Analysis Overview
SHA256
ccc87548032d163cdd832986c0078434b0ab313f228bd3cceacc5bd04f8520ba
Threat Level: Likely malicious
The file Alondrissa-win-x64.exe was found to be: Likely malicious.
How to read this verdict: it aggregates the static signatures (static1) with the behavioral runs below, and none of those runs executes the installer end to end. Each run detonates one extracted component on its own: an NSIS plugin DLL from $PLUGINSDIR (StdUtils.dll, UAC.dll, System.dll), a Chromium/Electron runtime DLL (d3dcompiler_47.dll, libGLESv2.dll, ffmpeg.dll), the bundled 7-Zip binary under app.asar.unpacked, or LICENSES.chromium.html opened in Edge or Internet Explorer. Check the Process column of every signature table: where it names rundll32.exe, WerFault.exe, msedge.exe or iexplore.exe, the behavior was produced by that loader or browser acting on the dropped file and should be weighed accordingly.
Malicious Activity Summary
CryptOne packer
Loads dropped DLL
Checks computer location settings
Unsigned PE
Browser Information Discovery
Command and Scripting Interpreter: JavaScript
System Network Configuration Discovery
Enumerates physical storage devices
Enumerates kernel/hardware configuration
Program crash
System Location Discovery: System Language Discovery
Enumerates system info in registry
Suspicious use of WriteProcessMemory
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-15 00:51
Signatures
CryptOne packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
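The Unsigned PE signature carries no indicator detail, so here is the check a practitioner can run locally on the sample. This is an added example, not part of the report or of any sandbox tooling: it parses the PE headers and reads the Security data directory, which is where an Authenticode certificate table lives. Presence of that table only proves a signature blob is attached; validity (chain, hash match, timestamp) must be checked with a real verifier such as signtool verify /pa or Get-AuthenticodeSignature. Because the sample itself is not reproduced here, build_minimal_pe constructs a header-only stand-in (an assumption of this example, not a real binary) to exercise both the signed and unsigned paths.

```python
"""Check whether a PE carries an Authenticode certificate table.

Added example, not part of the sandbox report: it answers only "is a
signature blob attached?". Whether that signature is valid (chain,
hash match, timestamp) needs a real verifier such as signtool or
Get-AuthenticodeSignature.
"""
import hashlib
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def authenticode_status(data: bytes) -> dict:
    """Return digest, bitness and certificate-table details for a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    # Data directories start at +96 (PE32) or +112 (PE32+); the count precedes them.
    dir_base = opt + (112 if magic == PE32PLUS_MAGIC else 96)
    (n_dirs,) = struct.unpack_from("<I", data, dir_base - 4)
    result = {
        "sha256": hashlib.sha256(data).hexdigest(),
        "machine": machine,
        "pe32plus": magic == PE32PLUS_MAGIC,
        "signed": False,
    }
    needed = dir_base - opt + 8 * (IMAGE_DIRECTORY_ENTRY_SECURITY + 1)
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY or opt_size < needed:
        return result
    # Unlike every other directory, the security entry holds a raw file offset.
    off, size = struct.unpack_from("<II", data, dir_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if off == 0 or size < 8 or off + size > len(data):
        return result            # no certificate table, or one pointing outside the file
    length, revision, cert_type = struct.unpack_from("<IHH", data, off)  # WIN_CERTIFICATE
    result.update(signed=True, cert_offset=off, cert_size=size,
                  cert_length=length, revision=revision, cert_type=cert_type)
    return result


def build_minimal_pe(signed: bool, pe32plus: bool = True) -> bytes:
    """Constructed header-only PE used as sample input; not a runnable binary."""
    opt_len = 240 if pe32plus else 224
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)     # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_len, 0x22)
    opt = bytearray(opt_len)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    dir_base = 112 if pe32plus else 96
    struct.pack_into("<I", opt, dir_base - 4, 16)                    # NumberOfRvaAndSizes
    cert = b""
    if signed:
        body = b"\x30\x00"       # placeholder DER SEQUENCE, not a real PKCS#7 signature
        pad = (-(8 + len(body))) % 8                                   # 8-byte alignment
        cert = struct.pack("<IHH", 8 + len(body), WIN_CERT_REVISION_2_0,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body + b"\0" * pad
        headers_len = len(dos) + 4 + len(coff) + opt_len
        struct.pack_into("<II", opt, dir_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         headers_len, len(cert))
    return dos + b"PE\0\0" + coff + bytes(opt) + cert


if __name__ == "__main__":
    for flag in (False, True):
        print(authenticode_status(build_minimal_pe(signed=flag)))
```

Run it against the real sample with `authenticode_status(open(path, "rb").read())`; compare the returned sha256 with the one at the top of this report before trusting anything else it says, and treat `signed: True` as "has a certificate table", nothing more.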
Analysis: behavioral15
Detonation Overview
Submitted
2024-12-15 00:49
Reported
2024-12-15 00:54
Platform
win10v2004-20241007-en
Max time kernel
146s
Max time network
155s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3dcompiler_47.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
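Every row in this Network table is a DNS query to 8.8.8.8:53 for an in-addr.arpa name, that is, a reverse (PTR) lookup; the report records only the query, not a connection to the address it encodes. The following added example (my code, not part of the report) decodes those names back into addresses so the list can be checked against allow-lists or passive-DNS data. The table rows embedded in it are copied from this report; the ip6.arpa branch goes beyond what the report contains and is included for completeness.

```python
"""Decode the PTR names in this report's Network tables back into IP addresses.

Added example, not part of the sandbox report. Each "w.x.y.z.in-addr.arpa"
query sent to 8.8.8.8:53 is a reverse lookup whose labels are the address
octets in reverse order; ip6.arpa names (32 reversed hex nibbles) are
handled too, although this report contains none.
"""
import ipaddress
import re
from typing import Dict, List, Optional

PTR_RE = re.compile(r"^(?P<labels>[0-9a-f.]+)\.(?P<zone>in-addr|ip6)\.arpa\.?$", re.I)
PROTOS = {"tcp", "udp"}


def ptr_name_to_ip(name: str) -> Optional[str]:
    """'13.86.106.20.in-addr.arpa' -> '20.106.86.13'; None if not a PTR name."""
    m = PTR_RE.match(name.strip())
    if not m:
        return None
    labels = m.group("labels").split(".")
    try:
        if m.group("zone").lower() == "in-addr":
            if len(labels) != 4:
                return None
            return str(ipaddress.IPv4Address(".".join(reversed(labels))))
        if len(labels) != 32:
            return None
        return str(ipaddress.IPv6Address(int("".join(reversed(labels)), 16)))
    except ValueError:           # malformed label such as "300"
        return None


def parse_network_table(text: str) -> List[Dict]:
    """Parse the report's '| Country | Destination | Domain | Proto |' rows."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        # Some extracted rows lost their Domain cell and shifted Proto left.
        if len(cells) in (3, 4) and cells[2].lower() in PROTOS and (len(cells) == 3 or cells[3] == ""):
            cells = [cells[0], cells[1], "N/A", cells[2]]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        host, sep, port = dest.rpartition(":")
        if not sep:
            host, port = dest, ""
        rows.append({"country": country, "dest_host": host,
                     "dest_port": int(port) if port.isdigit() else None,
                     "domain": domain, "proto": proto.lower(),
                     "ptr_ip": ptr_name_to_ip(domain)})
    return rows


def ptr_targets(rows: List[Dict]) -> List[str]:
    """Unique addresses that were reverse-resolved, in numeric order."""
    ips = {r["ptr_ip"] for r in rows if r["ptr_ip"]}
    return sorted(ips, key=lambda s: (ipaddress.ip_address(s).version, ipaddress.ip_address(s)))


# Rows copied from this report (behavioral15, plus the mDNS row of behavioral14).
SAMPLE_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp | |
"""

if __name__ == "__main__":
    parsed = parse_network_table(SAMPLE_TABLE)
    for ip in ptr_targets(parsed):
        print(ip)
```

Paste any of the Network tables from this page into SAMPLE_TABLE (or read them from a file) to get the decoded address list; the parser tolerates the rows on this page whose Domain cell was lost in extraction.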
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-12-15 00:49
Reported
2024-12-15 00:54
Platform
win7-20241010-en
Max time kernel
122s
Max time network
139s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2816 wrote to memory of 2828 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 2816 wrote to memory of 2828 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 2816 wrote to memory of 2828 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2816 -s 92
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-12-15 00:49
Reported
2024-12-15 00:53
Platform
win7-20240903-en
Max time kernel
117s
Max time network
120s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 220
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-12-15 00:49
Reported
2024-12-15 00:54
Platform
win7-20241010-en
Max time kernel
121s
Max time network
132s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 228
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-12-15 00:49
Reported
2024-12-15 00:54
Platform
win10v2004-20241007-en
Max time kernel
145s
Max time network
157s
Command Line
Signatures
Browser Information Discovery
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb688c46f8,0x7ffb688c4708,0x7ffb688c4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,18445303482543285401,15285802766409259904,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,18445303482543285401,15285802766409259904,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,18445303482543285401,15285802766409259904,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,18445303482543285401,15285802766409259904,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,18445303482543285401,15285802766409259904,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,18445303482543285401,15285802766409259904,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4024 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,18445303482543285401,15285802766409259904,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4024 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,18445303482543285401,15285802766409259904,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4812 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,18445303482543285401,15285802766409259904,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,18445303482543285401,15285802766409259904,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,18445303482543285401,15285802766409259904,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,18445303482543285401,15285802766409259904,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5032 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.77.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.77.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 37f660dd4b6ddf23bc37f5c823d1c33a |
| SHA1 | 1c35538aa307a3e09d15519df6ace99674ae428b |
| SHA256 | 4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8 |
| SHA512 | 807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d |
\??\pipe\LOCAL\crashpad_3296_QRHCJFVXMLIFLHKT
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
These four digests are the well-known hashes of zero-length input (d41d8cd9... is the MD5 of the empty string, e3b0c442... its SHA256): the entry is the Crashpad named pipe, not a file with content, and the hashes carry no information about the sample.
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | d7cb450b1315c63b1d5d89d98ba22da5 |
| SHA1 | 694005cd9e1a4c54e0b83d0598a8a0c089df1556 |
| SHA256 | 38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031 |
| SHA512 | df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 82ae17445d3d1c0a0f4c9500647bf217 |
| SHA1 | 42b2bed8a6eeeb7268c66a0d4554ff00cb741f9c |
| SHA256 | 2771ae153ca2e49674bb74f4c7b30815945da1f4bf0b86f4317060a8b5d44074 |
| SHA512 | d0d738fa0ca4c990431a3d6d82e9c89d1c877015a1b81fcf26a8c0cc68d3a913d596de1177b0415166af054adb98258ef70b3f90eb1cd6913a66662ef9e87a46 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 91a3d1ea36ce3d9de0ee5549a0b645d7 |
| SHA1 | b4a5a8c5489d5c39709521b029fdcc63cec2db2d |
| SHA256 | 3986bc133c04cee725693fb785cf0b55683635056a620ac2338d52af9b9ae76f |
| SHA512 | 7d66572132ce12aa37a36a73736bd4705b641f729cd2f86a390751390a162abb2fb42301b54f9ee2c81cd2e006594b2e1b44e108010179f13587232b8a81270b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | f837ab251b699c5c82e051a3eaa53033 |
| SHA1 | c5f1045058dc49242a27704b1628c50b97baeadf |
| SHA256 | aa2c52e035b638584252ca0eeb12bed99177bfc304f797830b53ee03963e52f1 |
| SHA512 | 995d7a8543d09507261355ab078d4b875e34e6abbacecf547a2c6c8947ea75e3c8c95901a1850b32dca8998449fa30385e46053ea12a19dbd65428dbb2d4a182 |
Analysis: behavioral17
Detonation Overview
Submitted
2024-12-15 00:49
Reported
2024-12-15 00:54
Platform
win10v2004-20241007-en
Max time kernel
147s
Max time network
160s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.77.123.92.in-addr.arpa | udp |
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-12-15 00:49
Reported
2024-12-15 00:54
Platform
ubuntu1804-amd64-20240611-en
Max time kernel
0s
Max time network
130s
Command Line
Signatures
System Network Configuration Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | /usr/local/bin/bash | N/A |
| N/A | N/A | /usr/sbin/bash | N/A |
| N/A | N/A | /usr/bin/bash | N/A |
| N/A | N/A | /sbin/bash | N/A |
| N/A | N/A | /bin/bash | N/A |
| N/A | N/A | /tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/7x.sh | N/A |
| N/A | N/A | /usr/local/sbin/bash | N/A |
Processes
/tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/7x.sh
[/tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/7x.sh]
/usr/local/sbin/bash
[bash /tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/7x.sh]
/usr/local/bin/bash
[bash /tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/7x.sh]
/usr/sbin/bash
[bash /tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/7x.sh]
/usr/bin/bash
[bash /tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/7x.sh]
/sbin/bash
[bash /tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/7x.sh]
/bin/bash
[bash /tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/7x.sh]
Network
| Country | Destination | Domain | Proto |
| US | 151.101.1.91:443 | N/A | tcp |
| GB | 185.125.188.62:443 | N/A | tcp |
| GB | 185.125.188.62:443 | N/A | tcp |
| US | 151.101.1.91:443 | N/A | tcp |
| GB | 195.181.164.15:443 | N/A | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
Files
Analysis: behavioral30
Detonation Overview
Submitted
2024-12-15 00:49
Reported
2024-12-15 00:52
Platform
debian9-armhf-20240611-en
Max time kernel
0s
Command Line
Signatures
System Network Configuration Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | /tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/linux/arm64/7za | N/A |
Processes
/tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/linux/arm64/7za
[/tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/linux/arm64/7za]
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-12-15 00:49
Reported
2024-12-15 00:54
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2364 wrote to memory of 4792 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2364 wrote to memory of 4792 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2364 wrote to memory of 4792 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4792 -ip 4792
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 612
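The process tree in this run, and in behavioral15, 20, 3 and 7, follows one pattern: the root process is rundll32.exe given one dropped DLL and the entry `#1` (export ordinal 1), the 64-bit rundll32 relaunches its SysWOW64 copy for a 32-bit DLL (the WriteProcessMemory rows from 2364 to 4792 are that relaunch), and WerFault.exe then appears with `-p <pid>` of the rundll32 that faulted. That is the harness exercising each dropped DLL in isolation, which for an NSIS plugin or a Chromium runtime DLL does nothing useful and here ended in a crash; it is not the installer running. The same shape is still worth alerting on in endpoint telemetry, because rundll32 loading a DLL out of a user temp directory is rarely legitimate outside an installer. The added example below (my code, not the sandbox's) implements that as two correlated rules over Sysmon-style process-creation events; the field names pid/ppid/image/cmdline are an assumption of the example, the rundll32 command lines and PIDs are taken from this run, and the WerFault PIDs, parent PID and benign control event are constructed.

```python
"""Triage rules for the rundll32 -> WerFault pattern in this report's runs.

Added example, not part of the sandbox output. It consumes process-creation
events with Sysmon-style fields (pid, ppid, image, cmdline). SAMPLE_EVENTS
reuses the command lines and rundll32 PIDs shown in behavioral6; the WerFault
and parent PIDs and the benign control event are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

RUNDLL_RE = re.compile(
    r'^\s*"?(?:[^"\s]*[\\/])?rundll32(?:\.exe)?"?\s+(?P<arg>"[^"]+"\S*|\S+)', re.I)
TEMP_DIR_RE = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp)\\", re.I)
WERFAULT_PID_RE = re.compile(r"(?:^|\s)-p\s+(\d+)(?:\s|$)")


def parse_rundll32(cmdline: str) -> Optional[Tuple[str, str]]:
    """Split a rundll32 command line into (dll_path, entry); entry may be ''."""
    m = RUNDLL_RE.match(cmdline)
    if not m:
        return None
    arg = m.group("arg")
    dll, sep, entry = arg.rpartition(",")
    if not sep:                      # no ",EntryPoint" suffix
        dll, entry = arg, ""
    return dll.strip('"'), entry


def triage(events: List[Dict]) -> List[Dict]:
    """Flag rundll32 loading DLLs from temp dirs, then WerFault crashes of those PIDs."""
    findings: List[Dict] = []
    flagged: Dict[int, str] = {}     # rundll32 pid -> dll it loaded
    for ev in events:                # pass 1: the loaders (order-independent)
        if not ev["image"].lower().endswith("\\rundll32.exe"):
            continue
        parsed = parse_rundll32(ev["cmdline"])
        if parsed is None or not TEMP_DIR_RE.search(parsed[0]):
            continue
        dll, entry = parsed
        flagged[ev["pid"]] = dll
        findings.append({
            "rule": "rundll32_temp_dll", "pid": ev["pid"], "ppid": ev["ppid"],
            "dll": dll, "entry": entry,
            "ordinal_export": entry.startswith("#"),           # ",#1" calls export ordinal 1
            "nsis_plugin": "\\$pluginsdir\\" in dll.lower(),   # NSIS plugin extraction dir
        })
    for ev in events:                # pass 2: crash handlers for flagged PIDs
        if not ev["image"].lower().endswith("\\werfault.exe"):
            continue
        m = WERFAULT_PID_RE.search(ev["cmdline"])
        if m and int(m.group(1)) in flagged:
            crashed = int(m.group(1))
            findings.append({"rule": "werfault_for_flagged_rundll32", "pid": ev["pid"],
                             "crashed_pid": crashed, "dll": flagged[crashed]})
    return findings


SAMPLE_EVENTS = [
    {"pid": 2364, "ppid": 1000, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1"},
    {"pid": 4792, "ppid": 2364, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1"},
    # WerFault PIDs 5100/5120 and parent PID 1000 are constructed; the report omits them.
    {"pid": 5100, "ppid": 4792, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4792 -ip 4792"},
    {"pid": 5120, "ppid": 4792, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 612"},
    # Constructed benign control: rundll32 calling a system DLL by name, not from temp.
    {"pid": 6000, "ppid": 1000, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The two-pass design means the WerFault event can arrive before the rundll32 event in a batch and still be correlated. In production, feed it Sysmon Event ID 1 records (Image, CommandLine, ProcessId, ParentProcessId) and tune TEMP_DIR_RE to the directories your installers legitimately use; the `nsis_plugin` flag is there to let you down-rank hits that are plainly an NSIS installer doing its job.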
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-12-15 00:49
Reported
2024-12-15 00:54
Platform
win7-20240729-en
Max time kernel
133s
Max time network
132s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B772A421-BA7E-11EF-A641-5E10E05FA61A} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0506a8c8b4edb01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000aef8dfd7e59b204fbe94e4c8d00efd5400000000020000000000106600000001000020000000ec478d6909dd7ad7ebfc1ee4a64b18f02d00a2c55e31e3401ce73e720c74f203000000000e80000000020000200000000626b82a2244ce940f1163e61d2303959d7eef0772c9a746976f2f61bec94f78200000001cb2ed48a7a83b0720f39c5ee98e6197937f851098a735af3e2f57fb3b0ad69340000000b6ddd1443ee7bffc1b19bcf8093a844a56adb3437d131907132516b69f1d5837d7d1c7fdf8222ae14f48ce94c1e6112b576f9a98c49162727155a72d023f5a55 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "440385755" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (binary value elided) | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1172 wrote to memory of 2000 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1172 wrote to memory of 2000 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1172 wrote to memory of 2000 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1172 wrote to memory of 2000 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1172 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\CabB82B.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarB89B.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 405787c88ece0d6bc72dab4c635fd92a |
| SHA1 | c1e043a70d149ca518c5054a4ad22f2d4f352617 |
| SHA256 | bca1fc0746f0d589722c52717bf987cb8fe110432f89ff89a4718cc76f6ff9be |
| SHA512 | 37a0461cbd8471999b3d05174f9db78afabb2a966af1867b7dfb401b4003ad326fb6b6b9f1b8df4a8f07f0d36ac6a7667d0fae79d135457710c101245f842cad |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8e02e1c44483a47739715649b7655c2b |
| SHA1 | 9b9a55ef8b649989cc49195c6d05e1eb4c1a16d0 |
| SHA256 | 132cc5696f134498c2c6943cbd530b4a9d09573b1d32518b169a973626d7e512 |
| SHA512 | d4c956e6c2baffb69bcf0e625b01311b29913c466669239c81ea0ff096e28632d142b6e1fd864e3d572be914148ce5c4f4007d77fb33cf4e8c6f75cb2919416f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3bfd721c41c8a6094750ee71fcf272b9 |
| SHA1 | 6ae75e6927ba71d06c1ec2f8601578702dcc040d |
| SHA256 | 5438b22b72a5bddcb5d3e0289bd41513c6fee01c26e3cdfdec6a8e17b88905ac |
| SHA512 | 883927e70cc6fbdb865cc3d5d047a9deaae85bcbe6d845a9d4937123cf877b3e5d7f38af086597de4c23ff98eebfa0ed06c99e378beb8f7d5876dcb4b6787c0f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1cb0a6a173b5a7bfbbbe2f927e34af48 |
| SHA1 | 3265800d86bf5175ab7ae84396415258103cea8a |
| SHA256 | 86ee1210ccab12898b44b28a409dd0994677de0dca03dc68b9a98d70d5398538 |
| SHA512 | 8a94a03a3952b959b85e29cd692c6131383762a60c9ec35e65787aea5c28ac362f92cbbf95e4a8aaeb0551d8726a5fb0d3a083cced22a154539b5b106b446eef |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b53188c5dae473785abb0c4ead53ff68 |
| SHA1 | 6304e05bae8d637398168e39e72ed90b4ead2aa9 |
| SHA256 | aeaa3c7c006763f16136a09138bd22c3fe8656b5abc83bde18c62b555e4eeeed |
| SHA512 | 96bf54aaff8859aeaccd4fdae5feb37f41541226ede76e7c07237ffb85f3c6483a6ccdc248937c603e089cb31a60afc9ecf6fe02f32507a2890984063d906d65 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 516e3043d711dda6fdbf192f8c41d124 |
| SHA1 | 7ae78329c3cffcebffa40f25b1d82d2e5afdfdcd |
| SHA256 | dfe75d1ab733874f99cdee3db30aa94510f80d48eb2d6cd9adc3fdbd7f658e95 |
| SHA512 | 2676e8e3784eef875a749dea3881b4aa952be97c98a55af01b5e13d99da24c6e8271f646bd6e787e2cfc1c43d28f24951f760212981d99511ce96652ddb71f5d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e81e8298c9c249a9798c21d176f587ad |
| SHA1 | 34c6454cb74bc3cef8e545ea963cdc8914758014 |
| SHA256 | a5c5db62bbbe5afac7f0decfd07dd50ef80bded77ea70490ff8fbca5e9b3e23d |
| SHA512 | 0261c0ad2f0326b4992bceeb160ba1433b5fc06be50366131088497bcbb7649e7178a8fee9e53f9f0be5413c51139edf25db06d49beed0572fa0b9b2fb005de4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 62595c48d1f2e6618658f5adb9d2a303 |
| SHA1 | 3ec341a4afaabada80838ab486c08b1827853c4c |
| SHA256 | 25c5d131238fb096650a98b41d49daf3119d9297338c966a31be8850387e58dc |
| SHA512 | c9f39f2b23c8fe781846daf128a8fde30175d23b88894bad4aa43179fafbe3aff7f7ddf7089933d5925876472f69cd2f9d8048c778b63bea97efc0460079aa58 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4720a7a3f5aaf4708bf4f3c950c19e52 |
| SHA1 | 388352095587bb08785943f25301d61e85a636be |
| SHA256 | 2edce86af72979a3deb72d2b198dd05ad6cf2dce0bf831d55828ec5c229038d9 |
| SHA512 | 7c82e39a5993f3e68a9f4f65b24dbc9d8f8e98ba2af6e4cd980ccd938d8f99516edcd60a93bb46b527d9feb343ece73a87c557dc1c0d65bd04c28aa9bf1b973c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f1e36e730e9b250e2ed2969e3fa91040 |
| SHA1 | f8df76e14bc46be92a6cc69603ed77d7eecca735 |
| SHA256 | 6d0dbe9fa7075f786fdf6e9451303bc902fb121f8f20471445aad9f7f09c653d |
| SHA512 | b4edc65d1c52cff732a862596cee209a26fee233a84dfe40467b7830dee4eab40d3d0ce70c86535b64244ea3eddaa6cb5d2df38633ff0a5145aaa8b6acd7964c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d805120dc67221c44e89ea1b3aa38d51 |
| SHA1 | e0d2b27af968a9ab760f25aaf4ca4b24499238e0 |
| SHA256 | f3d791274f2ae6e244a8fb526fb102c5147501b17ba9e625d3f1e3f6f3d54b4d |
| SHA512 | 36ab33f8a047555e32a94e7d544e3606b1f221e0bfc996ff50af794ffd8fb53924dec63e1fb3efbe2718086912c535b7d733d618b08ebcc0e40998ee45b82721 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6890de1b26b1a2c8382934b96b73325a |
| SHA1 | 21065afeadbea4a972940e45774617163159d416 |
| SHA256 | 054532da4b19616444abdb47d95ed50371f1afba2761f9dd0874accdb0520e10 |
| SHA512 | 6a883f0b4c8c0580ae20e32f200bc41f95851e685307866551f4059c120b99fa6416443302455849d0b0c40fb680af071044a633afe5bf2c5f2db10aec54b8a6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1207f5d85dada8702ea9a8c54bc382e2 |
| SHA1 | 5ea567fddf93a477d06e0e351ec23f9dff8cfade |
| SHA256 | 3486b18947c0c33608fec1385dc25ab332b3e8d5eee7e393ee7a8dc90a8412ab |
| SHA512 | 8a23c07ac8a9627486e0bf1b6a31aab9cf5eb2c562b61267a45e95860304935f5f87c5eaca832b035bbbb1f7da7032d3e2b760c3554d1b558a996a7a61a1e382 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | bdc3fa3d0768148d1997f260b0469826 |
| SHA1 | 75c0cc30a49610b30e602ad8e7a570083112fca0 |
| SHA256 | 17bf6fa8f066c1088a21945ff13bde854a7241df05ddd8f01d7bfbb64266f920 |
| SHA512 | b29b1752c038c53fc458175d17acea07b2a731b2ad436e23b1cdf0f7ea2f2d55fcf86b17ad52e1f38b9568b4940345e07821bee988e6b11fd5d1e3e3b53f69db |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 94e58d2b8b789b69606668e8c06559c8 |
| SHA1 | 5181a548165997d087d234f16a2ffd7672b33850 |
| SHA256 | e183d65fc7707b529697949fc811a05e8f6f51edafac0fa7dd2389474370b674 |
| SHA512 | c6defb3edacf2e0b7cc0e0edd61f95b5f3b8b7488a8790da7e8d6534af8bddaee34f7c1b42a72e4ee48a49828aaa50be32b7cbe01ce44b22102c74a45d5cfaeb |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 37e0086747edd947ce26aac43331d47f |
| SHA1 | a9687c3d2b53153d50f1d28fe09453fa7537ef63 |
| SHA256 | 2d2a3adc5d99e7fffbdfcb97b0f02e99846f8d0cc7edbddbea309516d77b3ecc |
| SHA512 | a8bed9a056e6fd508dee3ece10475d36c9276489ada071f6874ab6cc991d86c5c1ac3855060200a6396c9a5bf78b34cd820255afbe1a672ce8e8144b765e7868 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e47269562fbf299bb8d7d6b61bf8d233 |
| SHA1 | d7f918747fce16e0ca36d3f41663ef4e8d1d678c |
| SHA256 | 632df4759a4aecf41c7e96ee3e3a6df50ccf16a4e86681e4e7320855407d9cc4 |
| SHA512 | 2ea068399a0f32d1e779ea0789116b5921b5504984a333ff8cea9461dc3309b15a67a837e6e0e678fdb1b37888675945631a2a66cfcce1d702a692bf757889a5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | cc8e489b0c52be5ba561fafe71e61769 |
| SHA1 | 43f532808cde37f78ca7080c14113e7676aff18a |
| SHA256 | 524cf72c8c4781949ce82df13509fc79faefb4e43a0da2a94a636a84d18cf860 |
| SHA512 | 6203c05516fc94b6819e7aa861514ddcdb39f007e0f5dc4ed2b14ae930e3add4f2c2ffc945e6a0ec2e4991a1c912dd71ad5d5b8ebbe64270dfce30ffab2cb67e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6599ef70c3274135d56d180f6e849776 |
| SHA1 | c584e4ab281bb69ddd4a84405a47b251d26ba180 |
| SHA256 | f7128ee9e07024c852d57775d8a5f7b621f0e344170b1ae77b77dcbd97f24871 |
| SHA512 | 35da43fa5c065e214526ae82ee61c6c396ea6789c78d878673b5de261e5d0ee79ba588c274270ac9c568521e83ef9a5acf491efc0ddde4367d4cddc02f9fccc8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 29d34ba91d047bba65e5d4a382555892 |
| SHA1 | 3785e7d72fbf65852ee08134cfde44a0c8b2a53a |
| SHA256 | 396806e63f912349ca271c2af1bd18ad8dd355b8f5de1085374a4a94ac66433d |
| SHA512 | b0f83c62c8c5fcb63f1f45d75c5503f81615a4459bdf8e4c2a3d715a0c3dc7095d3daf54ae6b4fa491588f3a25d179cea95dbb97216680fa529a718b6e3ef90d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | cd333d7fbb290d3e7f55a51e716fb0c1 |
| SHA1 | 636583461168d03f9af8540c5e8e72d4bf0bc684 |
| SHA256 | 2990f1aa521b0f4fdc443bfe5a5f97866c0da9b8e39ac979d9ccad6fa57fe7e6 |
| SHA512 | 9df1965eb58eed8a002aacc127dd38a848399131de55af03a8b32d1315dd2c5f759510cd0e41a69abce0c78dd88af83771860d362601af95b20916f8d48d6314 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6676984cf5eb595c0fb25cb04f809fb2 |
| SHA1 | f654c5cf2d01d5deac685834b35a26812bca90f6 |
| SHA256 | 36b4ceb6dfef35bb99b8b0d82a127276ed81e85fac7f8ae967f6b93481830360 |
| SHA512 | 8c79cbad959719ae1a56484ed4cad8ef252b26fe5c475ddd0c5fdab1cd99cfb3311ea4907b38f4d12267d10330b642d341cd98357a6a421102597a4ccf54abe9 |
Analysis: behavioral23
Detonation Overview
Submitted
2024-12-15 00:49
Reported
2024-12-15 00:54
Platform
debian9-armhf-20240418-en
Max time kernel
0s
Command Line
Signatures
System Network Configuration Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/bash | N/A |
| N/A | N/A | /tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/7x.sh | N/A |
| N/A | N/A | /usr/local/sbin/bash | N/A |
| N/A | N/A | /usr/local/bin/bash | N/A |
| N/A | N/A | /usr/sbin/bash | N/A |
| N/A | N/A | /usr/bin/bash | N/A |
| N/A | N/A | /sbin/bash | N/A |
Processes
/tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/7x.sh
[/tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/7x.sh]
/usr/local/sbin/bash
[bash /tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/7x.sh]
/usr/local/bin/bash
[bash /tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/7x.sh]
/usr/sbin/bash
[bash /tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/7x.sh]
/usr/bin/bash
[bash /tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/7x.sh]
/sbin/bash
[bash /tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/7x.sh]
/bin/bash
[bash /tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/7x.sh]
Network
Files
Analysis: behavioral29
Detonation Overview
Submitted
2024-12-15 00:49
Reported
2024-12-15 00:51
Platform
ubuntu1804-amd64-20240729-en
Max time kernel
0s
Max time network
5s
Command Line
Signatures
System Network Configuration Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | /tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/linux/arm64/7za | N/A |
Processes
/tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/linux/arm64/7za
[/tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/linux/arm64/7za]
Network
| Country | Destination | Domain | Proto |
| US | 151.101.193.91:443 | N/A | tcp |
| GB | 185.125.188.61:443 | N/A | tcp |
| GB | 185.125.188.61:443 | N/A | tcp |
| US | 151.101.193.91:443 | N/A | tcp |
| GB | 84.17.50.9:443 | N/A | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
Files
Analysis: behavioral31
Detonation Overview
Submitted
2024-12-15 00:49
Reported
2024-12-15 00:52
Platform
debian9-mipsbe-20240418-en
Max time kernel
0s
Command Line
Signatures
System Network Configuration Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | /tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/linux/arm64/7za | N/A |
Processes
/tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/linux/arm64/7za
[/tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/linux/arm64/7za]
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-12-15 00:49
Reported
2024-12-15 00:53
Platform
win10v2004-20241007-en
Max time kernel
146s
Max time network
152s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 212 wrote to memory of 3284 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 212 wrote to memory of 3284 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 212 wrote to memory of 3284 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3284 -ip 3284
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3284 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-12-15 00:49
Reported
2024-12-15 00:55
Platform
debian9-mipsbe-20240729-en
Max time kernel
0s
Command Line
Signatures
System Network Configuration Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | /usr/bin/bash | N/A |
| N/A | N/A | /sbin/bash | N/A |
| N/A | N/A | /bin/bash | N/A |
| N/A | N/A | /tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/7x.sh | N/A |
| N/A | N/A | /usr/local/sbin/bash | N/A |
| N/A | N/A | /usr/local/bin/bash | N/A |
| N/A | N/A | /usr/sbin/bash | N/A |
Processes
/tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/7x.sh
[/tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/7x.sh]
/usr/local/sbin/bash
[bash /tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/7x.sh]
/usr/local/bin/bash
[bash /tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/7x.sh]
/usr/sbin/bash
[bash /tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/7x.sh]
/usr/bin/bash
[bash /tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/7x.sh]
/sbin/bash
[bash /tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/7x.sh]
/bin/bash
[bash /tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/7x.sh]
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-15 00:49
Reported
2024-12-15 00:53
Platform
win7-20240903-en
Max time kernel
122s
Max time network
125s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Alondrissa-win-x64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Alondrissa-win-x64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Alondrissa-win-x64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Alondrissa-win-x64.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Alondrissa-win-x64.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Alondrissa-win-x64.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Alondrissa-win-x64.exe
"C:\Users\Admin\AppData\Local\Temp\Alondrissa-win-x64.exe"
Network
Files
\Users\Admin\AppData\Local\Temp\nsdCC64.tmp\System.dll
| MD5 | 0d7ad4f45dc6f5aa87f606d0331c6901 |
| SHA1 | 48df0911f0484cbe2a8cdd5362140b63c41ee457 |
| SHA256 | 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca |
| SHA512 | c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9 |
\Users\Admin\AppData\Local\Temp\nsdCC64.tmp\UAC.dll
| MD5 | adb29e6b186daa765dc750128649b63d |
| SHA1 | 160cbdc4cb0ac2c142d361df138c537aa7e708c9 |
| SHA256 | 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08 |
| SHA512 | b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada |
\Users\Admin\AppData\Local\Temp\nsdCC64.tmp\StdUtils.dll
| MD5 | c6a6e03f77c313b267498515488c5740 |
| SHA1 | 3d49fc2784b9450962ed6b82b46e9c3c957d7c15 |
| SHA256 | b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e |
| SHA512 | 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803 |
\Users\Admin\AppData\Local\Temp\nsdCC64.tmp\nsDialogs.dll
| MD5 | 466179e1c8ee8a1ff5e4427dbb6c4a01 |
| SHA1 | eb607467009074278e4bd50c7eab400e95ae48f7 |
| SHA256 | 1e40211af65923c2f4fd02ce021458a7745d28e2f383835e3015e96575632172 |
| SHA512 | 7508a29c722d45297bfb090c8eb49bd1560ef7d4b35413f16a8aed62d3b1030a93d001a09de98c2b9fea9acf062dc99a7278786f4ece222e7436b261d14ca817 |
Analysis: behavioral4
Detonation Overview
Submitted
2024-12-15 00:49
Reported
2024-12-15 00:53
Platform
win10v2004-20241007-en
Max time kernel
92s
Max time network
145s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2448 wrote to memory of 388 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2448 wrote to memory of 388 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2448 wrote to memory of 388 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 388 -ip 388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 388 -s 628
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-12-15 00:49
Reported
2024-12-15 00:54
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
157s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe
"C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe"
C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe
"C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\alondrissa" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1712 --field-trial-handle=1716,i,7911226535340569180,9711313295858517515,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe
"C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\alondrissa" --mojo-platform-channel-handle=2236 --field-trial-handle=1716,i,7911226535340569180,9711313295858517515,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe
"C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\alondrissa" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2264 --field-trial-handle=1716,i,7911226535340569180,9711313295858517515,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe
"C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\alondrissa" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3332 --field-trial-handle=1716,i,7911226535340569180,9711313295858517515,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe
"C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\alondrissa" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2452 --field-trial-handle=1716,i,7911226535340569180,9711313295858517515,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.github.com | udp |
| US | 8.8.8.8:53 | api.github.com | udp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 210.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | npriv.boxmineworld.com | udp |
| US | 89.117.79.21:4009 | npriv.boxmineworld.com | tcp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.79.117.89.in-addr.arpa | udp |
| US | 8.8.8.8:53 | google.com | udp |
| FR | 216.58.214.174:443 | google.com | tcp |
| US | 89.117.79.21:4009 | npriv.boxmineworld.com | tcp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.4.4:443 | dns.google | tcp |
| US | 8.8.8.8:443 | dns.google | tcp |
| US | 89.117.79.21:4009 | npriv.boxmineworld.com | tcp |
| US | 8.8.8.8:443 | dns.google | tcp |
| US | 89.117.79.21:4009 | npriv.boxmineworld.com | tcp |
| US | 89.117.79.21:4009 | npriv.boxmineworld.com | tcp |
| US | 89.117.79.21:4009 | npriv.boxmineworld.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 89.117.79.21:4009 | npriv.boxmineworld.com | tcp |
| FR | 172.217.20.164:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | 174.214.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.4.8.8.in-addr.arpa | udp |
| US | 185.150.189.243:26308 | N/A | tcp |
| US | 8.8.8.8:53 | 164.20.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.exc
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
C:\Users\Admin\AppData\Local\Temp\920deb53-e4ea-4b96-8fa9-ccdea538003c.tmp.node
| MD5 | 3072b68e3c226aff39e6782d025f25a8 |
| SHA1 | cf559196d74fa490ac8ce192db222c9f5c5a006a |
| SHA256 | 7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01 |
| SHA512 | 61ebc72c20195e99244d95af1ab44fa06201a1aee2b5da04490fdc4312e8324a40b0e15a7b42fab5179753d767c1d08ae1a7a56ac71a6e100e63f83db849ee61 |
C:\Users\Admin\AppData\Roaming\alondrissa\Session Storage\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Roaming\alondrissa\databases\Databases.db
| MD5 | ff72fbbfa28ddd9749c1bbb3ccc023cd |
| SHA1 | 96973105364068a65ec127005d37c674394a1b4a |
| SHA256 | da9904b09d2d6ca69086567449587836afa6c32127da6ba8c5c33482508cb003 |
| SHA512 | 06e1e770782603e7581b60076930842745a8d2be033115394d4f171e455b10b6fed16c622f7dde0479a63e4142d8cc6c52e0d1c12c324b5cdf637d29f19cc10e |
C:\Users\Admin\AppData\Roaming\alondrissa\Preferences
| MD5 | 58127c59cb9e1da127904c341d15372b |
| SHA1 | 62445484661d8036ce9788baeaba31d204e9a5fc |
| SHA256 | be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de |
| SHA512 | 8d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a |
C:\Users\Admin\AppData\Roaming\alondrissa\Preferences~RFe57bc6a.TMP
| MD5 | d11dedf80b85d8d9be3fec6bb292f64b |
| SHA1 | aab8783454819cd66ddf7871e887abdba138aef3 |
| SHA256 | 8029940de92ae596278912bbbd6387d65f4e849d3c136287a1233f525d189c67 |
| SHA512 | 6b7ec1ca5189124e0d136f561ca7f12a4653633e2d9452d290e658dfe545acf6600cc9496794757a43f95c91705e9549ef681d4cc9e035738b03a18bdc2e25f0 |
C:\Users\Admin\AppData\Roaming\alondrissa\databases\Databases.db
C:\Users\Admin\AppData\Roaming\alondrissa\Network\Network Persistent State
C:\Users\Admin\AppData\Roaming\alondrissa\Network\Network Persistent State~RFe58b0ec.TMP
Analysis: behavioral16
Detonation Overview
Submitted
2024-12-15 00:49
Reported
2024-12-15 00:53
Platform
win7-20240903-en
Max time kernel
121s
Max time network
126s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1
Network
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-12-15 00:49
Reported
2024-12-15 00:54
Platform
win7-20240903-en
Max time kernel
118s
Max time network
124s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\minecraft-java-core\node_modules\7zip-bin\index.js
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-15 00:49
Reported
2024-12-15 00:54
Platform
win10v2004-20241007-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Alondrissa-win-x64.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Alondrissa-win-x64.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Alondrissa-win-x64.exe
"C:\Users\Admin\AppData\Local\Temp\Alondrissa-win-x64.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\nsp78EA.tmp\System.dll
C:\Users\Admin\AppData\Local\Temp\nsp78EA.tmp\UAC.dll
C:\Users\Admin\AppData\Local\Temp\nsp78EA.tmp\StdUtils.dll
C:\Users\Admin\AppData\Local\Temp\nsp78EA.tmp\nsDialogs.dll
Analysis: behavioral9
Detonation Overview
Submitted
2024-12-15 00:49
Reported
2024-12-15 00:54
Platform
win7-20240903-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 220
Network
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-12-15 00:49
Reported
2024-12-15 00:54
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
158s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1
Network
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-12-15 00:49
Reported
2024-12-15 00:55
Platform
debian9-mipsel-20240226-en
Max time kernel
15s
Command Line
Signatures
System Network Configuration Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | /sbin/bash | N/A |
| N/A | N/A | /bin/bash | N/A |
| N/A | N/A | /tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/7x.sh | N/A |
| N/A | N/A | /usr/local/sbin/bash | N/A |
| N/A | N/A | /usr/local/bin/bash | N/A |
| N/A | N/A | /usr/sbin/bash | N/A |
| N/A | N/A | /usr/bin/bash | N/A |
Processes
/tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/7x.sh
[/tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/7x.sh]
/usr/local/sbin/bash
[bash /tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/7x.sh]
/usr/local/bin/bash
[bash /tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/7x.sh]
/usr/sbin/bash
[bash /tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/7x.sh]
/usr/bin/bash
[bash /tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/7x.sh]
/sbin/bash
[bash /tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/7x.sh]
/bin/bash
[bash /tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/7x.sh]
Network
Files
Analysis: behavioral27
Detonation Overview
Submitted
2024-12-15 00:49
Reported
2024-12-15 00:54
Platform
win10v2004-20241007-en
Max time kernel
144s
Max time network
152s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\minecraft-java-core\node_modules\7zip-bin\index.js
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-12-15 00:49
Reported
2024-12-15 00:53
Platform
win7-20240729-en
Max time kernel
120s
Max time network
123s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 220
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-12-15 00:49
Reported
2024-12-15 00:54
Platform
win10v2004-20241007-en
Max time kernel
146s
Max time network
151s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1744 wrote to memory of 2888 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2888 -ip 2888
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 624
Network
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-12-15 00:49
Reported
2024-12-15 00:54
Platform
win7-20240903-en
Max time kernel
121s
Max time network
126s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe
"C:\Users\Admin\AppData\Local\Temp\Alondrissa.exe"
Network
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-12-15 00:49
Reported
2024-12-15 00:54
Platform
win7-20240903-en
Max time kernel
122s
Max time network
133s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1
Network
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-12-15 00:49
Reported
2024-12-15 00:54
Platform
win10v2004-20241007-en
Max time kernel
138s
Max time network
155s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1
Network
Files
Analysis: behavioral28
Detonation Overview
Submitted
2024-12-15 00:49
Reported
2024-12-15 00:55
Platform
debian9-armhf-20240611-en
Max time kernel
0s
Command Line
Signatures
Enumerates kernel/hardware configuration
| Description | Indicator | Process | Target |
| File opened for reading | /sys/devices/system/cpu | /tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/linux/arm/7za | N/A |
System Network Configuration Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | /tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/linux/arm/7za | N/A |
Processes
/tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/linux/arm/7za
[/tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/linux/arm/7za]
Network
Files
Analysis: behavioral32
Detonation Overview
Submitted
2024-12-15 00:49
Reported
2024-12-15 00:53
Platform
debian9-mipsel-20240611-en
Max time kernel
0s
Command Line
Signatures
System Network Configuration Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | /tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/linux/arm64/7za | N/A |
Processes
/tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/linux/arm64/7za
[/tmp/resources/app.asar.unpacked/node_modules/minecraft-java-core/node_modules/7zip-bin/linux/arm64/7za]