Malware Analysis Report

2025-01-23 13:37

Sample ID 241215-a6n4ba1lbq
Target Alondrissa-win-x64.exe
SHA256 ccc87548032d163cdd832986c0078434b0ab313f228bd3cceacc5bd04f8520ba
Tags
discovery cryptone packer execution
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1 (Detonation Overview, Signatures)

Analysis: behavioral15, behavioral20, behavioral3, behavioral7, behavioral14, behavioral17, behavioral22, behavioral30, behavioral6, behavioral13, behavioral23, behavioral29, behavioral31, behavioral10, behavioral24, behavioral1, behavioral4, behavioral12, behavioral16, behavioral26, behavioral2, behavioral9, behavioral21, behavioral25, behavioral27, behavioral5, behavioral8, behavioral11, behavioral18, behavioral19, behavioral28, behavioral32 (in report order; each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
9/10

SHA256

ccc87548032d163cdd832986c0078434b0ab313f228bd3cceacc5bd04f8520ba

Threat Level: Likely malicious

The file Alondrissa-win-x64.exe was found to be: Likely malicious. Read the per-task detail with the command lines in mind: the static1 signatures (CryptOne packer, Unsigned PE) concern the submitted executable itself, while the behavioral tasks shown below detonate components found in C:\Users\Admin\AppData\Local\Temp (each DLL via rundll32.exe <dll>,#1, and LICENSES.chromium.html via msedge.exe), so signatures such as Program crash, Suspicious use of WriteProcessMemory and Enumerates system info in registry are raised there by rundll32.exe, WerFault.exe and msedge.exe rather than by the sample's own process.

Malicious Activity Summary

discovery cryptone packer execution

CryptOne packer

Loads dropped DLL

Checks computer location settings

Unsigned PE

Browser Information Discovery

Command and Scripting Interpreter: JavaScript

System Network Configuration Discovery

Enumerates physical storage devices

Enumerates kernel/hardware configuration

Program crash

System Location Discovery: System Language Discovery

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-15 00:51

Signatures

CryptOne packer

cryptone packer
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A (24 matches reported; every row is N/A in all four columns)
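The "Unsigned PE" verdict above comes down to one field: the Authenticode entry (index 4) in the optional header's data directory. The following script is an added example, not part of the sandbox report or its tooling; it reads that entry with the standard library only, prints the SHA-256 the report uses as the sample identifier, and builds a constructed minimal PE32+ header as test input, since the real sample is not reproduced here.

```python
import hashlib
import struct

# Index of the Authenticode entry in the optional header's data directory table.
IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def security_directory(pe: bytes):
    """Return (file offset, size) of the WIN_CERTIFICATE blob, or None if the
    buffer is not a PE32/PE32+ image."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    opt = e_lfanew + 4 + 20                   # 20-byte COFF header precedes the optional header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                        # PE32: NumberOfRvaAndSizes at +92, directories at +96
        nrva_off, dd_off = 92, 96
    elif magic == 0x20B:                      # PE32+: NumberOfRvaAndSizes at +108, directories at +112
        nrva_off, dd_off = 108, 112
    else:
        return None
    nrva = struct.unpack_from("<I", pe, opt + nrva_off)[0]
    if nrva <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return (0, 0)                         # table too short: no signature directory at all
    return struct.unpack_from("<II", pe, opt + dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)


def is_signed(pe: bytes) -> bool:
    """True when an Authenticode blob is present. Presence is not validity:
    an expired, revoked or malformed signature still yields True here, and a
    catalog-signed file (common for Windows components) yields False."""
    sec = security_directory(pe)
    return sec is not None and sec[1] > 0


def sha256_hex(data: bytes) -> str:
    """The hash the report uses as the sample identifier."""
    return hashlib.sha256(data).hexdigest()


def build_fake_pe(sig_size: int) -> bytes:
    """Constructed test input, not the real sample: a minimal PE32+ header with
    16 data directories and only the fields read above filled in."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=AMD64, 0 sections, SizeOfOptionalHeader=112+16*8=240, Characteristics=EXECUTABLE|LARGE_ADDRESS_AWARE
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x0022)
    # PE32+ magic, zeroed standard/Windows fields, NumberOfRvaAndSizes=16 at offset 108
    opt = struct.pack("<H", 0x20B) + b"\0" * 106 + struct.pack("<I", 16)
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     0x1000 if sig_size else 0, sig_size)
    return dos + b"PE\0\0" + coff + opt + bytes(dirs)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_fake_pe(0)
    print(sha256_hex(data), "signed" if is_signed(data) else "unsigned")
```

Run it against the real file to reproduce the static1 result; a non-zero size only says a blob is attached, so confirm chain validity separately (signtool verify /pa or Get-AuthenticodeSignature) before treating "signed" as trust.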

Analysis: behavioral15

Detonation Overview

Submitted

2024-12-15 00:49

Reported

2024-12-15 00:54

Platform

win10v2004-20241007-en

Max time kernel

146s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3dcompiler_47.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3dcompiler_47.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-12-15 00:49

Reported

2024-12-15 00:54

Platform

win7-20241010-en

Max time kernel

122s

Max time network

139s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2816 wrote to memory of 2828 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2816 wrote to memory of 2828 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2816 wrote to memory of 2828 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2816 -s 92
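Two things in this task are left for the reader to interpret: rundll32.exe loading a DLL from the user's Temp directory by ordinal, and the three "PID 2816 wrote to memory of 2828" events. The script below is an added example, not part of the sandbox report or its tooling. It flags rundll32 loading a DLL from a user-writable path, and it classifies a write event as a crash hand-off when the target is WerFault.exe whose -p argument names the writer (as here: WerFault.exe -u -p 2816, launched for the crashing rundll32 with PID 2816), distinguishing that from a genuine cross-process write. The process lines are copied from this task; the PID pairing comes from its WriteProcessMemory row.

```python
import re
from dataclasses import dataclass

# Paths an ordinary user can write to; a DLL loaded from here by a Windows host
# binary is the pattern worth flagging (rundll32 loading System32 DLLs is routine).
USER_WRITABLE = re.compile(r"^[A-Za-z]:\\(Users|ProgramData|Windows\\Temp)\\", re.I)
# "rundll32.exe <dll>,<export>" where the export is an ordinal (#1) or a name.
RUNDLL = re.compile(r'^\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+"?([^",]+\.dll)"?\s*,\s*(#\d+|\w+)', re.I)
# WerFault.exe -p <pid> names the faulting process it was launched for.
WERFAULT_PID = re.compile(r"werfault\.exe.*?-p\s+(\d+)", re.I)


@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str


def flag_rundll32(p: Proc):
    """Return a finding when rundll32 loads a DLL from a user-writable path, else None."""
    m = RUNDLL.match(p.cmdline)
    if not m:
        return None
    dll, export = m.group(1), m.group(2)
    if USER_WRITABLE.match(dll):
        return f"pid {p.pid}: rundll32 loads {dll} (export {export}) from a user-writable path"
    return None


def classify_write(writer: Proc, target: Proc) -> str:
    """Explain a 'writer wrote to memory of target' event."""
    m = WERFAULT_PID.search(target.cmdline)
    if m and int(m.group(1)) == writer.pid:
        return "crash-handoff"      # faulting process started WerFault for itself
    if writer.image.lower() == target.image.lower():
        return "same-image-child"   # e.g. a browser bootstrapping its own child processes
    return "cross-process-write"    # the case that deserves a closer look


# Process lines copied from the behavioral20 task above; the write pair is its
# WriteProcessMemory row (PID 2816 wrote to memory of 2828).
PROCS = {
    2816: Proc(2816, r"C:\Windows\system32\rundll32.exe",
               r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1"),
    2828: Proc(2828, r"C:\Windows\system32\WerFault.exe",
               r"C:\Windows\system32\WerFault.exe -u -p 2816 -s 92"),
}
WRITES = [(2816, 2828)]


def triage(procs, writes):
    """Run both rules over a task and return (findings, {(writer, target): kind})."""
    findings = [f for p in procs.values() if (f := flag_rundll32(p))]
    write_kinds = {pair: classify_write(procs[pair[0]], procs[pair[1]]) for pair in writes}
    return findings, write_kinds


if __name__ == "__main__":
    findings, kinds = triage(PROCS, WRITES)
    for f in findings:
        print(f)
    for (w, t), k in kinds.items():
        print(f"{w} -> {t}: {k}")
```

The crash hand-off classification says only that the write is explained by WER; it does not say the DLL is benign. A DLL that crashes immediately when rundll32 calls its ordinal 1 is also what a library not designed to be run that way looks like, so the rundll32 finding is the one to follow up by inspecting the DLL itself.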

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-15 00:49

Reported

2024-12-15 00:53

Platform

win7-20240903-en

Max time kernel

117s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 220

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-12-15 00:49

Reported

2024-12-15 00:54

Platform

win7-20241010-en

Max time kernel

121s

Max time network

132s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 228

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-12-15 00:49

Reported

2024-12-15 00:54

Platform

win10v2004-20241007-en

Max time kernel

145s

Max time network

157s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html

Signatures

Browser Information Discovery

discovery

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (row repeated 25 times; every event is from msedge.exe with no indicator or target)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (row repeated 24 times; every event is from msedge.exe with no indicator or target)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3296 wrote to memory of 4180 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (2 events)
PID 3296 wrote to memory of 452 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (40 events)
PID 3296 wrote to memory of 3668 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (2 events)
PID 3296 wrote to memory of 236 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (20 events)

All 64 writes originate from PID 3296, the Edge browser process (the Crashpad pipe in the Files section is named crashpad_3296_...), and land in msedge.exe processes, consistent with the browser bootstrapping its own crashpad-handler, gpu-process, utility and renderer children listed under Processes rather than with injection into an unrelated process.

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb688c46f8,0x7ffb688c4708,0x7ffb688c4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,18445303482543285401,15285802766409259904,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,18445303482543285401,15285802766409259904,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,18445303482543285401,15285802766409259904,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,18445303482543285401,15285802766409259904,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,18445303482543285401,15285802766409259904,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,18445303482543285401,15285802766409259904,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4024 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,18445303482543285401,15285802766409259904,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4024 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,18445303482543285401,15285802766409259904,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4812 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,18445303482543285401,15285802766409259904,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,18445303482543285401,15285802766409259904,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,18445303482543285401,15285802766409259904,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,18445303482543285401,15285802766409259904,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5032 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 35.77.123.92.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
N/A 224.0.0.251:5353 (mDNS multicast; no domain) udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 25.77.123.92.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
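Every DNS row in this table and in behavioral15's is a PTR lookup (a name under in-addr.arpa sent to 8.8.8.8:53), i.e. the host asking "who is this IP?" about addresses it already talked to, plus one mDNS multicast probe; none is the sample resolving a domain. The script below is an added example, not part of the sandbox report or its tooling: it parses rows in this table's layout, recovers the IP behind each PTR name by reversing the four labels (58.55.71.13.in-addr.arpa refers to 13.71.55.58), separates mDNS from real forward lookups, and summarises the table into the IPs worth pivoting on. The embedded rows are copied from this task; the hostname used in the test is a made-up example.

```python
import ipaddress

# Rows copied from the behavioral14 Network table above (a constructed subset).
ROWS = """\
Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
""".splitlines()


def parse_row(row: str):
    """Split 'Country Destination [Domain] Proto'; the mDNS row has no Domain column."""
    parts = row.split()
    country, dest, proto = parts[0], parts[1], parts[-1]
    domain = parts[2] if len(parts) == 4 else ""
    return country, dest, domain, proto


def ptr_target(domain: str):
    """Return the IPv4 address a PTR name refers to (labels reversed), or None."""
    suffix = ".in-addr.arpa"
    if not domain.lower().endswith(suffix):
        return None
    labels = domain[: -len(suffix)].split(".")
    if len(labels) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(labels))))
    except ipaddress.AddressValueError:
        return None


def classify(row: str) -> dict:
    """Label one row: PTR lookup, mDNS probe, forward name resolution or raw connection."""
    country, dest, domain, proto = parse_row(row)
    ip = ptr_target(domain)
    if ip:
        kind = "ptr-lookup"          # reverse lookup; the IP, not the name, is the artefact
    elif dest.startswith("224.0.0.251:") and dest.endswith(":5353"):
        kind = "mdns"                # link-local multicast DNS, no remote party
    elif domain:
        kind = "name-resolution"     # a forward lookup: the name worth pivoting on
    else:
        kind = "raw-connection"
    return {"country": country, "dest": dest, "domain": domain, "proto": proto,
            "kind": kind, "looked_up_ip": ip}


def summarize(rows):
    """Collapse a Network table: PTR rows become the set of IPs looked up,
    forward lookups are listed by name, everything else is kept whole."""
    out = {"ptr_ips": set(), "names": [], "other": []}
    for r in rows:
        if not r.strip() or r.startswith("Country"):
            continue
        c = classify(r)
        if c["kind"] == "ptr-lookup":
            out["ptr_ips"].add(c["looked_up_ip"])
        elif c["kind"] == "name-resolution":
            out["names"].append(c["domain"])
        else:
            out["other"].append(c)
    return out


if __name__ == "__main__":
    s = summarize(ROWS)
    print("IPs looked up via PTR:", sorted(s["ptr_ips"]))
    print("forward lookups:", s["names"])
    print("other:", [(o["dest"], o["kind"]) for o in s["other"]])
```

An empty "names" list with a populated PTR set, as for this task, means the process contacted no domain of its own during the run; the recovered IPs can still be checked against the process's actual connections before being dismissed as background traffic.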

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 37f660dd4b6ddf23bc37f5c823d1c33a
SHA1 1c35538aa307a3e09d15519df6ace99674ae428b
SHA256 4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8
SHA512 807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

\??\pipe\LOCAL\crashpad_3296_QRHCJFVXMLIFLHKT

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 d7cb450b1315c63b1d5d89d98ba22da5
SHA1 694005cd9e1a4c54e0b83d0598a8a0c089df1556
SHA256 38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031
SHA512 df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 82ae17445d3d1c0a0f4c9500647bf217
SHA1 42b2bed8a6eeeb7268c66a0d4554ff00cb741f9c
SHA256 2771ae153ca2e49674bb74f4c7b30815945da1f4bf0b86f4317060a8b5d44074
SHA512 d0d738fa0ca4c990431a3d6d82e9c89d1c877015a1b81fcf26a8c0cc68d3a913d596de1177b0415166af054adb98258ef70b3f90eb1cd6913a66662ef9e87a46

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 91a3d1ea36ce3d9de0ee5549a0b645d7
SHA1 b4a5a8c5489d5c39709521b029fdcc63cec2db2d
SHA256 3986bc133c04cee725693fb785cf0b55683635056a620ac2338d52af9b9ae76f
SHA512 7d66572132ce12aa37a36a73736bd4705b641f729cd2f86a390751390a162abb2fb42301b54f9ee2c81cd2e006594b2e1b44e108010179f13587232b8a81270b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 f837ab251b699c5c82e051a3eaa53033
SHA1 c5f1045058dc49242a27704b1628c50b97baeadf
SHA256 aa2c52e035b638584252ca0eeb12bed99177bfc304f797830b53ee03963e52f1
SHA512 995d7a8543d09507261355ab078d4b875e34e6abbacecf547a2c6c8947ea75e3c8c95901a1850b32dca8998449fa30385e46053ea12a19dbd65428dbb2d4a182

Analysis: behavioral17

Detonation Overview

Submitted

2024-12-15 00:49

Reported

2024-12-15 00:54

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

160s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 25.77.123.92.in-addr.arpa udp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-12-15 00:49

Reported

2024-12-15 00:54

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

0s

Max time network

130s

Command Line

[/tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/7x.sh]

Signatures

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/local/bin/bash N/A
N/A N/A /usr/sbin/bash N/A
N/A N/A /usr/bin/bash N/A
N/A N/A /sbin/bash N/A
N/A N/A /bin/bash N/A
N/A N/A /tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/7x.sh N/A
N/A N/A /usr/local/sbin/bash N/A

Processes

/tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/7x.sh

[/tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/7x.sh]

/usr/local/sbin/bash

[bash /tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/7x.sh]

/usr/local/bin/bash

[bash /tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/7x.sh]

/usr/sbin/bash

[bash /tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/7x.sh]

/usr/bin/bash

[bash /tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/7x.sh]

/sbin/bash

[bash /tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/7x.sh]

/bin/bash

[bash /tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/7x.sh]

Network

Country Destination Domain Proto
US 151.101.1.91:443 N/A tcp
GB 185.125.188.62:443 N/A tcp
GB 185.125.188.62:443 N/A tcp
US 151.101.1.91:443 N/A tcp
GB 195.181.164.15:443 N/A tcp
N/A 224.0.0.251:5353 N/A udp

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-12-15 00:49

Reported

2024-12-15 00:52

Platform

debian9-armhf-20240611-en

Max time kernel

0s

Command Line

[/tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/linux/arm64/7za]

Signatures

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/linux/arm64/7za N/A

Processes

/tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/linux/arm64/7za

[/tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/linux/arm64/7za]

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-12-15 00:49

Reported

2024-12-15 00:54

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2364 wrote to memory of 4792 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2364 wrote to memory of 4792 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2364 wrote to memory of 4792 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4792 -ip 4792

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 25.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-12-15 00:49

Reported

2024-12-15 00:54

Platform

win7-20240729-en

Max time kernel

133s

Max time network

132s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B772A421-BA7E-11EF-A641-5E10E05FA61A} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0506a8c8b4edb01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000aef8dfd7e59b204fbe94e4c8d00efd5400000000020000000000106600000001000020000000ec478d6909dd7ad7ebfc1ee4a64b18f02d00a2c55e31e3401ce73e720c74f203000000000e80000000020000200000000626b82a2244ce940f1163e61d2303959d7eef0772c9a746976f2f61bec94f78200000001cb2ed48a7a83b0720f39c5ee98e6197937f851098a735af3e2f57fb3b0ad69340000000b6ddd1443ee7bffc1b19bcf8093a844a56adb3437d131907132516b69f1d5837d7d1c7fdf8222ae14f48ce94c1e6112b576f9a98c49162727155a72d023f5a55 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "440385755" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [value truncated] C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1172 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\CabB82B.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarB89B.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 405787c88ece0d6bc72dab4c635fd92a
SHA1 c1e043a70d149ca518c5054a4ad22f2d4f352617
SHA256 bca1fc0746f0d589722c52717bf987cb8fe110432f89ff89a4718cc76f6ff9be
SHA512 37a0461cbd8471999b3d05174f9db78afabb2a966af1867b7dfb401b4003ad326fb6b6b9f1b8df4a8f07f0d36ac6a7667d0fae79d135457710c101245f842cad

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8e02e1c44483a47739715649b7655c2b
SHA1 9b9a55ef8b649989cc49195c6d05e1eb4c1a16d0
SHA256 132cc5696f134498c2c6943cbd530b4a9d09573b1d32518b169a973626d7e512
SHA512 d4c956e6c2baffb69bcf0e625b01311b29913c466669239c81ea0ff096e28632d142b6e1fd864e3d572be914148ce5c4f4007d77fb33cf4e8c6f75cb2919416f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3bfd721c41c8a6094750ee71fcf272b9
SHA1 6ae75e6927ba71d06c1ec2f8601578702dcc040d
SHA256 5438b22b72a5bddcb5d3e0289bd41513c6fee01c26e3cdfdec6a8e17b88905ac
SHA512 883927e70cc6fbdb865cc3d5d047a9deaae85bcbe6d845a9d4937123cf877b3e5d7f38af086597de4c23ff98eebfa0ed06c99e378beb8f7d5876dcb4b6787c0f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1cb0a6a173b5a7bfbbbe2f927e34af48
SHA1 3265800d86bf5175ab7ae84396415258103cea8a
SHA256 86ee1210ccab12898b44b28a409dd0994677de0dca03dc68b9a98d70d5398538
SHA512 8a94a03a3952b959b85e29cd692c6131383762a60c9ec35e65787aea5c28ac362f92cbbf95e4a8aaeb0551d8726a5fb0d3a083cced22a154539b5b106b446eef

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b53188c5dae473785abb0c4ead53ff68
SHA1 6304e05bae8d637398168e39e72ed90b4ead2aa9
SHA256 aeaa3c7c006763f16136a09138bd22c3fe8656b5abc83bde18c62b555e4eeeed
SHA512 96bf54aaff8859aeaccd4fdae5feb37f41541226ede76e7c07237ffb85f3c6483a6ccdc248937c603e089cb31a60afc9ecf6fe02f32507a2890984063d906d65

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 516e3043d711dda6fdbf192f8c41d124
SHA1 7ae78329c3cffcebffa40f25b1d82d2e5afdfdcd
SHA256 dfe75d1ab733874f99cdee3db30aa94510f80d48eb2d6cd9adc3fdbd7f658e95
SHA512 2676e8e3784eef875a749dea3881b4aa952be97c98a55af01b5e13d99da24c6e8271f646bd6e787e2cfc1c43d28f24951f760212981d99511ce96652ddb71f5d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e81e8298c9c249a9798c21d176f587ad
SHA1 34c6454cb74bc3cef8e545ea963cdc8914758014
SHA256 a5c5db62bbbe5afac7f0decfd07dd50ef80bded77ea70490ff8fbca5e9b3e23d
SHA512 0261c0ad2f0326b4992bceeb160ba1433b5fc06be50366131088497bcbb7649e7178a8fee9e53f9f0be5413c51139edf25db06d49beed0572fa0b9b2fb005de4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 62595c48d1f2e6618658f5adb9d2a303
SHA1 3ec341a4afaabada80838ab486c08b1827853c4c
SHA256 25c5d131238fb096650a98b41d49daf3119d9297338c966a31be8850387e58dc
SHA512 c9f39f2b23c8fe781846daf128a8fde30175d23b88894bad4aa43179fafbe3aff7f7ddf7089933d5925876472f69cd2f9d8048c778b63bea97efc0460079aa58

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4720a7a3f5aaf4708bf4f3c950c19e52
SHA1 388352095587bb08785943f25301d61e85a636be
SHA256 2edce86af72979a3deb72d2b198dd05ad6cf2dce0bf831d55828ec5c229038d9
SHA512 7c82e39a5993f3e68a9f4f65b24dbc9d8f8e98ba2af6e4cd980ccd938d8f99516edcd60a93bb46b527d9feb343ece73a87c557dc1c0d65bd04c28aa9bf1b973c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f1e36e730e9b250e2ed2969e3fa91040
SHA1 f8df76e14bc46be92a6cc69603ed77d7eecca735
SHA256 6d0dbe9fa7075f786fdf6e9451303bc902fb121f8f20471445aad9f7f09c653d
SHA512 b4edc65d1c52cff732a862596cee209a26fee233a84dfe40467b7830dee4eab40d3d0ce70c86535b64244ea3eddaa6cb5d2df38633ff0a5145aaa8b6acd7964c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d805120dc67221c44e89ea1b3aa38d51
SHA1 e0d2b27af968a9ab760f25aaf4ca4b24499238e0
SHA256 f3d791274f2ae6e244a8fb526fb102c5147501b17ba9e625d3f1e3f6f3d54b4d
SHA512 36ab33f8a047555e32a94e7d544e3606b1f221e0bfc996ff50af794ffd8fb53924dec63e1fb3efbe2718086912c535b7d733d618b08ebcc0e40998ee45b82721

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6890de1b26b1a2c8382934b96b73325a
SHA1 21065afeadbea4a972940e45774617163159d416
SHA256 054532da4b19616444abdb47d95ed50371f1afba2761f9dd0874accdb0520e10
SHA512 6a883f0b4c8c0580ae20e32f200bc41f95851e685307866551f4059c120b99fa6416443302455849d0b0c40fb680af071044a633afe5bf2c5f2db10aec54b8a6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1207f5d85dada8702ea9a8c54bc382e2
SHA1 5ea567fddf93a477d06e0e351ec23f9dff8cfade
SHA256 3486b18947c0c33608fec1385dc25ab332b3e8d5eee7e393ee7a8dc90a8412ab
SHA512 8a23c07ac8a9627486e0bf1b6a31aab9cf5eb2c562b61267a45e95860304935f5f87c5eaca832b035bbbb1f7da7032d3e2b760c3554d1b558a996a7a61a1e382

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bdc3fa3d0768148d1997f260b0469826
SHA1 75c0cc30a49610b30e602ad8e7a570083112fca0
SHA256 17bf6fa8f066c1088a21945ff13bde854a7241df05ddd8f01d7bfbb64266f920
SHA512 b29b1752c038c53fc458175d17acea07b2a731b2ad436e23b1cdf0f7ea2f2d55fcf86b17ad52e1f38b9568b4940345e07821bee988e6b11fd5d1e3e3b53f69db

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 94e58d2b8b789b69606668e8c06559c8
SHA1 5181a548165997d087d234f16a2ffd7672b33850
SHA256 e183d65fc7707b529697949fc811a05e8f6f51edafac0fa7dd2389474370b674
SHA512 c6defb3edacf2e0b7cc0e0edd61f95b5f3b8b7488a8790da7e8d6534af8bddaee34f7c1b42a72e4ee48a49828aaa50be32b7cbe01ce44b22102c74a45d5cfaeb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 37e0086747edd947ce26aac43331d47f
SHA1 a9687c3d2b53153d50f1d28fe09453fa7537ef63
SHA256 2d2a3adc5d99e7fffbdfcb97b0f02e99846f8d0cc7edbddbea309516d77b3ecc
SHA512 a8bed9a056e6fd508dee3ece10475d36c9276489ada071f6874ab6cc991d86c5c1ac3855060200a6396c9a5bf78b34cd820255afbe1a672ce8e8144b765e7868

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e47269562fbf299bb8d7d6b61bf8d233
SHA1 d7f918747fce16e0ca36d3f41663ef4e8d1d678c
SHA256 632df4759a4aecf41c7e96ee3e3a6df50ccf16a4e86681e4e7320855407d9cc4
SHA512 2ea068399a0f32d1e779ea0789116b5921b5504984a333ff8cea9461dc3309b15a67a837e6e0e678fdb1b37888675945631a2a66cfcce1d702a692bf757889a5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cc8e489b0c52be5ba561fafe71e61769
SHA1 43f532808cde37f78ca7080c14113e7676aff18a
SHA256 524cf72c8c4781949ce82df13509fc79faefb4e43a0da2a94a636a84d18cf860
SHA512 6203c05516fc94b6819e7aa861514ddcdb39f007e0f5dc4ed2b14ae930e3add4f2c2ffc945e6a0ec2e4991a1c912dd71ad5d5b8ebbe64270dfce30ffab2cb67e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6599ef70c3274135d56d180f6e849776
SHA1 c584e4ab281bb69ddd4a84405a47b251d26ba180
SHA256 f7128ee9e07024c852d57775d8a5f7b621f0e344170b1ae77b77dcbd97f24871
SHA512 35da43fa5c065e214526ae82ee61c6c396ea6789c78d878673b5de261e5d0ee79ba588c274270ac9c568521e83ef9a5acf491efc0ddde4367d4cddc02f9fccc8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 29d34ba91d047bba65e5d4a382555892
SHA1 3785e7d72fbf65852ee08134cfde44a0c8b2a53a
SHA256 396806e63f912349ca271c2af1bd18ad8dd355b8f5de1085374a4a94ac66433d
SHA512 b0f83c62c8c5fcb63f1f45d75c5503f81615a4459bdf8e4c2a3d715a0c3dc7095d3daf54ae6b4fa491588f3a25d179cea95dbb97216680fa529a718b6e3ef90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cd333d7fbb290d3e7f55a51e716fb0c1
SHA1 636583461168d03f9af8540c5e8e72d4bf0bc684
SHA256 2990f1aa521b0f4fdc443bfe5a5f97866c0da9b8e39ac979d9ccad6fa57fe7e6
SHA512 9df1965eb58eed8a002aacc127dd38a848399131de55af03a8b32d1315dd2c5f759510cd0e41a69abce0c78dd88af83771860d362601af95b20916f8d48d6314

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6676984cf5eb595c0fb25cb04f809fb2
SHA1 f654c5cf2d01d5deac685834b35a26812bca90f6
SHA256 36b4ceb6dfef35bb99b8b0d82a127276ed81e85fac7f8ae967f6b93481830360
SHA512 8c79cbad959719ae1a56484ed4cad8ef252b26fe5c475ddd0c5fdab1cd99cfb3311ea4907b38f4d12267d10330b642d341cd98357a6a421102597a4ccf54abe9

Analysis: behavioral23

Detonation Overview

Submitted

2024-12-15 00:49

Reported

2024-12-15 00:54

Platform

debian9-armhf-20240418-en

Max time kernel

0s

Command Line

[/tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/7x.sh]

Signatures

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /bin/bash N/A
N/A N/A /tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/7x.sh N/A
N/A N/A /usr/local/sbin/bash N/A
N/A N/A /usr/local/bin/bash N/A
N/A N/A /usr/sbin/bash N/A
N/A N/A /usr/bin/bash N/A
N/A N/A /sbin/bash N/A

Processes

/tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/7x.sh

[/tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/7x.sh]

/usr/local/sbin/bash

[bash /tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/7x.sh]

/usr/local/bin/bash

[bash /tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/7x.sh]

/usr/sbin/bash

[bash /tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/7x.sh]

/usr/bin/bash

[bash /tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/7x.sh]

/sbin/bash

[bash /tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/7x.sh]

/bin/bash

[bash /tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/7x.sh]

Network

N/A

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-12-15 00:49

Reported

2024-12-15 00:51

Platform

ubuntu1804-amd64-20240729-en

Max time kernel

0s

Max time network

5s

Command Line

[/tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/linux/arm64/7za]

Signatures

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/linux/arm64/7za N/A

Processes

/tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/linux/arm64/7za

[/tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/linux/arm64/7za]

Network

Country Destination Domain Proto
US 151.101.193.91:443 N/A tcp
GB 185.125.188.61:443 N/A tcp
GB 185.125.188.61:443 N/A tcp
US 151.101.193.91:443 N/A tcp
GB 84.17.50.9:443 N/A tcp
N/A 224.0.0.251:5353 N/A udp
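The Network tables in this report put resolver traffic and real connections in one whitespace-separated layout, and the Domain column is blank (or N/A) on rows such as the mDNS multicast line and the TLS connections above. In the rundll32 runs every row is a PTR query to 8.8.8.8 for an in-addr.arpa name, and no outbound connection from the sample appears in those tables. The Python helper below is an added example, not part of the sandbox output: it parses rows in either shape (three fields, or four with N/A for a blank domain), turns each in-addr.arpa name back into the address being resolved (the octets are stored reversed), and separates PTR lookups and multicast from real connections. The sample rows are copied from the tables in this report, with one rewritten in the N/A form.

```python
"""Triage helper for the flattened 'Network' tables in this report.

Added example, not part of the sandbox output. Rows are whitespace-separated
'Country Destination Domain Proto'; the Domain column is blank or N/A on rows
such as the mDNS multicast line, so a row may carry three or four fields.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

PTR_SUFFIX = ".in-addr.arpa"


@dataclass(frozen=True)
class NetRow:
    country: str
    dest_ip: str
    dest_port: int
    domain: Optional[str]
    proto: str

    @property
    def ptr_target(self) -> Optional[str]:
        """If the row is a reverse-DNS (PTR) lookup, the address being resolved.

        '58.55.71.13.in-addr.arpa' encodes 13.71.55.58 (octets reversed).
        """
        if not self.domain or not self.domain.endswith(PTR_SUFFIX):
            return None
        octets = self.domain[: -len(PTR_SUFFIX)].split(".")
        if len(octets) != 4:
            return None
        ip = ".".join(reversed(octets))
        try:
            ipaddress.IPv4Address(ip)
        except ValueError:
            return None
        return ip


def parse_row(line: str) -> NetRow:
    fields = line.split()
    if len(fields) == 3:                # Domain column blank (e.g. mDNS multicast)
        country, dest, proto = fields
        domain = None
    elif len(fields) == 4:
        country, dest, domain, proto = fields
        if domain == "N/A":             # same column written in the N/A form
            domain = None
    else:
        raise ValueError(f"unexpected field count in row: {line!r}")
    ip, _, port = dest.rpartition(":")
    return NetRow(country, ip, int(port), domain, proto.lower())


def parse_table(text: str) -> List[NetRow]:
    rows = []
    for line in text.strip().splitlines():
        if line.startswith("Country"):  # header row
            continue
        rows.append(parse_row(line))
    return rows


def triage(rows: List[NetRow]) -> Dict[str, List[str]]:
    """Split rows into PTR lookups (resolver noise), multicast, and real connections."""
    out: Dict[str, List[str]] = {"ptr_targets": [], "multicast": [], "connections": []}
    for r in rows:
        target = r.ptr_target
        if target:
            out["ptr_targets"].append(target)
        elif ipaddress.IPv4Address(r.dest_ip).is_multicast:
            out["multicast"].append(f"{r.dest_ip}:{r.dest_port}/{r.proto}")
        else:
            label = f"{r.dest_ip}:{r.dest_port}/{r.proto}"
            if r.domain:
                label += f" ({r.domain})"
            out["connections"].append(label)
    return out


# Constructed sample: rows copied from the Network tables in this report,
# the last one rewritten with N/A in the Domain column.
SAMPLE = """
Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 151.101.193.91:443 tcp
GB 185.125.188.61:443 N/A tcp
"""

if __name__ == "__main__":
    for bucket, items in triage(parse_table(SAMPLE)).items():
        print(bucket, items)
```

Feed a whole Network table to parse_table() and look at the "connections" bucket first; the "ptr_targets" bucket gives the addresses the host was reverse-resolving, which is what the rundll32 runs in this report consist of entirely.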

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-12-15 00:49

Reported

2024-12-15 00:52

Platform

debian9-mipsbe-20240418-en

Max time kernel

0s

Command Line

[/tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/linux/arm64/7za]

Signatures

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/linux/arm64/7za N/A

Processes

/tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/linux/arm64/7za

[/tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/linux/arm64/7za]

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-12-15 00:49

Reported

2024-12-15 00:53

Platform

win10v2004-20241007-en

Max time kernel

146s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 212 wrote to memory of 3284 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 212 wrote to memory of 3284 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 212 wrote to memory of 3284 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3284 -ip 3284

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3284 -s 612
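The rundll32 runs in this report (ffmpeg.dll, $PLUGINSDIR\System.dll, $PLUGINSDIR\WinShell.dll) each load a DLL from the user's Temp directory and call its first export by ordinal. $PLUGINSDIR is the NSIS installer's plugin directory, and the System.dll, UAC.dll, StdUtils.dll and nsDialogs.dll files in the nsdCC64.tmp directory listed under behavioral1 are standard NSIS plugins; a plugin export expects NSIS's own stack and variables, so calling it from a bare rundll32 is expected to fault, which matches the WerFault entries here. The system32 to SysWOW64 rundll32 pair with the "wrote to memory of" rows is consistent with the 64-bit rundll32 handing a 32-bit DLL to its 32-bit counterpart with the same command line, rather than the sample writing into a foreign process. The Python below is an added triage helper, not part of the sandbox output: it parses rundll32 command lines, flags DLLs loaded by ordinal from a user-writable Temp path, and tags NSIS plugin locations so they can be separated from the sample's own behaviour. The sample command lines are copied from this report, plus one constructed benign control-panel invocation.

```python
"""Triage of rundll32 command lines such as those recorded in this report.

Added example, not part of the sandbox output. Classifies rundll32
invocations by where the DLL lives and whether the export is an ordinal,
and tags NSIS plugin paths ($PLUGINSDIR, ns*.tmp) separately.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Matches: [path\]rundll32[.exe] <dll>,<export or #ordinal> [args], quotes optional.
RUNDLL32_RE = re.compile(
    r'^\s*"?(?:[a-z]:\\[^"]*\\)?rundll32(?:\.exe)?"?\s+'
    r'"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>#?\w+)',
    re.IGNORECASE,
)
# User-writable temp directory as it appears in the report's paths.
USER_TEMP_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
# NSIS extracts plugins to %TEMP%\ns<random>.tmp\ and refers to it as $PLUGINSDIR.
NSIS_TMP_RE = re.compile(r"\\ns[a-z0-9]+\.tmp\\", re.IGNORECASE)


@dataclass(frozen=True)
class Rundll32Call:
    dll: str
    export: str
    ordinal: Optional[int]
    dll_in_user_temp: bool
    nsis_plugin_dir: bool


def parse_rundll32(cmdline: str) -> Optional[Rundll32Call]:
    """Return the parsed call, or None if the command line is not rundll32."""
    m = RUNDLL32_RE.match(cmdline)
    if not m:
        return None
    dll, export = m.group("dll"), m.group("export")
    ordinal = int(export[1:]) if export.startswith("#") and export[1:].isdigit() else None
    return Rundll32Call(
        dll=dll,
        export=export,
        ordinal=ordinal,
        dll_in_user_temp=USER_TEMP_RE.search(dll) is not None,
        nsis_plugin_dir=("\\$PLUGINSDIR\\" in dll) or NSIS_TMP_RE.search(dll) is not None,
    )


def classify(cmdline: str) -> str:
    """Coarse triage label for one process-creation command line."""
    call = parse_rundll32(cmdline)
    if call is None:
        return "not-rundll32"
    if call.nsis_plugin_dir:
        return "nsis-plugin-from-temp"       # extracted installer plugin, not sample logic
    if call.dll_in_user_temp and call.ordinal is not None:
        return "temp-dll-by-ordinal"         # worth a closer look at the DLL itself
    if call.dll_in_user_temp:
        return "temp-dll"
    return "benign-path"


def summarize(cmdlines: List[str]) -> Dict[str, str]:
    return {c: classify(c) for c in cmdlines}


# Constructed sample: three command lines copied from this report plus one
# benign control-panel invocation (not from the report) as a control.
SAMPLE_CMDLINES = [
    r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1",
    r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 3284 -s 612",
    r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
]

if __name__ == "__main__":
    for cmd, label in summarize(SAMPLE_CMDLINES).items():
        print(f"{label:24} {cmd}")
```

In a SIEM the same logic maps onto process-creation events (Sysmon Event ID 1 or Security 4688) whose image is rundll32.exe; apply classify() to the command-line field and treat "temp-dll-by-ordinal" as the bucket that needs the DLL pulled for analysis, while "nsis-plugin-from-temp" is the installer's own scaffolding.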

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-12-15 00:49

Reported

2024-12-15 00:55

Platform

debian9-mipsbe-20240729-en

Max time kernel

0s

Command Line

[/tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/7x.sh]

Signatures

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/bash N/A
N/A N/A /sbin/bash N/A
N/A N/A /bin/bash N/A
N/A N/A /tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/7x.sh N/A
N/A N/A /usr/local/sbin/bash N/A
N/A N/A /usr/local/bin/bash N/A
N/A N/A /usr/sbin/bash N/A

Processes

/tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/7x.sh

[/tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/7x.sh]

/usr/local/sbin/bash

[bash /tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/7x.sh]

/usr/local/bin/bash

[bash /tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/7x.sh]

/usr/sbin/bash

[bash /tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/7x.sh]

/usr/bin/bash

[bash /tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/7x.sh]

/sbin/bash

[bash /tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/7x.sh]

/bin/bash

[bash /tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/7x.sh]

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-15 00:49

Reported

2024-12-15 00:53

Platform

win7-20240903-en

Max time kernel

122s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Alondrissa-win-x64.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Alondrissa-win-x64.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa-win-x64.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Alondrissa-win-x64.exe

"C:\Users\Admin\AppData\Local\Temp\Alondrissa-win-x64.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nsdCC64.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

\Users\Admin\AppData\Local\Temp\nsdCC64.tmp\UAC.dll

MD5 adb29e6b186daa765dc750128649b63d
SHA1 160cbdc4cb0ac2c142d361df138c537aa7e708c9
SHA256 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
SHA512 b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

\Users\Admin\AppData\Local\Temp\nsdCC64.tmp\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

\Users\Admin\AppData\Local\Temp\nsdCC64.tmp\nsDialogs.dll

MD5 466179e1c8ee8a1ff5e4427dbb6c4a01
SHA1 eb607467009074278e4bd50c7eab400e95ae48f7
SHA256 1e40211af65923c2f4fd02ce021458a7745d28e2f383835e3015e96575632172
SHA512 7508a29c722d45297bfb090c8eb49bd1560ef7d4b35413f16a8aed62d3b1030a93d001a09de98c2b9fea9acf062dc99a7278786f4ece222e7436b261d14ca817

Analysis: behavioral4

Detonation Overview

Submitted

2024-12-15 00:49

Reported

2024-12-15 00:53

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

145s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2448 wrote to memory of 388 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2448 wrote to memory of 388 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2448 wrote to memory of 388 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 388 -ip 388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 388 -s 628

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 21.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-12-15 00:49

Reported

2024-12-15 00:54

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 516 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe
PID 516 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe
PID 516 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe
PID 516 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe
PID 516 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe
PID 516 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe
PID 516 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe
PID 516 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe
PID 516 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe
PID 516 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe
PID 516 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe
PID 516 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe
PID 516 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe
PID 516 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe
PID 516 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe
PID 516 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe
PID 516 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe
PID 516 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe
PID 516 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe
PID 516 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe
PID 516 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe
PID 516 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe
PID 516 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe
PID 516 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe
PID 516 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe
PID 516 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe
PID 516 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe
PID 516 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe
PID 516 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe
PID 516 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe
PID 516 wrote to memory of 708 N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe
PID 516 wrote to memory of 708 N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe
PID 516 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe
PID 516 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe
PID 516 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe
PID 516 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe
PID 516 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe
PID 516 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe

"C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe"

C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe

"C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\alondrissa" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1712 --field-trial-handle=1716,i,7911226535340569180,9711313295858517515,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe

"C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\alondrissa" --mojo-platform-channel-handle=2236 --field-trial-handle=1716,i,7911226535340569180,9711313295858517515,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8

C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe

"C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\alondrissa" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2264 --field-trial-handle=1716,i,7911226535340569180,9711313295858517515,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1

C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe

"C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\alondrissa" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3332 --field-trial-handle=1716,i,7911226535340569180,9711313295858517515,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1

C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe

"C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\alondrissa" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2452 --field-trial-handle=1716,i,7911226535340569180,9711313295858517515,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 api.github.com udp
US 8.8.8.8:53 api.github.com udp
GB 20.26.156.210:443 api.github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 210.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 npriv.boxmineworld.com udp
US 89.117.79.21:4009 npriv.boxmineworld.com tcp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 21.79.117.89.in-addr.arpa udp
US 8.8.8.8:53 google.com udp
FR 216.58.214.174:443 google.com tcp
US 89.117.79.21:4009 npriv.boxmineworld.com tcp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.4.4:443 dns.google tcp
US 8.8.8.8:443 dns.google tcp
US 89.117.79.21:4009 npriv.boxmineworld.com tcp
US 8.8.8.8:443 dns.google tcp
US 89.117.79.21:4009 npriv.boxmineworld.com tcp
US 89.117.79.21:4009 npriv.boxmineworld.com tcp
US 89.117.79.21:4009 npriv.boxmineworld.com tcp
US 8.8.8.8:53 www.google.com udp
US 89.117.79.21:4009 npriv.boxmineworld.com tcp
FR 172.217.20.164:443 www.google.com tcp
US 8.8.8.8:53 174.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 185.150.189.243:26308 tcp
US 8.8.8.8:53 164.20.217.172.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
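
Reading the behavioral12 Network table above by hand is slow: most rows are the sandbox's own reverse lookups (*.in-addr.arpa) plus Chromium runtime traffic, while the rows that matter are the repeated TCP connections to npriv.boxmineworld.com on port 4009 and the single connection to 185.150.189.243:26308 for which no name was ever resolved (its Domain column is empty). The script below is an added example, not part of the sandbox report. It parses rows in the report's Country/Destination/Domain/Proto layout, drops PTR noise, rebuilds the set of names resolved during the run, and flags every TCP destination that was never resolved, uses a non-standard port, or falls outside an allowlist. The sample rows are a subset copied from the table above; the allowlist (GitHub and Google hosts, including dns.google, which a Chromium-based launcher commonly reaches for updates, connectivity checks and DNS-over-HTTPS probing) is this example's assumption, not a finding of the report.

```python
"""Triage a sandbox 'Network' table: find the destinations worth a closer look.

Rows follow the report's layout  Country Destination Domain Proto, e.g.
    US 8.8.8.8:53 api.github.com udp
    US 89.117.79.21:4009 npriv.boxmineworld.com tcp
    US 185.150.189.243:26308 tcp          <- Domain column empty (bare IP)
"""
from collections import Counter

# Subset of rows copied from the behavioral12 Network table of the report.
SAMPLE_ROWS = """\
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 api.github.com udp
GB 20.26.156.210:443 api.github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 npriv.boxmineworld.com udp
US 89.117.79.21:4009 npriv.boxmineworld.com tcp
US 8.8.8.8:53 google.com udp
FR 216.58.214.174:443 google.com tcp
US 89.117.79.21:4009 npriv.boxmineworld.com tcp
US 8.8.8.8:53 dns.google udp
US 8.8.4.4:443 dns.google tcp
US 8.8.8.8:443 dns.google tcp
US 89.117.79.21:4009 npriv.boxmineworld.com tcp
US 185.150.189.243:26308 tcp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
"""

# Assumption (this example's, not the report's): hosts a Chromium-based
# launcher is expected to reach. Anything else on a TCP row gets flagged.
EXPECTED_DOMAINS = ("github.com", "githubusercontent.com", "google.com", "dns.google")
STANDARD_PORTS = {80, 443}


def parse_row(line):
    """Split one row; tolerate the 3-field form where Domain is empty."""
    fields = line.split()
    if len(fields) == 4:
        country, dest, domain, proto = fields
    elif len(fields) == 3:
        country, dest, proto = fields
        domain = None
    else:
        raise ValueError(f"unexpected row: {line!r}")
    ip, port = dest.rsplit(":", 1)
    return {"country": country, "ip": ip, "port": int(port),
            "domain": domain, "proto": proto}


def is_reverse_lookup(row):
    """PTR queries are the sandbox resolving IPs for display, not sample activity."""
    return row["proto"] == "udp" and (row["domain"] or "").endswith(".in-addr.arpa")


def is_expected(domain):
    """Exact match or subdomain of an allowlisted name (no bare suffix match)."""
    return any(domain == d or domain.endswith("." + d) for d in EXPECTED_DOMAINS)


def triage(text):
    """Return ([(ip, port, domain, [reasons]), ...], Counter of TCP destinations)."""
    rows = [parse_row(line) for line in text.splitlines() if line.strip()]
    resolved = {r["domain"] for r in rows
                if r["proto"] == "udp" and r["port"] == 53 and not is_reverse_lookup(r)}
    # Counter keeps first-seen order, so findings come out in table order.
    hits = Counter((r["ip"], r["port"], r["domain"]) for r in rows if r["proto"] == "tcp")
    findings = []
    for (ip, port, domain) in hits:
        reasons = []
        if domain is None:
            reasons.append("no DNS name: destination is a hard-coded IP")
        elif domain not in resolved:
            reasons.append("name never resolved in this run")
        elif not is_expected(domain):
            reasons.append("name outside the expected set")
        if port not in STANDARD_PORTS:
            reasons.append(f"non-standard port {port}")
        if reasons:
            findings.append((ip, port, domain, reasons))
    return findings, hits


if __name__ == "__main__":
    findings, hits = triage(SAMPLE_ROWS)
    for ip, port, domain, reasons in findings:
        print(f"{ip}:{port} ({domain or '-'}) x{hits[(ip, port, domain)]}: {'; '.join(reasons)}")
```

Run against the full table the connection count for 89.117.79.21:4009 is seven, which is the repetition pattern to carry into a network detection; the bare-IP destination is the one row a domain-based blocklist would never catch.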

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.exc

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Local\Temp\920deb53-e4ea-4b96-8fa9-ccdea538003c.tmp.node

MD5 3072b68e3c226aff39e6782d025f25a8
SHA1 cf559196d74fa490ac8ce192db222c9f5c5a006a
SHA256 7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01
SHA512 61ebc72c20195e99244d95af1ab44fa06201a1aee2b5da04490fdc4312e8324a40b0e15a7b42fab5179753d767c1d08ae1a7a56ac71a6e100e63f83db849ee61

C:\Users\Admin\AppData\Roaming\alondrissa\Session Storage\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Roaming\alondrissa\databases\Databases.db

MD5 ff72fbbfa28ddd9749c1bbb3ccc023cd
SHA1 96973105364068a65ec127005d37c674394a1b4a
SHA256 da9904b09d2d6ca69086567449587836afa6c32127da6ba8c5c33482508cb003
SHA512 06e1e770782603e7581b60076930842745a8d2be033115394d4f171e455b10b6fed16c622f7dde0479a63e4142d8cc6c52e0d1c12c324b5cdf637d29f19cc10e

C:\Users\Admin\AppData\Roaming\alondrissa\Preferences

MD5 58127c59cb9e1da127904c341d15372b
SHA1 62445484661d8036ce9788baeaba31d204e9a5fc
SHA256 be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de
SHA512 8d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a

C:\Users\Admin\AppData\Roaming\alondrissa\Preferences~RFe57bc6a.TMP

MD5 d11dedf80b85d8d9be3fec6bb292f64b
SHA1 aab8783454819cd66ddf7871e887abdba138aef3
SHA256 8029940de92ae596278912bbbd6387d65f4e849d3c136287a1233f525d189c67
SHA512 6b7ec1ca5189124e0d136f561ca7f12a4653633e2d9452d290e658dfe545acf6600cc9496794757a43f95c91705e9549ef681d4cc9e035738b03a18bdc2e25f0

C:\Users\Admin\AppData\Roaming\alondrissa\databases\Databases.db

MD5 427b942101760a6122340cc18761b70f
SHA1 b21cf399e1c1594b3e6bbf2db91bdb9c73f74bf1
SHA256 67a1b46ee9678a0147f5fe01bc11fc0de834efaa3aeb6248ea3f689600df080c
SHA512 0e3c900597836c6dcf735243ea9af0b17dc54c4e138fc0cc185f21325af6fd0424fc44fbb3a380d4f7fe4193071cbfd029849c8ace8ba4d10624c227b40540e6

C:\Users\Admin\AppData\Roaming\alondrissa\Network\Network Persistent State

MD5 43ba6dba862fddaeddec755b25244fa4
SHA1 2a9c55fc745f614f7d8f8d99d2f212518c5dcb33
SHA256 66f6402798158ec2f0556a3a4af43188f89f50c67eee78ccfadaf7a749c6b21c
SHA512 978bba14a0dd0fd3f4c34f0a2d44f5dbe03976a647e031addfd01eacd7a925858db77563cc649ef72945004b8dfe4cbc81a7da775e698c3a050447d6199b41fa

C:\Users\Admin\AppData\Roaming\alondrissa\Network\Network Persistent State~RFe58b0ec.TMP

MD5 2800881c775077e1c4b6e06bf4676de4
SHA1 2873631068c8b3b9495638c865915be822442c8b
SHA256 226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974
SHA512 e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

memory/1088-122-0x000001451E020000-0x000001451E021000-memory.dmp

memory/1088-121-0x000001451E020000-0x000001451E021000-memory.dmp

memory/1088-120-0x000001451E020000-0x000001451E021000-memory.dmp

memory/1088-126-0x000001451E020000-0x000001451E021000-memory.dmp

memory/1088-128-0x000001451E020000-0x000001451E021000-memory.dmp

memory/1088-132-0x000001451E020000-0x000001451E021000-memory.dmp

memory/1088-131-0x000001451E020000-0x000001451E021000-memory.dmp

memory/1088-130-0x000001451E020000-0x000001451E021000-memory.dmp

memory/1088-129-0x000001451E020000-0x000001451E021000-memory.dmp

memory/1088-127-0x000001451E020000-0x000001451E021000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-12-15 00:49

Reported

2024-12-15 00:53

Platform

win7-20240903-en

Max time kernel

121s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-12-15 00:49

Reported

2024-12-15 00:54

Platform

win7-20240903-en

Max time kernel

118s

Max time network

124s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\minecraft-java-core\node_modules\7zip-bin\index.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\minecraft-java-core\node_modules\7zip-bin\index.js

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-15 00:49

Reported

2024-12-15 00:54

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Alondrissa-win-x64.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Alondrissa-win-x64.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Alondrissa-win-x64.exe

"C:\Users\Admin\AppData\Local\Temp\Alondrissa-win-x64.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 182.129.81.91.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 35.77.123.92.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 9.179.89.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsp78EA.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

C:\Users\Admin\AppData\Local\Temp\nsp78EA.tmp\UAC.dll

MD5 adb29e6b186daa765dc750128649b63d
SHA1 160cbdc4cb0ac2c142d361df138c537aa7e708c9
SHA256 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
SHA512 b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

C:\Users\Admin\AppData\Local\Temp\nsp78EA.tmp\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

C:\Users\Admin\AppData\Local\Temp\nsp78EA.tmp\nsDialogs.dll

MD5 466179e1c8ee8a1ff5e4427dbb6c4a01
SHA1 eb607467009074278e4bd50c7eab400e95ae48f7
SHA256 1e40211af65923c2f4fd02ce021458a7745d28e2f383835e3015e96575632172
SHA512 7508a29c722d45297bfb090c8eb49bd1560ef7d4b35413f16a8aed62d3b1030a93d001a09de98c2b9fea9acf062dc99a7278786f4ece222e7436b261d14ca817
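
The four DLLs listed under behavioral1 (nsdCC64.tmp, Windows 7) and behavioral2 (nsp78EA.tmp, Windows 10) carry identical hashes despite the different temporary directory names, and their names (System.dll, UAC.dll, StdUtils.dll, nsDialogs.dll) together with the $PLUGINSDIR path used by the rundll32 runs are NSIS installer plugin conventions. Before pivoting on those hashes as indicators, a practitioner wants to separate stable installer components from per-run artifacts. The script below is an added example, not part of the sandbox report: it parses Files entries in the report's layout (a path line followed by digest lines), groups them by SHA256 across runs, reports files under an NSIS plugin directory that recur with the same hash, and separately reports a path recorded twice with different hashes within one run (Databases.db in behavioral12), where no single hash would be a stable indicator. The inline sample is copied from those sections with only the SHA256 lines kept; the directory-name pattern ns<letter><4 hex>.tmp is an assumption that matches the two names on this page. The WerFault crashes in the rundll32 runs of these plugins (behavioral4, behavioral5, behavioral9) are likely just the result of calling plugin exports with rundll32's argument layout instead of the installer's, not evidence of anti-analysis.

```python
"""Correlate sandbox 'Files' entries across runs by content hash.

Each entry in the report is a path line followed by MD5/SHA1/SHA256/SHA512 lines.
"""
import re
from collections import defaultdict

# Copied from the behavioral1, behavioral2 and (two entries of) behavioral12
# Files sections; only the SHA256 line of each entry is kept here.
RUNS = {
    "behavioral1": r"""
\Users\Admin\AppData\Local\Temp\nsdCC64.tmp\System.dll
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

\Users\Admin\AppData\Local\Temp\nsdCC64.tmp\UAC.dll
SHA256 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

\Users\Admin\AppData\Local\Temp\nsdCC64.tmp\StdUtils.dll
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

\Users\Admin\AppData\Local\Temp\nsdCC64.tmp\nsDialogs.dll
SHA256 1e40211af65923c2f4fd02ce021458a7745d28e2f383835e3015e96575632172
""",
    "behavioral2": r"""
C:\Users\Admin\AppData\Local\Temp\nsp78EA.tmp\System.dll
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

C:\Users\Admin\AppData\Local\Temp\nsp78EA.tmp\UAC.dll
SHA256 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

C:\Users\Admin\AppData\Local\Temp\nsp78EA.tmp\StdUtils.dll
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

C:\Users\Admin\AppData\Local\Temp\nsp78EA.tmp\nsDialogs.dll
SHA256 1e40211af65923c2f4fd02ce021458a7745d28e2f383835e3015e96575632172
""",
    "behavioral12": r"""
C:\Users\Admin\AppData\Roaming\alondrissa\databases\Databases.db
SHA256 da9904b09d2d6ca69086567449587836afa6c32127da6ba8c5c33482508cb003

C:\Users\Admin\AppData\Roaming\alondrissa\databases\Databases.db
SHA256 67a1b46ee9678a0147f5fe01bc11fc0de834efaa3aeb6248ea3f689600df080c
""",
}

DIGEST_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$")
# Assumption: NSIS unpacks plugins to %TEMP%\ns<letter><4 hex>.tmp\ (fits
# nsdCC64.tmp and nsp78EA.tmp above) or to the $PLUGINSDIR directory.
NSIS_PLUGIN_DIR_RE = re.compile(r"\\(ns[a-z][0-9a-f]{4}\.tmp|\$PLUGINSDIR)\\", re.IGNORECASE)


def parse_files(text):
    """Turn the path-then-digests layout into [{'path': ..., 'SHA256': ...}, ...]."""
    entries, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = DIGEST_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
        elif not m:                      # any non-digest line starts a new entry
            current = {"path": line}
            entries.append(current)
    return entries


def by_hash(runs):
    """sha256 -> [(run, path), ...] over every run."""
    index = defaultdict(list)
    for run, text in runs.items():
        for e in parse_files(text):
            index[e["SHA256"]].append((run, e["path"]))
    return index


def stock_plugin_candidates(runs):
    """Hashes seen under an NSIS plugin directory in two or more runs.
    Identical bytes in every run points at installer-framework plugins rather
    than a per-run payload; confirm against a known-good copy of the plugin
    before treating the hash as an indicator of this sample."""
    out = {}
    for sha, hits in by_hash(runs).items():
        if len({run for run, _ in hits}) < 2:
            continue
        if all(NSIS_PLUGIN_DIR_RE.search(path) for _, path in hits):
            out[sha] = sorted({path.rsplit("\\", 1)[-1] for _, path in hits})
    return out


def rewritten_paths(runs):
    """(run, path) recorded with more than one hash: the file was rewritten
    during the run, so no single hash of it is a stable indicator."""
    seen = defaultdict(set)
    for run, text in runs.items():
        for e in parse_files(text):
            seen[(run, e["path"])].add(e["SHA256"])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    for sha, names in stock_plugin_candidates(RUNS).items():
        print("stock plugin?", sha[:16], names)
    for (run, path), shas in rewritten_paths(RUNS).items():
        print("rewritten:", run, path, len(shas), "versions")
```

The useful indicators from the Files sections are therefore the application's own state under %APPDATA%\alondrissa and the .tmp.node native module, not the NSIS plugin DLLs, which any installer built with the same NSIS plugins would drop with the same hashes.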

Analysis: behavioral9

Detonation Overview

Submitted

2024-12-15 00:49

Reported

2024-12-15 00:54

Platform

win7-20240903-en

Max time kernel

119s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 220

Network

N/A

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-12-15 00:49

Reported

2024-12-15 00:54

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

158s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 35.77.123.92.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-12-15 00:49

Reported

2024-12-15 00:55

Platform

debian9-mipsel-20240226-en

Max time kernel

15s

Command Line

[/tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/7x.sh]

Signatures

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /sbin/bash N/A
N/A N/A /bin/bash N/A
N/A N/A /tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/7x.sh N/A
N/A N/A /usr/local/sbin/bash N/A
N/A N/A /usr/local/bin/bash N/A
N/A N/A /usr/sbin/bash N/A
N/A N/A /usr/bin/bash N/A

Processes

/tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/7x.sh

[/tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/7x.sh]

/usr/local/sbin/bash

[bash /tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/7x.sh]

/usr/local/bin/bash

[bash /tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/7x.sh]

/usr/sbin/bash

[bash /tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/7x.sh]

/usr/bin/bash

[bash /tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/7x.sh]

/sbin/bash

[bash /tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/7x.sh]

/bin/bash

[bash /tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/7x.sh]

Network

N/A

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-12-15 00:49

Reported

2024-12-15 00:54

Platform

win10v2004-20241007-en

Max time kernel

144s

Max time network

152s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\minecraft-java-core\node_modules\7zip-bin\index.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\minecraft-java-core\node_modules\7zip-bin\index.js

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-12-15 00:49

Reported

2024-12-15 00:53

Platform

win7-20240729-en

Max time kernel

120s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 220

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-12-15 00:49

Reported

2024-12-15 00:54

Platform

win10v2004-20241007-en

Max time kernel

146s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1744 wrote to memory of 2888 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1744 wrote to memory of 2888 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1744 wrote to memory of 2888 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2888 -ip 2888

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 624

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-12-15 00:49

Reported

2024-12-15 00:54

Platform

win7-20240903-en

Max time kernel

121s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe

"C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe"

Network

N/A

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-12-15 00:49

Reported

2024-12-15 00:54

Platform

win7-20240903-en

Max time kernel

122s

Max time network

133s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-12-15 00:49

Reported

2024-12-15 00:54

Platform

win10v2004-20241007-en

Max time kernel

138s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-12-15 00:49

Reported

2024-12-15 00:55

Platform

debian9-armhf-20240611-en

Max time kernel

0s

Command Line

[/tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/linux/arm/7za]

Signatures

Enumerates kernel/hardware configuration

discovery
Description Indicator Process Target
File opened for reading /sys/devices/system/cpu /tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/linux/arm/7za N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/linux/arm/7za N/A

Processes

/tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/linux/arm/7za

[/tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/linux/arm/7za]

Network

N/A

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-12-15 00:49

Reported

2024-12-15 00:53

Platform

debian9-mipsel-20240611-en

Max time kernel

0s

Command Line

[/tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/linux/arm64/7za]

Signatures

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/linux/arm64/7za N/A

Processes

/tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/linux/arm64/7za

[/tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/linux/arm64/7za]

Network

N/A

Files

N/A