Malware Analysis Report

2025-01-23 13:46

Sample ID 241128-3fwdxsvke1
Target SG-Studio-public-win-x64.exe
SHA256 85e84b84f9de04e7e94fb5c47576dfeb10aafdc3e08221b2f619aecdf135cf7b
Tags: discovery, cryptone, packer, execution

Score: 9/10

Table of Contents

Analysis Overview

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1 (Detonation Overview, Signatures)

Analysis: behavioral22, behavioral1, behavioral4, behavioral5, behavioral10, behavioral18, behavioral9, behavioral31, behavioral32, behavioral16, behavioral26, behavioral7, behavioral30, behavioral23, behavioral29, behavioral11, behavioral12, behavioral14, behavioral15, behavioral20, behavioral21, behavioral6, behavioral13, behavioral25, behavioral28, behavioral27, behavioral2, behavioral3, behavioral8, behavioral17, behavioral19, behavioral24 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 9/10

SHA256

85e84b84f9de04e7e94fb5c47576dfeb10aafdc3e08221b2f619aecdf135cf7b

Threat Level: Likely malicious

The file SG-Studio-public-win-x64.exe was found to be: Likely malicious.

Malicious Activity Summary

Tags: discovery, cryptone, packer, execution

CryptOne packer

Checks computer location settings

Loads dropped DLL

Looks up external IP address via web service

Reads CPU attributes

System Location Discovery: System Language Discovery

System Network Configuration Discovery

Browser Information Discovery

Enumerates physical storage devices

Unsigned PE

Command and Scripting Interpreter: JavaScript

Program crash

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Modifies Internet Explorer settings

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-28 23:29

Signatures

CryptOne packer

Tags: cryptone, packer

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-11-28 23:27

Reported

2024-11-28 23:32

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

0s

Max time network

135s

Command Line

[/tmp/resources/app.asar.unpacked/node_modules/7zip-bin/7x.sh]

Signatures

System Network Configuration Discovery

Tags: discovery

Description | Indicator | Process | Target
N/A | N/A | /tmp/resources/app.asar.unpacked/node_modules/7zip-bin/7x.sh | N/A
N/A | N/A | /usr/local/sbin/bash | N/A
N/A | N/A | /usr/local/bin/bash | N/A
N/A | N/A | /usr/sbin/bash | N/A
N/A | N/A | /usr/bin/bash | N/A
N/A | N/A | /sbin/bash | N/A
N/A | N/A | /bin/bash | N/A

Processes

/tmp/resources/app.asar.unpacked/node_modules/7zip-bin/7x.sh

[/tmp/resources/app.asar.unpacked/node_modules/7zip-bin/7x.sh]

/usr/local/sbin/bash

[bash /tmp/resources/app.asar.unpacked/node_modules/7zip-bin/7x.sh]

/usr/local/bin/bash

[bash /tmp/resources/app.asar.unpacked/node_modules/7zip-bin/7x.sh]

/usr/sbin/bash

[bash /tmp/resources/app.asar.unpacked/node_modules/7zip-bin/7x.sh]

/usr/bin/bash

[bash /tmp/resources/app.asar.unpacked/node_modules/7zip-bin/7x.sh]

/sbin/bash

[bash /tmp/resources/app.asar.unpacked/node_modules/7zip-bin/7x.sh]

/bin/bash

[bash /tmp/resources/app.asar.unpacked/node_modules/7zip-bin/7x.sh]

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 151.101.193.91:443 | N/A | tcp
GB | 185.125.188.61:443 | N/A | tcp
GB | 185.125.188.62:443 | N/A | tcp
US | 151.101.193.91:443 | N/A | tcp
GB | 89.187.167.8:443 | N/A | tcp
US | 1.1.1.1:53 | 1527653184.rsc.cdn77.org | udp
US | 1.1.1.1:53 | 1527653184.rsc.cdn77.org | udp
GB | 84.17.50.8:443 | 1527653184.rsc.cdn77.org | tcp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-28 23:27

Reported

2024-11-28 23:32

Platform

win7-20240729-en

Max time kernel

120s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SG-Studio-public-win-x64.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SG-Studio-public-win-x64.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SG-Studio-public-win-x64.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SG-Studio-public-win-x64.exe

"C:\Users\Admin\AppData\Local\Temp\SG-Studio-public-win-x64.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nsj4B92.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

\Users\Admin\AppData\Local\Temp\nsj4B92.tmp\UAC.dll

MD5 adb29e6b186daa765dc750128649b63d
SHA1 160cbdc4cb0ac2c142d361df138c537aa7e708c9
SHA256 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
SHA512 b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

\Users\Admin\AppData\Local\Temp\nsj4B92.tmp\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

\Users\Admin\AppData\Local\Temp\nsj4B92.tmp\nsDialogs.dll

MD5 466179e1c8ee8a1ff5e4427dbb6c4a01
SHA1 eb607467009074278e4bd50c7eab400e95ae48f7
SHA256 1e40211af65923c2f4fd02ce021458a7745d28e2f383835e3015e96575632172
SHA512 7508a29c722d45297bfb090c8eb49bd1560ef7d4b35413f16a8aed62d3b1030a93d001a09de98c2b9fea9acf062dc99a7278786f4ece222e7436b261d14ca817

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-28 23:27

Reported

2024-11-28 23:32

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1304 wrote to memory of 2400 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1304 wrote to memory of 2400 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1304 wrote to memory of 2400 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2400 -ip 2400

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2400 -s 628

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 72.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 67.208.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-28 23:27

Reported

2024-11-28 23:32

Platform

win7-20240903-en

Max time kernel

119s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 220

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-11-28 23:27

Reported

2024-11-28 23:32

Platform

win10v2004-20241007-en

Max time kernel

90s

Max time network

144s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2796 wrote to memory of 2592 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2796 wrote to memory of 2592 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2796 wrote to memory of 2592 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2592 -ip 2592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 612

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-11-28 23:27

Reported

2024-11-28 23:32

Platform

win7-20240729-en

Max time kernel

85s

Max time network

20s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-11-28 23:27

Reported

2024-11-28 23:32

Platform

win7-20240903-en

Max time kernel

121s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 220

Network

N/A

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-11-28 23:27

Reported

2024-11-28 23:30

Platform

debian9-mipsbe-20240418-en

Max time kernel

0s

Command Line

[/tmp/resources/app.asar.unpacked/node_modules/7zip-bin/linux/arm64/7za]

Signatures

System Network Configuration Discovery

Tags: discovery

Description | Indicator | Process | Target
N/A | N/A | /tmp/resources/app.asar.unpacked/node_modules/7zip-bin/linux/arm64/7za | N/A

Processes

/tmp/resources/app.asar.unpacked/node_modules/7zip-bin/linux/arm64/7za

[/tmp/resources/app.asar.unpacked/node_modules/7zip-bin/linux/arm64/7za]

Network

N/A

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-11-28 23:27

Reported

2024-11-28 23:30

Platform

debian9-mipsel-20240611-en

Max time kernel

0s

Command Line

[/tmp/resources/app.asar.unpacked/node_modules/7zip-bin/linux/arm64/7za]

Signatures

System Network Configuration Discovery

Tags: discovery

Description | Indicator | Process | Target
N/A | N/A | /tmp/resources/app.asar.unpacked/node_modules/7zip-bin/linux/arm64/7za | N/A

Processes

/tmp/resources/app.asar.unpacked/node_modules/7zip-bin/linux/arm64/7za

[/tmp/resources/app.asar.unpacked/node_modules/7zip-bin/linux/arm64/7za]

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-11-28 23:27

Reported

2024-11-28 23:32

Platform

win7-20240903-en

Max time kernel

118s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-11-28 23:27

Reported

2024-11-28 23:32

Platform

win7-20240903-en

Max time kernel

121s

Max time network

126s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\7zip-bin\index.js

Signatures

Command and Scripting Interpreter: JavaScript

Tags: execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\7zip-bin\index.js

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-11-28 23:27

Reported

2024-11-28 23:32

Platform

win7-20240708-en

Max time kernel

122s

Max time network

128s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 224

Network

N/A

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-11-28 23:27

Reported

2024-11-28 23:31

Platform

debian9-armhf-20240611-en

Max time kernel

0s

Command Line

[/tmp/resources/app.asar.unpacked/node_modules/7zip-bin/linux/arm64/7za]

Signatures

System Network Configuration Discovery

Tags: discovery

Description | Indicator | Process | Target
N/A | N/A | /tmp/resources/app.asar.unpacked/node_modules/7zip-bin/linux/arm64/7za | N/A

Processes

/tmp/resources/app.asar.unpacked/node_modules/7zip-bin/linux/arm64/7za

[/tmp/resources/app.asar.unpacked/node_modules/7zip-bin/linux/arm64/7za]

Network

N/A

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-11-28 23:27

Reported

2024-11-28 23:34

Platform

debian9-armhf-20240611-en

Max time kernel

0s

Command Line

[/tmp/resources/app.asar.unpacked/node_modules/7zip-bin/7x.sh]

Signatures

System Network Configuration Discovery

Tags: discovery

Description | Indicator | Process | Target
N/A | N/A | /bin/bash | N/A
N/A | N/A | /tmp/resources/app.asar.unpacked/node_modules/7zip-bin/7x.sh | N/A
N/A | N/A | /usr/local/sbin/bash | N/A
N/A | N/A | /usr/local/bin/bash | N/A
N/A | N/A | /usr/sbin/bash | N/A
N/A | N/A | /usr/bin/bash | N/A
N/A | N/A | /sbin/bash | N/A

Processes

/tmp/resources/app.asar.unpacked/node_modules/7zip-bin/7x.sh

[/tmp/resources/app.asar.unpacked/node_modules/7zip-bin/7x.sh]

/usr/local/sbin/bash

[bash /tmp/resources/app.asar.unpacked/node_modules/7zip-bin/7x.sh]

/usr/local/bin/bash

[bash /tmp/resources/app.asar.unpacked/node_modules/7zip-bin/7x.sh]

/usr/sbin/bash

[bash /tmp/resources/app.asar.unpacked/node_modules/7zip-bin/7x.sh]

/usr/bin/bash

[bash /tmp/resources/app.asar.unpacked/node_modules/7zip-bin/7x.sh]

/sbin/bash

[bash /tmp/resources/app.asar.unpacked/node_modules/7zip-bin/7x.sh]

/bin/bash

[bash /tmp/resources/app.asar.unpacked/node_modules/7zip-bin/7x.sh]

Network

N/A

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-11-28 23:27

Reported

2024-11-28 23:29

Platform

ubuntu1804-amd64-20240729-en

Max time kernel

0s

Max time network

2s

Command Line

[/tmp/resources/app.asar.unpacked/node_modules/7zip-bin/linux/arm64/7za]

Signatures

System Network Configuration Discovery

Tags: discovery

Description | Indicator | Process | Target
N/A | N/A | /tmp/resources/app.asar.unpacked/node_modules/7zip-bin/linux/arm64/7za | N/A

Processes

/tmp/resources/app.asar.unpacked/node_modules/7zip-bin/linux/arm64/7za

[/tmp/resources/app.asar.unpacked/node_modules/7zip-bin/linux/arm64/7za]

Network

Country | Destination | Domain | Proto
US | 151.101.65.91:443 | N/A | tcp
GB | 185.125.188.62:443 | N/A | tcp
GB | 185.125.188.62:443 | N/A | tcp
US | 151.101.65.91:443 | N/A | tcp
GB | 84.17.50.8:443 | N/A | tcp
N/A | 224.0.0.251:5353 | N/A | udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-11-28 23:27

Reported

2024-11-28 23:32

Platform

win7-20240903-en

Max time kernel

134s

Max time network

136s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html

Signatures

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A

Modifies Internet Explorer settings

Tags: adware, spyware

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438998453" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A70D6071-ADE0-11EF-94CC-EE9D5ADBD8E3} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd300000000020000000000106600000001000020000000fad0fb3bff6c57a991495d4a8a88da0a6f3d186f1f607d86e3ec27739f4e5fee000000000e80000000020000200000009fa752b4df0f24d61d29cd196bca62f5867d87a8924f56c62ad057dd93c04e0c2000000085ff8bf68fff8e922ee081064b5366120c57d8637d84797ac6130251be1cb4f7400000005b9eb2df3e77fc5924169a143f104d5b19d8257b9ba95dc0f570558223bda5c2ae29e1293f4ec09ae8f3de67c4b18ee2d78532c0ba025ad3bea3514b3a083541 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0690d7ced41db01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (value not preserved in this copy of the report) | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2876 CREDAT:275457 /prefetch:2

Network

Country | Destination | Domain | Proto
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab985.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar9F6.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8cb6bb68f0f6bfd0445f869c90b075af
SHA1 a7bba817ea2fcd28cae71b81a9575f75d112e1f7
SHA256 9d4fba9a36aa4a2f7255aa4cbd0a17b946f1dea5d0b02100161b08ad142a8d5e
SHA512 5f7f92729560476a722f957c3152a056836fbb5908d8e276294e52abf391c3ddef003d975b2039887328ff0896b967280f2d53a4c1f21a9da0e160979801bcaf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d9e69046076a90e8bb621ee943f263c3
SHA1 99a8573df1adc1e74e1ed14bcf9a2c5ffd6d61c6
SHA256 40bc73761b02040dc1a2510f01c3f81cdc0de06497bf09d96240830ae8b29e0e
SHA512 ef2f61c9af05acf91b2fe4a2a1e95a453adbba117c4686bdffce17063d039313ecb7de34a6bd32424f3867d9a069b045d4bdfc1d52440b25942a4ad27a1085e8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 536f880fd7c950f7d01faaf3617593b9
SHA1 0b45e65e66d316a46d5cf17d8423ff733773b8df
SHA256 d440fd25ca460f06d094e211531c1f8d4451ffa3e70733c6ef6c840dec07d93f
SHA512 afb4e588d5d7209f756d29f4f26cdbeb0201de6786a23696ecc2cfd9568287f10f2f0af126b0d247b4b532051a8d16dd6e04b05c8223f2f1fa29545c41b77bcc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 358f5c000b946611268355d6ce390399
SHA1 4997743731b1d342c627273f27b3155b7ca76a8c
SHA256 41361e59240d72d94cb42c45afc4c39ca1a50ad25800a1be32dd6ad1f505eefd
SHA512 015b2aabc3e282dbbaa4c941e481a445cb25e75e1ba8f194cb8c655feb232de79d09624be12541a30349d0e9f44c0f61e03714b95af9ab00dfe615f2b637fec8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bbb50779e6b2baa6042be61431042fa2
SHA1 82e6f2e05a14ebd3ba9e3a1b3110b872a64e3cef
SHA256 fdc45281a38b105352cc7d6aa6e4814162eced9c08998686f724ce06c1e6f299
SHA512 3356856b8a138b8782e2fb173d1a537e1f153f0ca9952c265c47ac9b4b737c467557555a403806d028e1d1c0a184204317b8e92a128041385485ee91591ed53c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 846687fad08cc58a902a42cb88baa585
SHA1 7510b687ca15965d6b370a62f5977cb7f0a0b7af
SHA256 e13815ae48a25489ff13de1dd3bc1af484d734884e37a068d193ff089501ed8f
SHA512 fa3369ce0dea4c77f20a0bade3bf40d96156239aef505e2e94368eedb078c5af3b3fdbd0520ee8c798e222e3c4c3b811b98031ea311d212898645059315cc759

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7507d7663d8e580261fb8dbdd8fa5cc8
SHA1 b874e2905c8dd20565676f0c191963241a9128d1
SHA256 af516ee0c67d19f5bdfc88af5c106ce11d89dfb6ff72199e9752d98bbd3a9069
SHA512 c6a57b08fa30f2e53a5c0fc101edbeebfbedfa43f17ef5af7898bb65793f7994566e3ad777d87f926babcfc2424d6612f13382ad9fe06bfc683a40c5fb6ade65

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d22e2e4169563871c4e78ce734b96f50
SHA1 0728fd744489131b56bed54821b767b353507ba3
SHA256 980b698e599e1a1072777c850b4ead6cfd203042e3c7e43ce684dfc6e0ef7134
SHA512 f41565d5a0569199d1c7493d83d39496ed35ed58db3cbba86c98851a1f17e23d593c9e1b6f76d88a939b4f2c4261fbe1bcff29fa0161580e9e2d58d1f0cda45f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6295838c48099878b92dab0bdde82bc4
SHA1 bbbe8c16aa4c98d14d5cf7c0c5f91f5f2005e57d
SHA256 57df0a49ef592c7a6cacbd6585c81665338f50cef1242f01ea80612ff597111b
SHA512 32a49a2535647b617132c508334fe085611772a56a01cdaf8b1a08ac1bb473df84a0f2f83ab0868b70e9c58d6fdfd08e883cf8048a12dc4f736a58db45c70678

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 50f6ffb4d866d6e80c8d27dbe1c5e008
SHA1 d3341ab0fdf0f05a6903b1f38d4e2fab48059689
SHA256 692910bb0c5c09ee8a040d3bdf026904db12ad143ae85cbfe4483c2522f2af3d
SHA512 2fe4f0f94a2f99fc39797ffcfb44cc1ba3e51443d199763728b2b10afc69d4502eb3c1ccd130b61dfaca59d7a1a33d29d49ff12724bebd4881dd519b512ef5b3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e8ebe50bee044eff5c4b8672c2b5979b
SHA1 8fefd38e2de189de1d04be8dd5e010d0c8f7620c
SHA256 19b65f045302836dc2c5f9489fe239b67bc8eb99eebc024094f7ab61995e9ba6
SHA512 c5ad016ad7db60d04ee5d3483f61ae688214819fb49ad465cf227415d6f4458420d7ac7bce8688c3d15688151ad3e212339d11d784819616b7c84cf02b2c347e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7139ae4e451cc877e5276196a1b1f6e5
SHA1 ce2fe38b8e543c3981213085486c0b3320db586f
SHA256 9fa670606886c4ce0b7217c4f3121992d038a73b5c9ba50b5d94356c476c82e4
SHA512 1ffcee71888b9fd014cfe15ac79a277cc94d3555e6a980fe829259ad85ef89455297fdbe270e87791658f8e73e22fa6eeb523f7becbb89a12d6ae161df9a36a3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 687bead83413bbce4195ff3b211cb37b
SHA1 c5bc1850aa1b486d8ca2db3c5ee98f06000fabb2
SHA256 1485b289582037d7788f57600d26b7e374d37027e3a1a1d3344589cdf35360de
SHA512 59546b9c909c19a86612fa49e0c92281873e29a39c5b536d4ca05ba9675cdd4de320d40316d0ab909ec463cfffd9e9ae5f235764b9317708962d3c5f8fd089f5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 20134652560d97fd969a83def58a75be
SHA1 c0f4ccd78de0a4b5507be490207a5bcdad4d186d
SHA256 079ff435d1e6ba8286586a41cfe9a673e353d46a0f46673f1220f76be510494b
SHA512 d8ec507696c9a633181f32b2879233f2f8e763d345115ef05a51b4d3bc1ea567502724bfc947344a37836d916b013c6e7dba92808df2d4d0faa3de1ad34f9603

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bc3e6630a19487910d92f610fb78e7ee
SHA1 b222b68e69718593afe5e60478cb977d8e2a71dd
SHA256 45a90dd108487f6487b9617cffbeb58c6782d5356159e6fba84a7be15cb08eb3
SHA512 c4a7ba6d72ecd77f88ab72882ff866defca900b8afec3dcca294e74525ed413143c74be726f4607c67500351e113bf0de1bddd9d8a6cd5ee56bdd56d0922f148

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 639809b860d2d84447e2c575436dac27
SHA1 0c73e60cf1838052801da0eae9b32960de671dda
SHA256 263384e75bee217cb197bbf611f3b6e96102c7a712e8925c89e8e5574c4ce64c
SHA512 f8eee68c0f02e003e25df06ab9b225ad3a0c3be25f866190e364ce6a8cdf6860a4b9331d376900c489b10875356bb23b47b78d8887316606ac877a73dd6a9f28

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 761ded8915f49466ff4625d86dd5ac2d
SHA1 7820cd986599e7ef4ff712c1bbb0d97b2af14661
SHA256 4a7bbb1b5ec843f5f770a1f33074df30007509a51aaa528298f6e7e2a951a1d4
SHA512 1af4db41ea78568151bbc1ce19d3bb6c073ca678a844fc68cbaaf3961944550cfb20993bdc7f843c6babd3abd96e27bae019f9ebee2b0b80d3d8f670f92b9cbf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 97850a3653202db5b5ab5d1073e7615e
SHA1 209be8876a857c31f849dd8fedde97eae5bdf94d
SHA256 dab8d28b43eb1aea127fe9182db50e0ac0893df5318f0a69d7ad06731a7918ff
SHA512 48c644e9df5c009daf4697a916c414f97585a1dfcae269c4244d237b896d3db6aca20af954387145d1c9403545cffad70534aad11175df4832da199bf039b2df

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b7128732e000781bf88c052927786b06
SHA1 3f0ee4def22f050b54400fc9647a93f13fa9698a
SHA256 34399a19d5dc899c25320d8e639215a173b859a63c4b3aff9cae7a734421efc3
SHA512 49d7849319656db28a71e6b17630eab8e473c21c99a6aa1b84f9a7876e62b05a1ab0b6372cad7199d74a315c43d6117865bf8302fb5401dbb3f4b2f95b1ebdf6

Analysis: behavioral12

Detonation Overview

Submitted 2024-11-28 23:27
Reported 2024-11-28 23:32
Platform win10v2004-20241007-en
Max time kernel 145s
Max time network 161s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html

Signatures

Browser Information Discovery

discovery

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
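The two values read here, SystemManufacturer and SystemProductName, are the SMBIOS strings that hypervisors leak through (VMware, VirtualBox, QEMU and so on), which is why a sandbox tags the read as discovery. Note the Process column, though: the reader is msedge.exe, launched to render the sample's LICENSES.chromium.html, and Chromium reads the same two values for its own hardware-model lookup, so in this detonation the row says nothing about the sample itself. The script below is an added example (not code from the report, the sample or Edge): it shows what a sandbox-aware sample would do with these values and, run on an analysis VM, what that VM exposes. The VM_MARKERS list is an assumption for illustration.

```python
import sys

# Vendor/model strings that common hypervisors expose through SMBIOS, which Windows copies
# into HKLM\HARDWARE\DESCRIPTION\System\BIOS. Constructed list for illustration; a real
# sample may match on any subset of these or on other keys entirely.
VM_MARKERS = (
    "vmware", "virtualbox", "innotek", "qemu", "kvm", "xen", "bochs",
    "parallels", "hyper-v", "virtual machine", "google compute engine", "amazon ec2",
)


def looks_like_vm(manufacturer, product):
    """Return (is_vm, matched_marker) for the two values the signature shows being read.

    This is the decision a sandbox-aware sample makes from SystemManufacturer and
    SystemProductName; a True result is what an analysis VM should avoid presenting.
    """
    haystack = f"{manufacturer} {product}".lower()
    for marker in VM_MARKERS:
        if marker in haystack:
            return True, marker
    return False, None


def read_bios_strings():
    """Read SystemManufacturer/SystemProductName from the live registry on Windows.

    Returns None on other platforms (winreg is Windows-only) so the module still imports.
    """
    try:
        import winreg
    except ImportError:
        return None
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"HARDWARE\DESCRIPTION\System\BIOS")
    try:
        manufacturer, _ = winreg.QueryValueEx(key, "SystemManufacturer")
        product, _ = winreg.QueryValueEx(key, "SystemProductName")
    finally:
        winreg.CloseKey(key)
    return manufacturer, product


if __name__ == "__main__":
    values = read_bios_strings()
    if values is None:
        # Not on Windows: demonstrate the check on constructed values instead.
        values = ("VMware, Inc.", "VMware Virtual Platform")
    is_vm, marker = looks_like_vm(*values)
    print(f"{values[0]!r} / {values[1]!r} -> vm={is_vm} marker={marker}")
    sys.exit(1 if is_vm else 0)
```

A non-zero exit on the analysis VM means a sample using this check would already know it is being watched; the fix is on the hypervisor side (SMBIOS overrides), not in the guest registry, because a guest-side edit is itself a tell.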

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3476 wrote to memory of 2516 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3476 wrote to memory of 2516 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3476 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3476 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3476 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3476 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3476 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3476 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3476 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3476 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3476 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3476 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3476 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3476 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3476 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3476 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3476 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3476 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3476 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3476 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3476 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3476 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3476 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3476 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3476 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3476 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3476 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3476 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3476 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3476 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3476 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3476 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3476 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3476 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3476 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3476 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3476 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3476 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3476 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3476 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3476 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3476 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3476 wrote to memory of 1860 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3476 wrote to memory of 1860 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3476 wrote to memory of 1380 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3476 wrote to memory of 1380 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3476 wrote to memory of 1380 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3476 wrote to memory of 1380 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3476 wrote to memory of 1380 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3476 wrote to memory of 1380 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3476 wrote to memory of 1380 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3476 wrote to memory of 1380 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3476 wrote to memory of 1380 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3476 wrote to memory of 1380 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3476 wrote to memory of 1380 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3476 wrote to memory of 1380 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3476 wrote to memory of 1380 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3476 wrote to memory of 1380 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3476 wrote to memory of 1380 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3476 wrote to memory of 1380 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3476 wrote to memory of 1380 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3476 wrote to memory of 1380 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3476 wrote to memory of 1380 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3476 wrote to memory of 1380 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff270546f8,0x7fff27054708,0x7fff27054718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2264,16604711451019800529,11187699533879392670,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2276 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2264,16604711451019800529,11187699533879392670,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2328 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2264,16604711451019800529,11187699533879392670,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,16604711451019800529,11187699533879392670,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,16604711451019800529,11187699533879392670,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2264,16604711451019800529,11187699533879392670,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4992 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2264,16604711451019800529,11187699533879392670,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4992 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,16604711451019800529,11187699533879392670,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,16604711451019800529,11187699533879392670,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,16604711451019800529,11187699533879392670,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,16604711451019800529,11187699533879392670,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2264,16604711451019800529,11187699533879392670,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1748 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 106.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
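Every Domain entry in this table is a reverse (PTR) name, not a hostname the browser asked for: the VM is asking its resolver (8.8.8.8) for the name of an address it has just talked to, and that address is the PTR labels read backwards. The first row is the resolver looking up itself, and the 224.0.0.251:5353 row is mDNS with no name attached. The following added example (not part of the report) decodes the table back into the IPv4 addresses that were contacted; no process attribution or forward lookups are recorded here, so treat the result as what the VM reached during the Edge session, not as sample infrastructure.

```python
import ipaddress
import re

# Rows copied from the Network table of this detonation (behavioral12).
NETWORK_ROWS = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 106.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
"""

PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa\.?$")


def ptr_to_ip(name):
    """Reverse the four octets of an in-addr.arpa name into the IPv4 address that was
    looked up. Returns None for anything that is not an IPv4 PTR name."""
    m = PTR_RE.match(name.strip().lower())
    if not m:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(m.groups()[::-1])))
    except ipaddress.AddressValueError:  # an octet above 255
        return None


def parse_network_rows(text):
    """Yield (country, destination, domain, proto); rows without a Domain column
    (the mDNS multicast row here) yield domain=None."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield parts[0], parts[1], parts[2], parts[3]
        elif len(parts) == 3:
            yield parts[0], parts[1], None, parts[2]


def contacted_addresses(text, resolver="8.8.8.8"):
    """Map the PTR lookups back to the addresses whose names were resolved.

    Drops the resolver's own address and anything non-global, so what remains is the set
    of external hosts the VM had a reason to name.
    """
    found = {}
    for _country, _dest, domain, _proto in parse_network_rows(text):
        ip = ptr_to_ip(domain) if domain else None
        if ip is None or ip == resolver or not ipaddress.IPv4Address(ip).is_global:
            continue
        found[ip] = domain
    return found


if __name__ == "__main__":
    for ip, ptr in contacted_addresses(NETWORK_ROWS).items():
        print(f"{ip:16} <- {ptr}")
```

The decoded addresses are the right input for an ASN or passive-DNS lookup; the PTR names themselves are not, because the sandbox never shows the answers, only the questions.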

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 443a627d539ca4eab732bad0cbe7332b
SHA1 86b18b906a1acd2a22f4b2c78ac3564c394a9569
SHA256 1e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9
SHA512 923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d

\??\pipe\LOCAL\crashpad_3476_RVUEIIJWBARRVUDX

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 99afa4934d1e3c56bbce114b356e8a99
SHA1 3f0e7a1a28d9d9c06b6663df5d83a65c84d52581
SHA256 08e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8
SHA512 76686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 2f25380ccb7dfaf8518204b1285ca534
SHA1 fefa8dccdc452b5497d4124c719f2c71bf746b61
SHA256 4b70de241473975c5243d3b031054275fc8b4736f3b136dcd71e54c7e401216e
SHA512 978b29efe2123d2ea5d6375d7197b6812f4c0840fd3ec5497258bda1bff9975d08ab8d9f39f219574e2f1a46c310b4282786ffcb703804031a04eed0deffc02e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 051e0f5fe2512e3d56dd938387623877
SHA1 3b7ecf59291b238499b7cc8c0ace6f9981e29482
SHA256 b9d513a27c8e7a6dab19843c1e50f158797400a9e856c9cb563d6f78b3173baa
SHA512 fc46fcf14f57c75aa24e3fad71951d197f2aa59561f89ccc9f67e5caa731a74b3454abf6080e1713f8e552929d130dd056053201986142c220793e2a017e8a8b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 093c6ced5c70496b6d19e83c01447b90
SHA1 532823360469bf2b12608ff325f69bf5e166fb3d
SHA256 fefd6bdb215c13c60e3e368cd4d7bcda05485d5ca0e3e0d1f738245f1ef14ca6
SHA512 9c201089224f1429e341b88de914d2a965369904b865c4c460f546ee3a3df0adb1324407a03227b69f8e63b7543e2b1531c960a0f9a5d5bff6b1e961951136c5
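The Files tables in this report list one block per write, so a path that Windows or Edge rewrites repeatedly (the CryptnetUrlCache metadata entry above appears many times with a different hash each time) produces many blocks, and a zero-byte object such as the crashpad pipe carries the hash of the empty string. Turning the tables into a hash set without that noise is the usual first step before anything is pushed to a blocklist. The following added example (not code from the report or its vendor) parses the report's own block format, collapses repeated paths, separates empty objects and known housekeeping paths from the rest, and uses entries copied from the tables above as its sample input; the NOISE_PATTERNS list is an assumption to tune per sandbox image.

```python
import re
from collections import OrderedDict

# Entries copied from the Files tables above: a Temp file, two rewrites of the same
# CryptnetUrlCache path, and the crashpad pipe (which hashes as an empty object).
FILES_TEXT = r"""
C:\Users\Admin\AppData\Local\Temp\Tar9F6.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8cb6bb68f0f6bfd0445f869c90b075af
SHA1 a7bba817ea2fcd28cae71b81a9575f75d112e1f7
SHA256 9d4fba9a36aa4a2f7255aa4cbd0a17b946f1dea5d0b02100161b08ad142a8d5e
SHA512 5f7f92729560476a722f957c3152a056836fbb5908d8e276294e52abf391c3ddef003d975b2039887328ff0896b967280f2d53a4c1f21a9da0e160979801bcaf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d9e69046076a90e8bb621ee943f263c3
SHA1 99a8573df1adc1e74e1ed14bcf9a2c5ffd6d61c6
SHA256 40bc73761b02040dc1a2510f01c3f81cdc0de06497bf09d96240830ae8b29e0e
SHA512 ef2f61c9af05acf91b2fe4a2a1e95a453adbba117c4686bdffce17063d039313ecb7de34a6bd32424f3867d9a069b045d4bdfc1d52440b25942a4ad27a1085e8

\??\pipe\LOCAL\crashpad_3476_RVUEIIJWBARRVUDX

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
"""

EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

# Paths Windows and Edge rewrite on their own during any detonation (certificate cache,
# browser profile, crashpad pipes). Constructed list; tune for your sandbox image.
NOISE_PATTERNS = [
    re.compile(r"\\CryptnetUrlCache\\", re.I),
    re.compile(r"\\Microsoft\\Edge\\User Data\\", re.I),
    re.compile(r"^\\\?\?\\pipe\\", re.I),
]

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")


def parse_files(text):
    """Parse 'path, blank line, MD5/SHA1/SHA256/SHA512' blocks; one dict per write."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).lower()
        else:  # anything that is not a hash line starts a new path block
            current = {"path": line}
            entries.append(current)
    return entries


def triage(entries):
    """Group writes by path and split them into candidates, known noise and empty objects."""
    by_path = OrderedDict()
    for e in entries:
        by_path.setdefault(e["path"], []).append(e)
    out = {"candidates": [], "noise": [], "empty": []}
    for path, writes in by_path.items():
        hashes = sorted({w["SHA256"] for w in writes if "SHA256" in w})
        item = {"path": path, "writes": len(writes), "sha256": hashes}
        if hashes == [EMPTY_SHA256]:
            out["empty"].append(item)  # hash of nothing; never worth blocklisting
        elif any(p.search(path) for p in NOISE_PATTERNS):
            out["noise"].append(item)
        else:
            out["candidates"].append(item)
    return out


if __name__ == "__main__":
    for bucket, items in triage(parse_files(FILES_TEXT)).items():
        for it in items:
            print(f"{bucket:10} writes={it['writes']:2} {it['path']}")
```

Only the candidates bucket deserves a second look; the noise bucket still matters for the timeline (each write is an event), but its hashes change on every run and are useless as indicators.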

Analysis: behavioral14

Detonation Overview

Submitted 2024-11-28 23:27
Reported 2024-11-28 23:32
Platform win10v2004-20241007-en
Max time kernel 151s
Max time network 158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SG Studio.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\SG Studio.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\SG Studio.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\SG Studio.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SG Studio.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SG Studio.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SG Studio.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SG Studio.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\SG Studio.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SG Studio.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4996 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\SG Studio.exe C:\Users\Admin\AppData\Local\Temp\SG Studio.exe
PID 4996 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\SG Studio.exe C:\Users\Admin\AppData\Local\Temp\SG Studio.exe
PID 4996 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Local\Temp\SG Studio.exe C:\Users\Admin\AppData\Local\Temp\SG Studio.exe
PID 4996 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\SG Studio.exe C:\Users\Admin\AppData\Local\Temp\SG Studio.exe
PID 4996 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\SG Studio.exe C:\Users\Admin\AppData\Local\Temp\SG Studio.exe

Processes

C:\Users\Admin\AppData\Local\Temp\SG Studio.exe

"C:\Users\Admin\AppData\Local\Temp\SG Studio.exe"

C:\Users\Admin\AppData\Local\Temp\SG Studio.exe

"C:\Users\Admin\AppData\Local\Temp\SG Studio.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\soaring" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1720 --field-trial-handle=1724,i,10943989302186317641,346300115829302636,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Users\Admin\AppData\Local\Temp\SG Studio.exe

"C:\Users\Admin\AppData\Local\Temp\SG Studio.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\soaring" --mojo-platform-channel-handle=2032 --field-trial-handle=1724,i,10943989302186317641,346300115829302636,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8

C:\Users\Admin\AppData\Local\Temp\SG Studio.exe

"C:\Users\Admin\AppData\Local\Temp\SG Studio.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\soaring" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2260 --field-trial-handle=1724,i,10943989302186317641,346300115829302636,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1

C:\Users\Admin\AppData\Local\Temp\SG Studio.exe

"C:\Users\Admin\AppData\Local\Temp\SG Studio.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\soaring" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3280 --field-trial-handle=1724,i,10943989302186317641,346300115829302636,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1

C:\Users\Admin\AppData\Local\Temp\SG Studio.exe

"C:\Users\Admin\AppData\Local\Temp\SG Studio.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\soaring" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2788 --field-trial-handle=1724,i,10943989302186317641,346300115829302636,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 api.github.com udp
GB 20.26.156.210:443 api.github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 npriv.boxmineworld.com udp
US 89.117.79.21:4023 npriv.boxmineworld.com tcp
US 8.8.8.8:53 210.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 21.79.117.89.in-addr.arpa udp
US 8.8.8.8:53 google.com udp
GB 142.250.187.238:443 google.com tcp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:443 dns.google tcp
US 8.8.4.4:443 dns.google tcp
US 8.8.8.8:53 api.ipify.org udp
US 172.67.74.152:443 api.ipify.org tcp
US 8.8.8.8:53 www.google.com udp
GB 172.217.16.228:443 www.google.com tcp
US 8.8.8.8:53 238.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 8.8.8.8:53 152.74.67.172.in-addr.arpa udp
CA 54.39.28.139:25565 tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 228.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 139.28.39.54.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 104.26.12.205:443 api.ipify.org tcp
US 8.8.8.8:53 205.12.26.104.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 10.173.189.20.in-addr.arpa udp
US 89.117.79.21:4023 tcp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.exc

C:\Users\Admin\AppData\Local\Temp\06d54170-6c9e-4e0f-b926-91533f82398e.tmp.node

C:\Users\Admin\AppData\Roaming\soaring\Session Storage\CURRENT

C:\Users\Admin\AppData\Roaming\soaring\databases\Databases.db

C:\Users\Admin\AppData\Roaming\soaring\Preferences

C:\Users\Admin\AppData\Roaming\soaring\Preferences~RFe57b7e6.TMP

C:\Users\Admin\AppData\Roaming\soaring\databases\Databases.db

C:\Users\Admin\AppData\Roaming\soaring\Network\Network Persistent State

C:\Users\Admin\AppData\Roaming\soaring\Network\Network Persistent State~RFe58abeb.TMP

memory/4120-312-0x0000028BC0110000-0x0000028BC0111000-memory.dmp

memory/4120-311-0x0000028BC0110000-0x0000028BC0111000-memory.dmp

memory/4120-310-0x0000028BC0110000-0x0000028BC0111000-memory.dmp

memory/4120-316-0x0000028BC0110000-0x0000028BC0111000-memory.dmp

memory/4120-319-0x0000028BC0110000-0x0000028BC0111000-memory.dmp

memory/4120-322-0x0000028BC0110000-0x0000028BC0111000-memory.dmp

memory/4120-321-0x0000028BC0110000-0x0000028BC0111000-memory.dmp

memory/4120-320-0x0000028BC0110000-0x0000028BC0111000-memory.dmp

memory/4120-318-0x0000028BC0110000-0x0000028BC0111000-memory.dmp

memory/4120-317-0x0000028BC0110000-0x0000028BC0111000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2024-11-28 23:27

Reported

2024-11-28 23:32

Platform

win10v2004-20241007-en

Max time kernel

145s

Max time network

160s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3dcompiler_47.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3dcompiler_47.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 68.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-11-28 23:27

Reported

2024-11-28 23:32

Platform

win7-20240903-en

Max time kernel

121s

Max time network

131s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2872 wrote to memory of 3008 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2872 -s 88

Network

N/A

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-11-28 23:27

Reported

2024-11-28 23:32

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

160s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 63.141.182.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-28 23:27

Reported

2024-11-28 23:32

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2444 wrote to memory of 3296 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2444 wrote to memory of 3296 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2444 wrote to memory of 3296 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3296 -ip 3296

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3296 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 68.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 59.189.79.40.in-addr.arpa udp

Files

N/A
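Two things in this run are worth reading correctly before alerting on them. The 64-bit rundll32 (PID 2444) was handed a 32-bit plugin DLL, so it re-launched the SysWOW64 copy (PID 3296) with the identical command line; the three "Suspicious use of WriteProcessMemory" rows are the parent's writes into that freshly created child, which happens for every CreateProcess and is not injection. The ordinal-1 call then crashed, hence the "Program crash" signature and WerFault.exe -p 3296. What is genuinely worth a detection rule in a production environment is the shape of the command itself: rundll32 loading a DLL from a user-writable directory and calling an export by ordinal. The code below is an added example, not part of the report; the event lines are constructed in a Sysmon-like key=value form (not a format the sandbox emits), using the PIDs from this run plus one benign rundll32 invocation as a negative case.

```python
"""Flag rundll32 loading a DLL by ordinal from a user-writable directory, and
fold the WoW64 re-spawn and any WerFault crash into the same finding."""
import re
from dataclasses import dataclass

# Constructed process-creation events modelled on the Processes section above.
SAMPLE_EVENTS = [
    "pid=2444 ppid=1000 image=C:\\Windows\\system32\\rundll32.exe "
    "cmd=rundll32.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\$PLUGINSDIR\\System.dll,#1",
    "pid=3296 ppid=2444 image=C:\\Windows\\SysWOW64\\rundll32.exe "
    "cmd=rundll32.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\$PLUGINSDIR\\System.dll,#1",
    "pid=4100 ppid=3296 image=C:\\Windows\\SysWOW64\\WerFault.exe "
    "cmd=C:\\Windows\\SysWOW64\\WerFault.exe -u -p 3296 -s 612",
    "pid=5000 ppid=1000 image=C:\\Windows\\system32\\rundll32.exe "
    "cmd=rundll32.exe shell32.dll,Control_RunDLL",
]

EVENT_RE = re.compile(r"^pid=(\d+)\s+ppid=(\d+)\s+image=(\S+)\s+cmd=(.*)$")
RUNDLL32_RE = re.compile(r'^\s*"?(?:.*\\)?rundll32(?:\.exe)?"?\s+(.*)$', re.I)
WERFAULT_RE = re.compile(r"werfault\.exe.*?-p\s+(\d+)", re.I)
# Directories a standard user can write to; extend for your environment.
USER_WRITABLE = re.compile(
    r"\\(?:AppData\\Local\\Temp|Users\\Public|ProgramData|Downloads)\\", re.I
)


@dataclass
class Event:
    pid: int
    ppid: int
    image: str
    cmd: str


def parse_event(line: str):
    m = EVENT_RE.match(line)
    return Event(int(m[1]), int(m[2]), m[3], m[4]) if m else None


def rundll32_args(cmd: str):
    """Split 'rundll32.exe <dll>,<entry> [args]' into (dll, entry).
    Returns None when the command is not a rundll32 invocation."""
    m = RUNDLL32_RE.match(cmd)
    if not m:
        return None
    rest = m[1].strip()
    if "," not in rest:
        return rest.strip('"'), None
    dll, entry = rest.rsplit(",", 1)
    entry = entry.strip().split()
    return dll.strip().strip('"'), (entry[0] if entry else None)


def assess(events):
    """One finding per rundll32 event that loads a DLL from a user-writable
    path or calls an export by ordinal (#N)."""
    by_pid = {e.pid: e for e in events}
    crashed = set()  # PIDs that WerFault was invoked for (-p <pid>)
    for e in events:
        m = WERFAULT_RE.search(e.cmd)
        if m:
            crashed.add(int(m[1]))
    findings = []
    for e in events:
        args = rundll32_args(e.cmd)
        if args is None:
            continue
        dll, entry = args
        reasons = []
        if USER_WRITABLE.search(dll):
            reasons.append("dll in user-writable directory")
        if entry and re.fullmatch(r"#\d+", entry):
            reasons.append("export called by ordinal")
        if not reasons:
            continue
        parent = by_pid.get(e.ppid)
        # 64-bit rundll32 given a 32-bit DLL re-launches the SysWOW64 copy with
        # the same command line; tag it so the pair is one alert, not two.
        wow64_respawn = (
            parent is not None
            and parent.image.lower().endswith("\\rundll32.exe")
            and parent.cmd == e.cmd
            and "\\syswow64\\" in e.image.lower()
        )
        findings.append({
            "pid": e.pid, "dll": dll, "entry": entry, "reasons": reasons,
            "wow64_respawn": wow64_respawn, "crashed": e.pid in crashed,
        })
    return findings


if __name__ == "__main__":
    for f in assess([parse_event(l) for l in SAMPLE_EVENTS]):
        print(f)
```

The shell32.dll,Control_RunDLL event is left alone because it names a system DLL and a named export; the two $PLUGINSDIR events are flagged, the second marked as the WoW64 re-spawn of the first and as the process that crashed.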

Analysis: behavioral13

Detonation Overview

Submitted

2024-11-28 23:27

Reported

2024-11-28 23:32

Platform

win7-20240729-en

Max time kernel

118s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SG Studio.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SG Studio.exe

"C:\Users\Admin\AppData\Local\Temp\SG Studio.exe"

Network

N/A

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-11-28 23:27

Reported

2024-11-28 23:33

Platform

debian9-mipsel-20240226-en

Max time kernel

2s

Command Line

[/tmp/resources/app.asar.unpacked/node_modules/7zip-bin/7x.sh]

Signatures

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /tmp/resources/app.asar.unpacked/node_modules/7zip-bin/7x.sh N/A
N/A N/A /usr/local/sbin/bash N/A
N/A N/A /usr/local/bin/bash N/A
N/A N/A /usr/sbin/bash N/A
N/A N/A /usr/bin/bash N/A
N/A N/A /sbin/bash N/A
N/A N/A /bin/bash N/A

Processes

/tmp/resources/app.asar.unpacked/node_modules/7zip-bin/7x.sh

[/tmp/resources/app.asar.unpacked/node_modules/7zip-bin/7x.sh]

/usr/local/sbin/bash

[bash /tmp/resources/app.asar.unpacked/node_modules/7zip-bin/7x.sh]

/usr/local/bin/bash

[bash /tmp/resources/app.asar.unpacked/node_modules/7zip-bin/7x.sh]

/usr/sbin/bash

[bash /tmp/resources/app.asar.unpacked/node_modules/7zip-bin/7x.sh]

/usr/bin/bash

[bash /tmp/resources/app.asar.unpacked/node_modules/7zip-bin/7x.sh]

/sbin/bash

[bash /tmp/resources/app.asar.unpacked/node_modules/7zip-bin/7x.sh]

/bin/bash

[bash /tmp/resources/app.asar.unpacked/node_modules/7zip-bin/7x.sh]

Network

N/A

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-11-28 23:27

Reported

2024-11-28 23:34

Platform

debian12-armhf-20240221-en

Max time kernel

1s

Max time network

256s

Command Line

[/tmp/resources/app.asar.unpacked/node_modules/7zip-bin/linux/arm/7za]

Signatures

Reads CPU attributes

discovery
Description Indicator Process Target
File opened for reading /sys/devices/system/cpu/possible /tmp/resources/app.asar.unpacked/node_modules/7zip-bin/linux/arm/7za N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /tmp/resources/app.asar.unpacked/node_modules/7zip-bin/linux/arm/7za N/A

Processes

/tmp/resources/app.asar.unpacked/node_modules/7zip-bin/linux/arm/7za

[/tmp/resources/app.asar.unpacked/node_modules/7zip-bin/linux/arm/7za]

Network

Country Destination Domain Proto
US 1.1.1.1:53 debian12-armhf-20240221-en-0 udp
US 1.1.1.1:53 debian12-armhf-20240221-en-0 udp
US 1.1.1.1:53 debian12-armhf-20240221-en-0 udp
US 1.1.1.1:53 debian12-armhf-20240221-en-0 udp

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-11-28 23:27

Reported

2024-11-28 23:32

Platform

win10v2004-20241007-en

Max time kernel

141s

Max time network

157s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\7zip-bin\index.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\7zip-bin\index.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 74.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 226.162.46.104.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-28 23:27

Reported

2024-11-28 23:32

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SG-Studio-public-win-x64.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\SG-Studio-public-win-x64.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SG-Studio-public-win-x64.exe

"C:\Users\Admin\AppData\Local\Temp\SG-Studio-public-win-x64.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsq87BF.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

C:\Users\Admin\AppData\Local\Temp\nsq87BF.tmp\UAC.dll

MD5 adb29e6b186daa765dc750128649b63d
SHA1 160cbdc4cb0ac2c142d361df138c537aa7e708c9
SHA256 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
SHA512 b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

C:\Users\Admin\AppData\Local\Temp\nsq87BF.tmp\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

C:\Users\Admin\AppData\Local\Temp\nsq87BF.tmp\nsDialogs.dll

MD5 466179e1c8ee8a1ff5e4427dbb6c4a01
SHA1 eb607467009074278e4bd50c7eab400e95ae48f7
SHA256 1e40211af65923c2f4fd02ce021458a7745d28e2f383835e3015e96575632172
SHA512 7508a29c722d45297bfb090c8eb49bd1560ef7d4b35413f16a8aed62d3b1030a93d001a09de98c2b9fea9acf062dc99a7278786f4ece222e7436b261d14ca817
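The directory name nsq87BF.tmp and the four DLL names match the $PLUGINSDIR plugins that the other runs execute with rundll32: an NSIS installer unpacks its plugins into a %TEMP%\ns<hex>.tmp directory at run time, and System.dll, UAC.dll, StdUtils.dll and nsDialogs.dll are stock NSIS plugin names. When the same installer turns up on a host, the useful check is whether the files left in that directory are byte-for-byte what the sandbox recorded. The script below is an added example, not part of the report: it parses a Files block of this exact layout into records, validates the digest lengths, and compares every listed algorithm against the files in a directory. The embedded block is the first two entries above copied verbatim; the self-check writes a constructed stand-in file, not the real plugin, so it demonstrates the mismatch and missing paths rather than a clean match.

```python
"""Verify files dropped on a host against the digests in a report's Files block."""
import hashlib
from pathlib import Path
import re

# Constructed input: the first two entries of the Files section above, verbatim.
FILES_BLOCK = r"""
C:\Users\Admin\AppData\Local\Temp\nsq87BF.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

C:\Users\Admin\AppData\Local\Temp\nsq87BF.tmp\UAC.dll

MD5 adb29e6b186daa765dc750128649b63d
SHA1 160cbdc4cb0ac2c142d361df138c537aa7e708c9
SHA256 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
SHA512 b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}


def parse_files_block(text: str):
    """Turn 'path / ALGO hex' lines into records: {path, name, md5, sha1, ...}.
    A digest of the wrong length is a transcription error, so it is rejected."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            algo, digest = m[1].lower(), m[2].lower()
            if len(digest) != HEX_LEN[algo]:
                raise ValueError(f"{current['path']}: {algo} digest has wrong length")
            current[algo] = digest
        else:
            current = {"path": line, "name": line.rsplit("\\", 1)[-1]}
            records.append(current)
    return records


def digests(path: Path) -> dict:
    """All four digests of a file in one pass over its bytes."""
    hashes = {algo: hashlib.new(algo) for algo in HEX_LEN}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for h in hashes.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashes.items()}


def verify_dropped(records, directory: Path) -> dict:
    """Map each record's file name to 'ok', 'missing' or 'mismatch:<algos>',
    looking the file up by base name inside <directory>."""
    result = {}
    for rec in records:
        target = directory / rec["name"]
        if not target.is_file():
            result[rec["name"]] = "missing"
            continue
        actual = digests(target)
        bad = [a for a in HEX_LEN if a in rec and rec[a] != actual[a]]
        result[rec["name"]] = "ok" if not bad else "mismatch:" + ",".join(bad)
    return result


def self_check() -> dict:
    """Run verify_dropped against a scratch directory holding a constructed
    stand-in for System.dll (not the real plugin) and no UAC.dll at all."""
    import tempfile
    recs = parse_files_block(FILES_BLOCK)
    with tempfile.TemporaryDirectory() as tmp:
        scratch = Path(tmp)
        (scratch / "System.dll").write_bytes(b"constructed stand-in, not the real plugin")
        return verify_dropped(recs, scratch)


if __name__ == "__main__":
    print(self_check())
```

On a real host, point verify_dropped at the collected ns<hex>.tmp directory; a record that reports "ok" on all four algorithms is the same artefact the sandbox saw, and a mismatch on only some algorithms means the report itself was copied incorrectly rather than the file being different.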

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-28 23:27

Reported

2024-11-28 23:32

Platform

win7-20240903-en

Max time kernel

121s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2828 -s 220

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-11-28 23:27

Reported

2024-11-28 23:32

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

144s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5064 wrote to memory of 1292 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5064 wrote to memory of 1292 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5064 wrote to memory of 1292 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1292 -ip 1292

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1292 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-11-28 23:27

Reported

2024-11-28 23:32

Platform

win10v2004-20241007-en

Max time kernel

146s

Max time network

159s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-11-28 23:27

Reported

2024-11-28 23:32

Platform

win10v2004-20241007-en

Max time kernel

146s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-11-28 23:27

Reported

2024-11-28 23:35

Platform

debian9-mipsbe-20240611-en

Max time kernel

15s

Command Line

[/tmp/resources/app.asar.unpacked/node_modules/7zip-bin/7x.sh]

Signatures

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /bin/bash N/A
N/A N/A /tmp/resources/app.asar.unpacked/node_modules/7zip-bin/7x.sh N/A
N/A N/A /usr/local/sbin/bash N/A
N/A N/A /usr/local/bin/bash N/A
N/A N/A /usr/sbin/bash N/A
N/A N/A /usr/bin/bash N/A
N/A N/A /sbin/bash N/A

Processes

/tmp/resources/app.asar.unpacked/node_modules/7zip-bin/7x.sh

[/tmp/resources/app.asar.unpacked/node_modules/7zip-bin/7x.sh]

/usr/local/sbin/bash

[bash /tmp/resources/app.asar.unpacked/node_modules/7zip-bin/7x.sh]

/usr/local/bin/bash

[bash /tmp/resources/app.asar.unpacked/node_modules/7zip-bin/7x.sh]

/usr/sbin/bash

[bash /tmp/resources/app.asar.unpacked/node_modules/7zip-bin/7x.sh]

/usr/bin/bash

[bash /tmp/resources/app.asar.unpacked/node_modules/7zip-bin/7x.sh]

/sbin/bash

[bash /tmp/resources/app.asar.unpacked/node_modules/7zip-bin/7x.sh]

/bin/bash

[bash /tmp/resources/app.asar.unpacked/node_modules/7zip-bin/7x.sh]

Network

N/A

Files

N/A