644dac3455da849 |
| SHA1 | bf3cba1c128c511b0e66e79a6c61808c40c17d15 |
| SHA256 | 2821083539c430e43f56729ec4de33283071b09b229dacff00858ce66f8b8414 |
| SHA512 | eb4fb5bc1b589c39a2e7f24ba1283723757461ac4adb2c8553217047c020f5bc462d8ce6739a5ffa981b5134bfe36381ef0cd6fa0f2ac73eaab88754e366130e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 206702161f94c5cd39fadd03f4014d98 |
| SHA1 | bd8bfc144fb5326d21bd1531523d9fb50e1b600a |
| SHA256 | 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167 |
| SHA512 | 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 7bcf5d1de2e64eb21c6e309475d93110 |
| SHA1 | 0e8d30bf2add415dfe38061396473e79664b7adf |
| SHA256 | 968d307fe00050edea57ee39081315413caf802c3cfc26a9118c4e21686d3491 |
| SHA512 | 3d5b4bbe28f44c73b06c937f0535a8a4d6c92076bde40d37e26c6e55fca6b1d8d6de203722187cc1c67f0b2ed3d93c6faa1faac3363ca6d2cd1bc315a2c1abcc |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 2743d0593e331d5ad5f40a81b5013f85 |
| SHA1 | b1f436124ed2e3a828ccb0190924bec36e7ac5c7 |
| SHA256 | c483e96d54386624c4a43f5b941d810fd9f92072f0de10aca099503c5124f3ae |
| SHA512 | 2693fc3db60f55e70d7e98ac4298025425de0bbc1f241156e94d25ff968d7b16f00e72d56146bdc0187c624c81d6aa65a5c22c43a020e8ea0052e755106e8b51 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
| MD5 | 26978f38b0bce48572b90b762b7d937c |
| SHA1 | 8b8b88012fab1d37fca79575a5db81674b424867 |
| SHA256 | b38f05e2e63a1f87026aed06f5b85354570c6f91d28947466f0555276bab6afa |
| SHA512 | 501e0de5f46bfaac901cde5c39a321edc411426fd91c83427f36710fa56d20b5f6ab8f2219d963f7ab495c2df7def879652381db3876b7e2a7080921cce78379 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 4dcd258a22f2a661830891ebc3e176d9 |
| SHA1 | 051a4c947ed89d2622c39686385706c0d0efa092 |
| SHA256 | c32198c5bac6eeeb2220b5d3bd53346b988deae67f7c0d91b40cd8ab4a0b5b89 |
| SHA512 | 837d5c297d307301b14c6ea05b2d1ed4c529332b8d60e1f767ea372af01257e21fececae20c7e8b99889976ff40205f387a8376f3809d75d509f0fd1f12da891 |
Analysis: behavioral10
Detonation Overview
Submitted
2024-11-13 10:07
Reported
2024-11-13 10:13
Platform
win10ltsc2021-20241023-en
Max time kernel
148s
Max time network
164s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-11-13 10:07
Reported
2024-11-13 10:13
Platform
win10ltsc2021-20241023-en
Max time kernel
149s
Max time network
156s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\owutility.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fd.api.iris.microsoft.com | udp |
| NL | 20.103.156.88:443 | fd.api.iris.microsoft.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.179.89.13.in-addr.arpa | udp |
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-11-13 10:07
Reported
2024-11-13 10:13
Platform
win10ltsc2021-20241023-en
Max time kernel
149s
Max time network
154s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3588 wrote to memory of 2444 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3588 wrote to memory of 2444 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3588 wrote to memory of 2444 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2444 -ip 2444
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2444 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 10:07
Reported
2024-11-13 10:13
Platform
win10ltsc2021-20241023-en
Max time kernel
149s
Max time network
156s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2392 wrote to memory of 3476 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2392 wrote to memory of 3476 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2392 wrote to memory of 3476 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SpiderBanner.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SpiderBanner.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-11-13 10:07
Reported
2024-11-13 10:13
Platform
win10ltsc2021-20241023-en
Max time kernel
97s
Max time network
138s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 704 wrote to memory of 4876 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 704 wrote to memory of 4876 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 704 wrote to memory of 4876 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4876 -ip 4876
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 616
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fd.api.iris.microsoft.com | udp |
| FR | 20.199.58.43:443 | fd.api.iris.microsoft.com | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-11-13 10:07
Reported
2024-11-13 10:13
Platform
win10ltsc2021-20241023-en
Max time kernel
149s
Max time network
156s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\vk_swiftshader.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fd.api.iris.microsoft.com | udp |
| FR | 20.199.58.43:443 | fd.api.iris.microsoft.com | tcp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.112.168.52.in-addr.arpa | udp |
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-11-13 10:07
Reported
2024-11-13 10:13
Platform
win10ltsc2021-20241023-en
Max time kernel
99s
Max time network
140s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3224 wrote to memory of 4468 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3224 wrote to memory of 4468 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3224 wrote to memory of 4468 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4468 -ip 4468
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 10:07
Reported
2024-11-13 10:12
Platform
win10ltsc2021-20241023-en
Max time kernel
129s
Max time network
128s
Command Line
Signatures
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\F: | C:\Users\Admin\AppData\Local\Programs\@gddesktop\resources\binaries\core_module.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe | N/A |
Checks installed software on the system
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SystemTemp | C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\@gddesktop\resources\binaries\core_module.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe | N/A |
Loads dropped DLL
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Reads user/profile data of web browsers
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\GDLauncher__2.0.20__win__x64.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 | C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000_Classes\gdlauncher | C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000_Classes\gdlauncher\URL Protocol | C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000_Classes\gdlauncher\ = "URL:gdlauncher" | C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000_Classes\gdlauncher\shell\open\command | C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000_Classes\gdlauncher\shell | C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000_Classes\gdlauncher\shell\open | C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000_Classes\gdlauncher\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\@gddesktop\\GDLauncher.exe\" \"%1\"" | C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\GDLauncher__2.0.20__win__x64.exe
"C:\Users\Admin\AppData\Local\Temp\GDLauncher__2.0.20__win__x64.exe"
C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe
"C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "%windir%\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid"
C:\Windows\System32\reg.exe
C:\Windows\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid
C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe
C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\gdlauncher_carbon /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\Crashpad --url=https://f.a.k/e --annotation=_productName=GDLauncher --annotation=_version=2.0.20 --annotation=plat=Win64 --annotation=prod=Electron --annotation=ver=28.2.5 --initial-client-data=0x54c,0x550,0x554,0x540,0x558,0x7ff69e23f648,0x7ff69e23f654,0x7ff69e23f660
C:\Users\Admin\AppData\Local\Programs\@gddesktop\resources\binaries\core_module.exe
C:\Users\Admin\AppData\Local\Programs\@gddesktop\resources\binaries\core_module.exe --runtime_path C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\data
C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe
"C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\gdlauncher_carbon" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1916 --field-trial-handle=1920,i,4865514398348347194,4484253133229551319,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:2
C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe
"C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\gdlauncher_carbon" --standard-schemes=owepm --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --streaming-schemes=owepm --mojo-platform-channel-handle=2224 --field-trial-handle=1920,i,4865514398348347194,4484253133229551319,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8
C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe
C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe --type=cs --cs-app=GDLauncher
C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe
"C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\gdlauncher_carbon" --standard-schemes=owepm --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --streaming-schemes=owepm --app-user-model-id=GDLauncher --app-path="C:\Users\Admin\AppData\Local\Programs\@gddesktop\resources\app.asar" --enable-sandbox --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2744 --field-trial-handle=1920,i,4865514398348347194,4484253133229551319,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --skip-intro-animation=false /prefetch:1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe
"C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\gdlauncher_carbon" --standard-schemes=owepm --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --streaming-schemes=owepm --app-user-model-id=GDLauncher --app-path="C:\Users\Admin\AppData\Local\Programs\@gddesktop\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3688 --field-trial-handle=1920,i,4865514398348347194,4484253133229551319,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:1
C:\Program Files\Java\jdk-1.8\bin\java.exe
"C:\Program Files\Java\jdk-1.8\bin\java.exe" -cp C:\Users\Admin\AppData\Local\Temp JavaCheck
C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe
"C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\gdlauncher_carbon" --standard-schemes=owepm --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --streaming-schemes=owepm --app-user-model-id=GDLauncher --app-path="C:\Users\Admin\AppData\Local\Programs\@gddesktop\resources\app.asar" --no-sandbox --no-zygote --node-integration-in-worker --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3868 --field-trial-handle=1920,i,4865514398348347194,4484253133229551319,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --uid=dibeihhdinofpmiennjkclnoidpjakanhclfmpmo --package-folder="C:\Users\Admin\AppData\Roaming\ow-electron" --app-root="C:\Users\Admin\AppData\Local\Programs\@gddesktop\resources\app.asar" --muid=cf701bf4-8488-e645-a22f-d66c86cf2be8 --phase=58 --owepm-config="{\"phasing\":100}" --js-flags=--expose-gc /prefetch:1
C:\Program Files\Java\jre-1.8\bin\java.exe
"C:\Program Files\Java\jre-1.8\bin\java.exe" -cp C:\Users\Admin\AppData\Local\Temp JavaCheck
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_36812\java.exe
"C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_36812\java.exe" -cp C:\Users\Admin\AppData\Local\Temp JavaCheck
C:\Program Files\Java\jdk-1.8\bin\java.exe
"C:\Program Files\Java\jdk-1.8\bin\java.exe" -cp C:\Users\Admin\AppData\Local\Temp JavaCheck
C:\Program Files\Java\jre-1.8\bin\java.exe
"C:\Program Files\Java\jre-1.8\bin\java.exe" -cp C:\Users\Admin\AppData\Local\Temp JavaCheck
C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe
"C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --user-data-dir="C:\Users\Admin\AppData\Roaming\gdlauncher_carbon" --standard-schemes=owepm --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --streaming-schemes=owepm --mojo-platform-channel-handle=3768 --field-trial-handle=1920,i,4865514398348347194,4484253133229551319,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x320 0x2c0
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | checkappexec.microsoft.com | udp |
| GB | 172.165.61.93:443 | checkappexec.microsoft.com | tcp |
| US | 8.8.8.8:53 | 93.61.165.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.gdl.gg | udp |
| US | 172.67.73.58:443 | api.gdl.gg | tcp |
| US | 8.8.8.8:53 | 58.73.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | electronapi.overwolf.com | udp |
| US | 8.8.8.8:53 | electronapi.overwolf.com | udp |
| FR | 13.249.9.99:443 | electronapi.overwolf.com | tcp |
| US | 8.8.8.8:53 | tracking.overwolf.com | udp |
| US | 8.8.8.8:53 | tracking.overwolf.com | udp |
| US | 8.8.8.8:53 | analyticsnew.overwolf.com | udp |
| US | 8.8.8.8:53 | analyticsnew.overwolf.com | udp |
| US | 8.8.8.8:53 | unpkg.com | udp |
| US | 8.8.8.8:53 | unpkg.com | udp |
| US | 8.8.8.8:53 | features.overwolf.com | udp |
| US | 8.8.8.8:53 | features.overwolf.com | udp |
| US | 3.208.91.189:443 | tracking.overwolf.com | tcp |
| US | 3.208.91.189:443 | tracking.overwolf.com | tcp |
| US | 104.17.247.203:443 | unpkg.com | tcp |
| FR | 18.245.175.87:443 | analyticsnew.overwolf.com | tcp |
| FR | 18.245.175.87:443 | analyticsnew.overwolf.com | tcp |
| FR | 3.165.136.48:443 | features.overwolf.com | tcp |
| US | 3.208.91.189:443 | tracking.overwolf.com | tcp |
| US | 8.8.8.8:53 | content.overwolf.com | udp |
| US | 8.8.8.8:53 | content.overwolf.com | udp |
| FR | 18.244.28.15:443 | content.overwolf.com | tcp |
| US | 8.8.8.8:53 | 99.9.249.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.247.17.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 87.175.245.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.136.165.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 189.91.208.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.28.244.18.in-addr.arpa | udp |
| US | 172.67.73.58:443 | api.gdl.gg | tcp |
| FR | 18.245.175.87:443 | analyticsnew.overwolf.com | tcp |
| US | 8.8.8.8:53 | electrondl-overwolf-com.akamaized.net | udp |
| US | 8.8.8.8:53 | electrondl-overwolf-com.akamaized.net | udp |
| GB | 2.19.117.100:443 | electrondl-overwolf-com.akamaized.net | tcp |
| US | 8.8.8.8:53 | 100.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | content.overwolf.com | udp |
| US | 8.8.8.8:53 | content.overwolf.com | udp |
| FR | 18.244.28.15:443 | content.overwolf.com | tcp |
| FR | 18.244.28.15:443 | content.overwolf.com | tcp |
| FR | 18.244.28.15:443 | content.overwolf.com | tcp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.4.4:443 | dns.google | tcp |
| US | 8.8.8.8:443 | dns.google | tcp |
| US | 8.8.4.4:443 | dns.google | tcp |
| US | 8.8.8.8:53 | 4.4.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | cdn-raw.gdl.gg | udp |
| US | 8.8.8.8:53 | cdn-raw.gdl.gg | udp |
| US | 8.8.8.8:443 | dns.google | tcp |
| US | 104.26.1.51:443 | cdn-raw.gdl.gg | udp |
| US | 104.26.1.51:443 | cdn-raw.gdl.gg | tcp |
| US | 8.8.8.8:53 | 51.1.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fd.api.iris.microsoft.com | udp |
| IE | 20.223.35.26:443 | fd.api.iris.microsoft.com | tcp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:1025 | N/A | tcp |
| N/A | 127.0.0.1:1025 | N/A | tcp |
| N/A | 127.0.0.1:1025 | N/A | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\System.dll
| MD5 | 0d7ad4f45dc6f5aa87f606d0331c6901 |
| SHA1 | 48df0911f0484cbe2a8cdd5362140b63c41ee457 |
| SHA256 | 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca |
| SHA512 | c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9 |
C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\StdUtils.dll
| MD5 | c6a6e03f77c313b267498515488c5740 |
| SHA1 | 3d49fc2784b9450962ed6b82b46e9c3c957d7c15 |
| SHA256 | b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e |
| SHA512 | 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803 |
C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\SpiderBanner.dll
| MD5 | 17309e33b596ba3a5693b4d3e85cf8d7 |
| SHA1 | 7d361836cf53df42021c7f2b148aec9458818c01 |
| SHA256 | 996a259e53ca18b89ec36d038c40148957c978c0fd600a268497d4c92f882a93 |
| SHA512 | 1abac3ce4f2d5e4a635162e16cf9125e059ba1539f70086c2d71cd00d41a6e2a54d468e6f37792e55a822d7082fb388b8dfecc79b59226bbb047b7d28d44d298 |
C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\nsExec.dll
| MD5 | ec0504e6b8a11d5aad43b296beeb84b2 |
| SHA1 | 91b5ce085130c8c7194d66b2439ec9e1c206497c |
| SHA256 | 5d9ceb1ce5f35aea5f9e5a0c0edeeec04dfefe0c77890c80c70e98209b58b962 |
| SHA512 | 3f918f1b47e8a919cbe51eb17dc30acc8cfc18e743a1bae5b787d0db7d26038dc1210be98bf5ba3be8d6ed896dbbd7ac3d13e66454a98b2a38c7e69dad30bb57 |
C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\nsis7z.dll
| MD5 | 80e44ce4895304c6a3a831310fbf8cd0 |
| SHA1 | 36bd49ae21c460be5753a904b4501f1abca53508 |
| SHA256 | b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592 |
| SHA512 | c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df |
C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\7z-out\chrome_100_percent.pak
| MD5 | 4fc6564b727baa5fecf6bf3f6116cc64 |
| SHA1 | 6ced7b16dc1abe862820dfe25f4fe7ead1d3f518 |
| SHA256 | b7805392bfce11118165e3a4e747ac0ca515e4e0ceadab356d685575f6aa45fb |
| SHA512 | fa7eab7c9b67208bd076b2cbda575b5cc16a81f59cc9bba9512a0e85af97e2f3adebc543d0d847d348d513b9c7e8bef375ab2fef662387d87c82b296d76dffa2 |
C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\7z-out\chrome_200_percent.pak
| MD5 | 47668ac5038e68a565e0a9243df3c9e5 |
| SHA1 | 38408f73501162d96757a72c63e41e78541c8e8e |
| SHA256 | fac820a98b746a04ce14ec40c7268d6a58819133972b538f9720a5363c862e32 |
| SHA512 | 5412041c923057ff320aba09674b309b7fd71ede7e467f47df54f92b7c124e3040914d6b8083272ef9f985eef1626eaf4606b17a3cae97cfe507fb74bc6f0f89 |
C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\7z-out\d3dcompiler_47.dll
| MD5 | 5a614e7d0fdfa8b37e8e050361c2909a |
| SHA1 | 8ed59dc41bac11ba10344bd426f69a57f9738de9 |
| SHA256 | 568bcce599c8f67dc31e6472c419002490907d8b0fecca1f93da051d96977071 |
| MD5 | c2d4077a43b20375e0e9f7b6856c2af6 |
| SHA1 | fbdd12e9528e426f5b7fec0667df469f48c9c379 |
| SHA256 | d0c25cdd4c7b5477814dfa8502952c3b391050db5f94cd24eb2fe4a3719bd501 |
| SHA512 | 75c755d81cecf5df5fd32c8d5ff2e082562580e024b472c09a9803dee7ec7a13b5361810882d52ad4c24a200a230cf2318c7222dfef25fdf0f04ae0d0f9d3a4e |
memory/5512-927-0x000001BFCD1F0000-0x000001BFCD1F1000-memory.dmp
C:\ProgramData\Oracle\Java\.oracle_jre_usage\905ebba3a8fc8cc.timestamp
| MD5 | 11e67b2f528354eb6fae067de3074699 |
| SHA1 | 39a03e11abddc42ad4ce4c990a24c75f8d978f15 |
| SHA256 | 1aa6c0ac6bc8f7ad17b13c1ad6c0002d022a2ebfdc7ef498facc8584c08af1cf |
| SHA512 | 8026e91a2310a273b18d604967896e13ff3554482d048adf1652b6a9b8af9a3d87b1be5d9c7357e082e09243de0ac7b679c14b9e1dd4833a7a630cee86f2ae1b |
memory/5648-941-0x00000220D0A50000-0x00000220D0A51000-memory.dmp
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
| MD5 | f42e1e6d259a95af3f49991af81f124b |
| SHA1 | 95ee9ff50383ccbcf78a7638488f2fc91722c33b |
| SHA256 | 6800855fd84cdf74bfb14afdf727a752e517a56fe006f4bc85895b823aebce69 |
| SHA512 | 78a2a415d4b22f48d6dc92af3297bdd12eaf5552c52c3108461e556037ad066326ef01d97d4eff8042890ff7cec8747995b977e886cd7ce21a3db509e8bc9249 |
memory/5776-954-0x000001EEE8460000-0x000001EEE8461000-memory.dmp
memory/5932-965-0x00007FFCE7C20000-0x00007FFCE7C21000-memory.dmp
C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\sentry\scope_v3.json
| MD5 | 010e9d4c0263332b840556170175c3c8 |
| SHA1 | b6799b43d1afed2718e7f73e28ad3a0d514c01c5 |
| SHA256 | 69ef9cf4c3df04958c50671b6addc03f7b050eea03f2b22fb42f68082cd6cba1 |
| SHA512 | 70b648e6f987fbb6121b335fdd7e639cfd87212c93a5a3c54492e4d0dd518b7fbb77e5435f00cd3f0e24d11ce5516ad8e425bbb0b9e2630a581ba1b0990e6d48 |
C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\d888cd93-9657-4c6e-9d0a-1bf675704a4b.tmp
| MD5 | 58127c59cb9e1da127904c341d15372b |
| SHA1 | 62445484661d8036ce9788baeaba31d204e9a5fc |
| SHA256 | be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de |
| SHA512 | 8d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a |
C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\Partitions\__owepm__\Network\Network Persistent State
| MD5 | ad32a4cf82513192be2929a0e88bae45 |
| SHA1 | 00ff93f3a28d6095086a554df64db95942ce1051 |
| SHA256 | 6e7e94adb8cc523a1fb17dda00aa4b232d06c85f055245e2286177dbd49539d5 |
| SHA512 | 27cea34cb799697d5e16ce6cb08772fa5118ba7c05fd5fcee99f7f6c6c5b3cc9ac06ec01969a13330543e9a448adf8a6b1e1bc41a8bad56b5c0c855dbbe83247 |
C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\Network\Network Persistent State
| MD5 | 12e2526f9d73d5245734078786433c10 |
| SHA1 | 817a8f55d3a0f36655c5fe02bd30780b7975d1af |
| SHA256 | 38737a9d2f24e922a2038efe386068e33f124e3be03bb8cdceab6dd14429e301 |
| SHA512 | da6054b7d94dbdc86c196238fce3ced6e289eef1193aa0d31ad5846325c9b7da912e828f681be21b576ffb47a3d9cb293f19bebfc7c8c40d51d0500aa12986f3 |
C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\Network\Network Persistent State
| MD5 | 2800881c775077e1c4b6e06bf4676de4 |
| SHA1 | 2873631068c8b3b9495638c865915be822442c8b |
| SHA256 | 226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974 |
| SHA512 | e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b |
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-13 10:07
Reported
2024-11-13 10:13
Platform
win10ltsc2021-20241023-en
Max time kernel
148s
Max time network
154s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3392 wrote to memory of 4500 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3392 wrote to memory of 4500 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3392 wrote to memory of 4500 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4500 -ip 4500
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 632
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fd.api.iris.microsoft.com | udp |
| FR | 20.199.58.43:443 | fd.api.iris.microsoft.com | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-11-13 10:07
Reported
2024-11-13 10:13
Platform
win10ltsc2021-20241023-en
Max time kernel
148s
Max time network
159s
Command Line
Signatures
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SYSTEM32\carbon_app.pdb | C:\Users\Admin\AppData\Local\Temp\resources\binaries\core_module.exe | N/A |
| File opened for modification | C:\Windows\SYSTEM32\symbols\exe\carbon_app.pdb | C:\Users\Admin\AppData\Local\Temp\resources\binaries\core_module.exe | N/A |
| File opened for modification | C:\Windows\System32\exe\carbon_app.pdb | C:\Users\Admin\AppData\Local\Temp\resources\binaries\core_module.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\exe\carbon_app.pdb | C:\Users\Admin\AppData\Local\Temp\resources\binaries\core_module.exe | N/A |
| File opened for modification | C:\Windows\SYSTEM32\kernel32.pdb | C:\Users\Admin\AppData\Local\Temp\resources\binaries\core_module.exe | N/A |
| File opened for modification | C:\Windows\SYSTEM32\DLL\kernel32.pdb | C:\Users\Admin\AppData\Local\Temp\resources\binaries\core_module.exe | N/A |
| File opened for modification | C:\Windows\System32\ntdll.pdb | C:\Users\Admin\AppData\Local\Temp\resources\binaries\core_module.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\ntdll.pdb | C:\Users\Admin\AppData\Local\Temp\resources\binaries\core_module.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\DLL\kernel32.pdb | C:\Users\Admin\AppData\Local\Temp\resources\binaries\core_module.exe | N/A |
| File opened for modification | C:\Windows\SYSTEM32\dll\ntdll.pdb | C:\Users\Admin\AppData\Local\Temp\resources\binaries\core_module.exe | N/A |
| File opened for modification | C:\Windows\System32\carbon_app.pdb | C:\Users\Admin\AppData\Local\Temp\resources\binaries\core_module.exe | N/A |
| File opened for modification | C:\Windows\SYSTEM32\symbols\DLL\kernel32.pdb | C:\Users\Admin\AppData\Local\Temp\resources\binaries\core_module.exe | N/A |
| File opened for modification | C:\Windows\System32\DLL\kernel32.pdb | C:\Users\Admin\AppData\Local\Temp\resources\binaries\core_module.exe | N/A |
| File opened for modification | C:\Windows\SYSTEM32\symbols\dll\ntdll.pdb | C:\Users\Admin\AppData\Local\Temp\resources\binaries\core_module.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\ntdll.pdb | C:\Users\Admin\AppData\Local\Temp\resources\binaries\core_module.exe | N/A |
| File opened for modification | C:\Windows\SYSTEM32\exe\carbon_app.pdb | C:\Users\Admin\AppData\Local\Temp\resources\binaries\core_module.exe | N/A |
| File opened for modification | C:\Windows\System32\kernel32.pdb | C:\Users\Admin\AppData\Local\Temp\resources\binaries\core_module.exe | N/A |
| File opened for modification | C:\Windows\SYSTEM32\ntdll.pdb | C:\Users\Admin\AppData\Local\Temp\resources\binaries\core_module.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\resources\binaries\core_module.exe
"C:\Users\Admin\AppData\Local\Temp\resources\binaries\core_module.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | o4504152598511616.ingest.sentry.io | udp |
| US | 34.120.195.249:443 | o4504152598511616.ingest.sentry.io | tcp |
| US | 8.8.8.8:53 | 249.195.120.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fd.api.iris.microsoft.com | udp |
| IE | 20.223.35.26:443 | fd.api.iris.microsoft.com | tcp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-11-13 10:07
Reported
2024-11-13 10:13
Platform
win10ltsc2021-20241023-en
Max time kernel
150s
Max time network
155s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\vulkan-1.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | N/A | udp |
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-11-13 10:07
Reported
2024-11-13 10:13
Platform
win10ltsc2021-20241023-en
Max time kernel
149s
Max time network
130s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3276 wrote to memory of 644 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3276 wrote to memory of 644 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3276 wrote to memory of 644 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 644 -ip 644
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 644 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fd.api.iris.microsoft.com | udp |
| IE | 20.223.35.26:443 | fd.api.iris.microsoft.com | tcp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-11-13 10:07
Reported
2024-11-13 10:13
Platform
win10ltsc2021-20241023-en
Max time kernel
149s
Max time network
154s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\$R0\Uninstall GDLauncher.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5052 wrote to memory of 2208 | N/A | C:\Users\Admin\AppData\Local\Temp\$R0\Uninstall GDLauncher.exe | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe |
| PID 5052 wrote to memory of 2208 | N/A | C:\Users\Admin\AppData\Local\Temp\$R0\Uninstall GDLauncher.exe | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe |
| PID 5052 wrote to memory of 2208 | N/A | C:\Users\Admin\AppData\Local\Temp\$R0\Uninstall GDLauncher.exe | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\$R0\Uninstall GDLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\$R0\Uninstall GDLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
"C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\$R0\
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | analyticssec.overwolf.com | udp |
| FR | 18.245.175.10:443 | analyticssec.overwolf.com | tcp |
| US | 8.8.8.8:53 | 10.175.245.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ocsp.rootca3.amazontrust.com | udp |
| FR | 52.84.193.90:80 | ocsp.rootca3.amazontrust.com | tcp |
| US | 8.8.8.8:53 | 26.200.245.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.193.84.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fd.api.iris.microsoft.com | udp |
| IE | 20.223.35.26:443 | fd.api.iris.microsoft.com | tcp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
| MD5 | 3803d1988a2ed4d222c031e63cdadeb5 |
| SHA1 | 12a51b8f3d49acff38a58db6682b0873732694a5 |
| SHA256 | fc026091f9a61b503d159f8bcdeaef75fc5603a02ba79aab6693992314b77b37 |
| SHA512 | 626aa84e5820a67bfa7afd4d4ed729a33022b7fb23542b563d56fc323a496fe0b759778580527ee8e3c667f651ed4c1e75710fae4aa4e4b84bcb86156f5c78ff |
C:\Users\Admin\AppData\Local\Temp\nscA643.tmp\System.dll
| MD5 | 0d7ad4f45dc6f5aa87f606d0331c6901 |
| SHA1 | 48df0911f0484cbe2a8cdd5362140b63c41ee457 |
| SHA256 | 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca |
| SHA512 | c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9 |
C:\Users\Admin\AppData\Local\Temp\nscA643.tmp\StdUtils.dll
| MD5 | c6a6e03f77c313b267498515488c5740 |
| SHA1 | 3d49fc2784b9450962ed6b82b46e9c3c957d7c15 |
| SHA256 | b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e |
| SHA512 | 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803 |
C:\Users\Admin\AppData\Local\Temp\nscA643.tmp\nsExec.dll
| MD5 | ec0504e6b8a11d5aad43b296beeb84b2 |
| SHA1 | 91b5ce085130c8c7194d66b2439ec9e1c206497c |
| SHA256 | 5d9ceb1ce5f35aea5f9e5a0c0edeeec04dfefe0c77890c80c70e98209b58b962 |
| SHA512 | 3f918f1b47e8a919cbe51eb17dc30acc8cfc18e743a1bae5b787d0db7d26038dc1210be98bf5ba3be8d6ed896dbbd7ac3d13e66454a98b2a38c7e69dad30bb57 |
C:\Users\Admin\AppData\Local\Temp\nscA643.tmp\WinShell.dll
| MD5 | 1cc7c37b7e0c8cd8bf04b6cc283e1e56 |
| SHA1 | 0b9519763be6625bd5abce175dcc59c96d100d4c |
| SHA256 | 9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6 |
| SHA512 | 7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f |
C:\Users\Admin\AppData\Local\Temp\nscA643.tmp\INetC.dll
| MD5 | 38caa11a462b16538e0a3daeb2fc0eaf |
| SHA1 | c22a190b83f4b6dc0d6a44b98eac1a89a78de55c |
| SHA256 | ed04a4823f221e9197b8f3c3da1d6859ff5b176185bde2f1c923a442516c810a |
| SHA512 | 777135e05e908ac26bfce0a9c425b57f7132c1cdb0969bbb6ef625748c868860602bacc633c61cab36d0375b94b6bcfbd8bd8c7fa781495ef7332e362f8d44d1 |