Edit tour

Windows Analysis Report
Setup.exe

Overview

General Information

Sample Name:	Setup.exe
Analysis ID:	694875
MD5:	a47b343c963dad673377364848549897
SHA1:	1faf9a21bf8dde2762ece37a1716f04664665b37
SHA256:	3d197e9b80ff2d1fb40dbbd2bacf0988a8e877986732dc39eadffaf6749df4dd
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Multi AV Scanner detection for domain / URL

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Drops files with a non-matching file extension (content does not match file extension)

Queries the volume information (name, serial number etc) of a device

Drops PE files

Tries to load missing DLLs

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

PE file contains sections with non-standard names

Binary contains a suspicious time stamp

Queries keyboard layouts

Enables security privileges

PE file contains more sections than normal

Found dropped PE file which has not been started or loaded

Creates a process in suspended mode (likely to inject code)

IP address seen in connection with other malware

Enables debug privileges

Classification

Process Tree

System is w10x64native

Setup.exe (PID: 8032 cmdline: "C:\Users\user\Desktop\Setup.exe" MD5: A47B343C963DAD673377364848549897)

System.exe (PID: 372 cmdline: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe MD5: ACA468C6E2E01F3698C5E3C79394FB57)

System.exe (PID: 5216 cmdline: "C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\Game Installer" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1524 --field-trial-handle=1624,11055175116320894089,15330204900087283469,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2 MD5: ACA468C6E2E01F3698C5E3C79394FB57)

cmd.exe (PID: 5092 cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

tasklist.exe (PID: 5116 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

System.exe (PID: 808 cmdline: "C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\Game Installer" --mojo-platform-channel-handle=2080 --field-trial-handle=1624,11055175116320894089,15330204900087283469,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8 MD5: ACA468C6E2E01F3698C5E3C79394FB57)

System.exe (PID: 2796 cmdline: "C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=32902 --gpu-device-id=16024 --gpu-sub-system-id=1050155081 --gpu-revision=2 --gpu-driver-version=27.20.100.9415 --user-data-dir="C:\Users\user\AppData\Roaming\Game Installer" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAIAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2632 --field-trial-handle=1624,11055175116320894089,15330204900087283469,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2 MD5: ACA468C6E2E01F3698C5E3C79394FB57)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Setup.exe

Virustotal: Detection: 7%

Perma Link

Multi AV Scanner detection for domain / URL

Source: superfuniestindianparty.rip

Virustotal: Detection: 12%

Perma Link

Source: Setup.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\Setup.exe

File created: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\LICENSE.electron.txt

Jump to behavior

Source: Setup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	File opened: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\resources	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	File opened: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo	Jump to behavior

Source: Joe Sandbox View

IP Address: 104.18.42.171 104.18.42.171

Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: Setup.exe

String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError

Source: unknown

HTTP traffic detected: POST /dns-query HTTP/1.1Host: dns.quad9.netConnection: keep-aliveContent-Length: 128Accept: application/dns-messageAccept-Language: *User-Agent: ChromeAccept-Encoding: identityContent-Type: application/dns-message

Source: unknown

DNS traffic detected: queries for: superfuniestindianparty.rip

Source: Setup.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\Setup.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Section loaded: edgegdi.dll	Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe

Process token adjusted: Security

Jump to behavior

Source: System.exe.1.dr

Static PE information: Number of sections : 12 > 10

Source: Setup.exe

Virustotal: Detection: 7%

Source: C:\Users\user\Desktop\Setup.exe

File read: C:\Users\user\Desktop\Setup.exe

Jump to behavior

Source: Setup.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Setup.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Setup.exe "C:\Users\user\Desktop\Setup.exe"
Source: C:\Users\user\Desktop\Setup.exe	Process created: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Process created: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe "C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\Game Installer" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1524 --field-trial-handle=1624,11055175116320894089,15330204900087283469,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Process created: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe "C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\Game Installer" --mojo-platform-channel-handle=2080 --field-trial-handle=1624,11055175116320894089,15330204900087283469,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Process created: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe "C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=32902 --gpu-device-id=16024 --gpu-sub-system-id=1050155081 --gpu-revision=2 --gpu-driver-version=27.20.100.9415 --user-data-dir="C:\Users\user\AppData\Roaming\Game Installer" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAIAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2632 --field-trial-handle=1624,11055175116320894089,15330204900087283469,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
Source: C:\Users\user\Desktop\Setup.exe	Process created: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Process created: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe "C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\Game Installer" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1524 --field-trial-handle=1624,11055175116320894089,15330204900087283469,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Process created: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe "C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\Game Installer" --mojo-platform-channel-handle=2080 --field-trial-handle=1624,11055175116320894089,15330204900087283469,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Process created: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe "C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=32902 --gpu-device-id=16024 --gpu-sub-system-id=1050155081 --gpu-revision=2 --gpu-driver-version=27.20.100.9415 --user-data-dir="C:\Users\user\AppData\Roaming\Game Installer" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAIAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2632 --field-trial-handle=1624,11055175116320894089,15330204900087283469,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist	Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:552:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:552:120:WilError_03

Source: C:\Windows\System32\tasklist.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe

File created: C:\Users\user\AppData\Roaming\Game Installer

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\tasklist.exe tasklist

Source: C:\Users\user\Desktop\Setup.exe

File created: C:\Users\user\AppData\Local\Temp\nsj4E21.tmp

Jump to behavior

Source: classification engine

Classification label: mal60.spyw.winEXE@14/93@3/3

Source: C:\Users\user\Desktop\Setup.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Setup.exe

Static file information: File size 62879521 > 1048576

Source: Setup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: ffmpeg.dll.1.dr	Static PE information: section name: .00cfg
Source: ffmpeg.dll.1.dr	Static PE information: section name: _RDATA
Source: libEGL.dll.1.dr	Static PE information: section name: .00cfg
Source: libEGL.dll.1.dr	Static PE information: section name: _RDATA
Source: libGLESv2.dll.1.dr	Static PE information: section name: .00cfg
Source: libGLESv2.dll.1.dr	Static PE information: section name: _RDATA
Source: libEGL.dll0.1.dr	Static PE information: section name: .00cfg
Source: libEGL.dll0.1.dr	Static PE information: section name: _RDATA
Source: libGLESv2.dll0.1.dr	Static PE information: section name: .00cfg
Source: libGLESv2.dll0.1.dr	Static PE information: section name: _RDATA
Source: System.exe.1.dr	Static PE information: section name: .00cfg
Source: System.exe.1.dr	Static PE information: section name: .retplne
Source: System.exe.1.dr	Static PE information: section name: .rodata
Source: System.exe.1.dr	Static PE information: section name: CPADinfo
Source: System.exe.1.dr	Static PE information: section name: _RDATA
Source: vk_swiftshader.dll.1.dr	Static PE information: section name: .00cfg
Source: vk_swiftshader.dll.1.dr	Static PE information: section name: _RDATA
Source: vulkan-1.dll.1.dr	Static PE information: section name: .00cfg
Source: vulkan-1.dll.1.dr	Static PE information: section name: _RDATA
Source: a504bfce-c13f-4050-bbc4-80150c37d231.tmp.node.9.dr	Static PE information: section name: .didat
Source: a504bfce-c13f-4050-bbc4-80150c37d231.tmp.node.9.dr	Static PE information: section name: .00cfg
Source: a504bfce-c13f-4050-bbc4-80150c37d231.tmp.node.9.dr	Static PE information: section name: _RDATA
Source: 7e239a60-0e4c-4af8-a9fc-84fafa2cf063.tmp.node.9.dr	Static PE information: section name: .didat
Source: 7e239a60-0e4c-4af8-a9fc-84fafa2cf063.tmp.node.9.dr	Static PE information: section name: .00cfg
Source: 7e239a60-0e4c-4af8-a9fc-84fafa2cf063.tmp.node.9.dr	Static PE information: section name: _RDATA

Source: d3dcompiler_47.dll.1.dr

Static PE information: 0xF3329C94 [Sat Apr 18 07:26:12 2099 UTC]

Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	File created: C:\Users\user\AppData\Local\Temp\a504bfce-c13f-4050-bbc4-80150c37d231.tmp.node			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	File created: C:\Users\user\AppData\Local\Temp\7e239a60-0e4c-4af8-a9fc-84fafa2cf063.tmp.node			Jump to dropped file

Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\nsp4E90.tmp\nsis7z.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\d3dcompiler_47.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\vk_swiftshader.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	File created: C:\Users\user\AppData\Local\Temp\a504bfce-c13f-4050-bbc4-80150c37d231.tmp.node	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\nsp4E90.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\swiftshader\libEGL.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\vulkan-1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\libEGL.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\ffmpeg.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\resources\elevate.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\swiftshader\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\nsp4E90.tmp\StdUtils.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	File created: C:\Users\user\AppData\Local\Temp\7e239a60-0e4c-4af8-a9fc-84fafa2cf063.tmp.node	Jump to dropped file

Source: C:\Users\user\Desktop\Setup.exe

File created: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\LICENSE.electron.txt

Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\00000409	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\00000409	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\00000409	Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\vk_swiftshader.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\vulkan-1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\resources\elevate.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	File Volume queried: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	File Volume queried: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	File Volume queried: C:\Users\user FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	File Volume queried: C:\Users\user FullSizeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	File opened: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\resources	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	File opened: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo	Jump to behavior

Source: C:\Windows\System32\tasklist.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Process created: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe "c:\users\user\appdata\local\temp\28ys8twmdrj2bwul41wsjegnzvo\system.exe" --type=gpu-process --user-data-dir="c:\users\user\appdata\roaming\game installer" --gpu-preferences=uaaaaaaaaadgaaayaaaaaaaaaaaaaaaaaabgaaaaaaawaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaegaaaaaaaaasaaaaaaaaaayaaaaagaaabaaaaaaaaaagaaaaaaaaaaqaaaaaaaaaaaaaaaoaaaaeaaaaaaaaaabaaaadgaaaagaaaaaaaaacaaaaaaaaaa= --mojo-platform-channel-handle=1524 --field-trial-handle=1624,11055175116320894089,15330204900087283469,131072 --disable-features=plzserviceworker,sparerendererforsiteperprocess,winretrievesuggestionsonlyondemand /prefetch:2
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Process created: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe "c:\users\user\appdata\local\temp\28ys8twmdrj2bwul41wsjegnzvo\system.exe" --type=utility --utility-sub-type=network.mojom.networkservice --lang=en-us --service-sandbox-type=none --user-data-dir="c:\users\user\appdata\roaming\game installer" --mojo-platform-channel-handle=2080 --field-trial-handle=1624,11055175116320894089,15330204900087283469,131072 --disable-features=plzserviceworker,sparerendererforsiteperprocess,winretrievesuggestionsonlyondemand /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Process created: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe "c:\users\user\appdata\local\temp\28ys8twmdrj2bwul41wsjegnzvo\system.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=32902 --gpu-device-id=16024 --gpu-sub-system-id=1050155081 --gpu-revision=2 --gpu-driver-version=27.20.100.9415 --user-data-dir="c:\users\user\appdata\roaming\game installer" --gpu-preferences=uaaaaaaaaadoaaayaaaaaaaaaaaaaaaaaabgaaaiaaawaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaegaaaaaaaaasaaaaaaaaaayaaaaagaaabaaaaaaaaaagaaaaaaaaaaqaaaaaaaaaaaaaaaoaaaaeaaaaaaaaaabaaaadgaaaagaaaaaaaaacaaaaaaaaaa= --mojo-platform-channel-handle=2632 --field-trial-handle=1624,11055175116320894089,15330204900087283469,131072 --disable-features=plzserviceworker,sparerendererforsiteperprocess,winretrievesuggestionsonlyondemand /prefetch:2
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Process created: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe "c:\users\user\appdata\local\temp\28ys8twmdrj2bwul41wsjegnzvo\system.exe" --type=gpu-process --user-data-dir="c:\users\user\appdata\roaming\game installer" --gpu-preferences=uaaaaaaaaadgaaayaaaaaaaaaaaaaaaaaabgaaaaaaawaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaegaaaaaaaaasaaaaaaaaaayaaaaagaaabaaaaaaaaaagaaaaaaaaaaqaaaaaaaaaaaaaaaoaaaaeaaaaaaaaaabaaaadgaaaagaaaaaaaaacaaaaaaaaaa= --mojo-platform-channel-handle=1524 --field-trial-handle=1624,11055175116320894089,15330204900087283469,131072 --disable-features=plzserviceworker,sparerendererforsiteperprocess,winretrievesuggestionsonlyondemand /prefetch:2	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Process created: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe "c:\users\user\appdata\local\temp\28ys8twmdrj2bwul41wsjegnzvo\system.exe" --type=utility --utility-sub-type=network.mojom.networkservice --lang=en-us --service-sandbox-type=none --user-data-dir="c:\users\user\appdata\roaming\game installer" --mojo-platform-channel-handle=2080 --field-trial-handle=1624,11055175116320894089,15330204900087283469,131072 --disable-features=plzserviceworker,sparerendererforsiteperprocess,winretrievesuggestionsonlyondemand /prefetch:8	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Process created: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe "c:\users\user\appdata\local\temp\28ys8twmdrj2bwul41wsjegnzvo\system.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=32902 --gpu-device-id=16024 --gpu-sub-system-id=1050155081 --gpu-revision=2 --gpu-driver-version=27.20.100.9415 --user-data-dir="c:\users\user\appdata\roaming\game installer" --gpu-preferences=uaaaaaaaaadoaaayaaaaaaaaaaaaaaaaaabgaaaiaaawaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaegaaaaaaaaasaaaaaaaaaayaaaaagaaabaaaaaaaaaagaaaaaaaaaaqaaaaaaaaaaaaaaaoaaaaeaaaaaaaaaabaaaadgaaaagaaaaaaaaacaaaaaaaaaa= --mojo-platform-channel-handle=2632 --field-trial-handle=1624,11055175116320894089,15330204900087283469,131072 --disable-features=plzserviceworker,sparerendererforsiteperprocess,winretrievesuggestionsonlyondemand /prefetch:2	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Process created: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe "C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\Game Installer" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1524 --field-trial-handle=1624,11055175116320894089,15330204900087283469,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Process created: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe "C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\Game Installer" --mojo-platform-channel-handle=2080 --field-trial-handle=1624,11055175116320894089,15330204900087283469,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Process created: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe "C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=32902 --gpu-device-id=16024 --gpu-sub-system-id=1050155081 --gpu-revision=2 --gpu-driver-version=27.20.100.9415 --user-data-dir="C:\Users\user\AppData\Roaming\Game Installer" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAIAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2632 --field-trial-handle=1624,11055175116320894089,15330204900087283469,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Queries volume information: C:\Users VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Queries volume information: C:\Users\user VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Queries volume information: C:\Users\user\AppData VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Queries volume information: C:\Users\user\AppData\Local VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Queries volume information: C:\Users\user\AppData\Local\Temp VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\resources VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\resources\app.asar VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Web Data VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Cookies VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Queries volume information: C:\Windows\System32\spool\drivers\color\sRGB Color Space Profile.icm VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data.bby	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies.bby	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data.bby	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data.bby	Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	11 Masquerading	1 OS Credential Dumping	2 Process Discovery	Remote Services	1 Data from Local System	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Process Injection	LSASS Memory	1 Remote System Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	2 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Timestomp	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	3 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 DLL Side-Loading	NTDS	24 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Setup.exe	8%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	3%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\d3dcompiler_47.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\d3dcompiler_47.dll	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\d3dcompiler_47.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\ffmpeg.dll	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\ffmpeg.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\libEGL.dll	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\libEGL.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\libGLESv2.dll	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\libGLESv2.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\resources\elevate.exe	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\resources\elevate.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\swiftshader\libEGL.dll	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\swiftshader\libEGL.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\swiftshader\libGLESv2.dll	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\swiftshader\libGLESv2.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\vk_swiftshader.dll	3%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\vk_swiftshader.dll	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
chrome.cloudflare-dns.com	0%	Virustotal	Browse
dns.quad9.net	0%	Virustotal	Browse
superfuniestindianparty.rip	12%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://chrome.cloudflare-dns.com/dns-query	0%	Virustotal		Browse
https://dns.quad9.net/dns-query	1%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
chrome.cloudflare-dns.com	104.18.42.171	true	false	0%, Virustotal, Browse	unknown
dns.quad9.net	149.112.112.112	true	false	0%, Virustotal, Browse	unknown
superfuniestindianparty.rip	unknown	unknown	true	12%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://chrome.cloudflare-dns.com/dns-query	false	0%, Virustotal, Browse	unknown
https://dns.quad9.net/dns-query	false	1%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nsis.sf.net/NSIS_ErrorError	Setup.exe	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
149.112.112.112	dns.quad9.net	United States		19281	QUAD9-AS-1US	false
104.18.42.171	chrome.cloudflare-dns.com	United States		13335	CLOUDFLARENETUS	false

Private

IP
192.168.11.1

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	694875
Start date and time:	2022-09-01 05:57:04 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 15m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Setup.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected Instruction Hammering
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal60.spyw.winEXE@14/93@3/3
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Changed system and user locale, location and keyboard layout to English - United States Enable AMSI

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, CompPkgSrv.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe
Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, spclient.wg.spotify.com, wdcpalt.microsoft.com, client.wns.windows.com, wdcp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Link
104.18.42.171	https://paper.li/41i0IyhsDU2LHUTTqmDaP/story/ap-ausdredge-VBjAsEzkfIUV7miNpzaCi	Get hash	malicious	Browse
	http://first-dating.top/js/push/p.js?u=ra9pd06&o=911nfyq&t=66&v=2	Get hash	malicious	Browse
	Construction Drawingcouncil@cityofparramatta.nsw.gov.au--830962-df.htm	Get hash	malicious	Browse
	http://107.172.76.136/topp.exe	Get hash	malicious	Browse
	Secured_angela.johnson_Audio_Message.htm	Get hash	malicious	Browse
	ACH_WIRE_REMITTANCE.xlsx	Get hash	malicious	Browse
	INV#48390122.docx	Get hash	malicious	Browse
	#U043e#U0440#U043a#U043e#U0441#U0442#U0430#U043d#U0432#U0440#U0430#U0431#U043e#U0442#U0435.xlsx	Get hash	malicious	Browse
	Paid EFT Invoices.xlsx	Get hash	malicious	Browse
	http://timetogof.at/vento/6523.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
chrome.cloudflare-dns.com	https://paper.li/41i0IyhsDU2LHUTTqmDaP/story/ap-ausdredge-VBjAsEzkfIUV7miNpzaCi	Get hash	malicious	Browse	104.18.42.171
	http://first-dating.top/js/push/p.js?u=ra9pd06&o=911nfyq&t=66&v=2	Get hash	malicious	Browse	104.18.42.171
	Fax_Doc.htm	Get hash	malicious	Browse	172.64.145.85
	Ferdium-win-Portable-6.0.0-x64.exe	Get hash	malicious	Browse	172.64.145.85
	Construction Drawingcouncil@cityofparramatta.nsw.gov.au--830962-df.htm	Get hash	malicious	Browse	104.18.42.171
	http://107.172.76.136/topp.exe	Get hash	malicious	Browse	104.18.42.171
	Secured_angela.johnson_Audio_Message.htm	Get hash	malicious	Browse	104.18.42.171
	ACH_WIRE_REMITTANCE.xlsx	Get hash	malicious	Browse	104.18.42.171
	INV#48390122.docx	Get hash	malicious	Browse	104.18.42.171
	GalacticFever.exe	Get hash	malicious	Browse	172.64.145.85
	https://nhs-sharepoint.simplesite.com/	Get hash	malicious	Browse	172.64.145.85
	https://theproduct-4you.com/us/sgaq/goketogum-onl1?bhu=spkfL6hnkZo2Z5xGxgK1Hn2fuSAE7PhhBjqZs4	Get hash	malicious	Browse	172.64.145.85
	#U043e#U0440#U043a#U043e#U0441#U0442#U0430#U043d#U0432#U0440#U0430#U0431#U043e#U0442#U0435.xlsx	Get hash	malicious	Browse	104.18.42.171
	orkostansocialclubfrom09.06.xlsx	Get hash	malicious	Browse	172.64.145.85
	Paid EFT Invoices.xlsx	Get hash	malicious	Browse	104.18.42.171
	http://timetogof.at/vento/6523.exe	Get hash	malicious	Browse	104.18.42.171
	https://esca4.app.goo.gl/xdBo2PZ5GZufaehJ6	Get hash	malicious	Browse	172.64.145.85
	https://raptorcapr.site/Alarm-Com-Api-Documentation	Get hash	malicious	Browse	172.64.145.85
	Allegato documento d'ordine.html	Get hash	malicious	Browse	172.64.145.85
	badstuff.ps1	Get hash	malicious	Browse	172.64.145.85

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENETUS	rpt1661216698_20220823.exe	Get hash	malicious	Browse	162.159.133.233
	MEAioSUhW1.exe	Get hash	malicious	Browse	188.114.97.3
	file.exe	Get hash	malicious	Browse	188.114.96.3
	Inquiry#8899006720220831.exe	Get hash	malicious	Browse	104.19.185.120
	http://tdsshark.xyz	Get hash	malicious	Browse	172.66.40.91
	tGQ9T8Athj.exe	Get hash	malicious	Browse	188.114.96.3
	20220823_77466465553654,pdf.exe	Get hash	malicious	Browse	162.159.129.233
	PI_#U7f8e#U91d1#U532f#U738728.84 (USD 40,257+5% #U7a05#Uff09.exe	Get hash	malicious	Browse	104.19.184.120
	file.exe	Get hash	malicious	Browse	172.67.202.54
	Product Inquiry.exe	Get hash	malicious	Browse	172.67.154.88
	Rk3R1RBX9x.exe	Get hash	malicious	Browse	188.114.96.3
	rl86XSdHhM.exe	Get hash	malicious	Browse	188.114.97.3
	M6r4CJqwMd.exe	Get hash	malicious	Browse	188.114.96.3
	arinzezx.exe	Get hash	malicious	Browse	104.19.184.120
	THN6clTA6P.exe	Get hash	malicious	Browse	104.21.68.165
	https://rfp-skytech.myportfolio.com/	Get hash	malicious	Browse	104.18.11.207
	INV_PackingL_202208031_0104.exe	Get hash	malicious	Browse	104.19.185.120
	fraiche_0831003.js	Get hash	malicious	Browse	162.159.135.233
	file.exe	Get hash	malicious	Browse	188.114.97.3
	PURCHASE ORDER.exe	Get hash	malicious	Browse	188.114.97.3
QUAD9-AS-1US	contactupdate.exe	Get hash	malicious	Browse	9.9.9.9
	http://www.sotuu.net/php/download.php?q=5ufoeUA&e=https://saojoaocentrohistorico.com.br/2mintunesmand/wealldidherekjhrfd/q7qPE/rforsha@s3gov.com	Get hash	malicious	Browse	9.9.9.9
	https://lacodoo-my.sharepoint.com/:o:/g/personal/davorin_kelenc_la-co_si/Egb2ztyp9yVDpnjQEuVL6LIBm9H_n-PxxnuE4pAnfN0cMg?e=6IGn6C	Get hash	malicious	Browse	9.9.9.9
	https://www.turnerdrake.com/blog/ct.ashx?id=1872b9a5-838a-40ec-a587-47c22c252c62&url=https://wq014i.codesandbox.io?dg=ZWxzLnJvZ2dlQGluZnJhYmVsLmJl	Get hash	malicious	Browse	9.9.9.9
	Payment Advice Note.xls	Get hash	malicious	Browse	9.9.9.9
	Invoice Copy.xlsx	Get hash	malicious	Browse	9.9.9.9
	0000281895.html	Get hash	malicious	Browse	9.9.9.9
	ImTip.7z	Get hash	malicious	Browse	9.9.9.9
	https://1drv.ms/o/s!BNifvYLRjxaZgT6yO_s7Od1eKKVO?e=Re-mxSsKOECUCPb51hI9ow&at=9	Get hash	malicious	Browse	9.9.9.9
	https://msg813.simplesite.com	Get hash	malicious	Browse	9.9.9.9
	https://wesharesfile.teamec.club/	Get hash	malicious	Browse	9.9.9.9
	https://wesharesfile.teamec.club/	Get hash	malicious	Browse	9.9.9.9
	PO 112846.pdf	Get hash	malicious	Browse	9.9.9.9
	iMapU.xlsm	Get hash	malicious	Browse	9.9.9.9
	GalacticFever.exe	Get hash	malicious	Browse	9.9.9.9
	https://tielearnnot.top:443	Get hash	malicious	Browse	9.9.9.9
	L1ld - Linkvertise Downloader_PE2-ku1.exe	Get hash	malicious	Browse	9.9.9.9
	https://aeindo.co.id/cvt/	Get hash	malicious	Browse	9.9.9.9
	http://dzh.ylfjso.top	Get hash	malicious	Browse	9.9.9.9
	Proforma invoice 702401.url	Get hash	malicious	Browse	9.9.9.9

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\d3dcompiler_47.dll	GalacticFever.exe	Get hash	malicious	Browse
	Bloom.7z	Get hash	malicious	Browse
	AsanaSetup.exe	Get hash	malicious	Browse
	6DNTEUx66h.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.MulDropNET.43.26999.exe	Get hash	malicious	Browse
	InstallSlack.exe	Get hash	malicious	Browse
	YouTube To Mp4 Converter.exe	Get hash	malicious	Browse
	YouTube To Mp4 Converter.exe	Get hash	malicious	Browse
	Dante.7z.exe	Get hash	malicious	Browse
	winpro.exe	Get hash	malicious	Browse

Process:	C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe
File Type:	data
Category:	dropped
Size (bytes):	65552
Entropy (8bit):	0.020373530227265995
Encrypted:	false
SSDEEP:	3:PVYlGlll/l/lXp9ZjXslAyUg0PBYGGJDASPllfllL/mRl/+tDX5/Pll:P+0NspUg0PBYGA7/eEh
MD5:	51CFBD885984576E8ADBAB19850C1413
SHA1:	B681998E798A6308D7F8C1F7DCD77146BE7FC53F
SHA-256:	5B5444534C2165ED28EE37A8FF2DA61867FD6263AFF79EECD18C615F5C830EA2
SHA-512:	0E735B90812050858404F0A32840E66640B89862C3F0DE3DDD2435C283BFFF27AC5E5E7D73704E84DBEC36AA98789A157CB0524F90516497717439E2A35338F7
Malicious:	false
Preview:	y.q.........................................f...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Users\user\Desktop\Setup.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1096
Entropy (8bit):	5.13006727705212
Encrypted:	false
SSDEEP:	24:36DiJHxRHuyPP3GtIHw1Gg9QH+sUW8Ok4F+d1o36qjFD:36DiJzfPvGt7ICQH+sfIte36AFD
MD5:	4D42118D35941E0F664DDDBD83F633C5
SHA1:	2B21EC5F20FE961D15F2B58EFB1368E66D202E5C
SHA-256:	5154E165BD6C2CC0CFBCD8916498C7ABAB0497923BAFCD5CB07673FE8480087D
SHA-512:	3FFBBA2E4CD689F362378F6B0F6060571F57E228D3755BDD308283BE6CBBEF8C2E84BEB5FCF73E0C3C81CD944D01EE3FCF141733C4D8B3B0162E543E0B9F3E63
Malicious:	false
Preview:	Copyright (c) Electron contributors.Copyright (c) 2013-2020 GitHub Inc...Permission is hereby granted, free of charge, to any person obtaining.a copy of this software and associated documentation files (the."Software"), to deal in the Software without restriction, including.without limitation the rights to use, copy, modify, merge, publish,.distribute, sublicense, and/or sell copies of the Software, and to.permit persons to whom the Software is furnished to do so, subject to.the following conditions:..The above copyright notice and this permission notice shall be.included in all copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,.EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF.MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND.NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE.LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION.OF CONTRACT, TORT OR OTHERWISE, ARISIN

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.9999868273341965
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Setup.exe
File size:	62879521
MD5:	a47b343c963dad673377364848549897
SHA1:	1faf9a21bf8dde2762ece37a1716f04664665b37
SHA256:	3d197e9b80ff2d1fb40dbbd2bacf0988a8e877986732dc39eadffaf6749df4dd
SHA512:	b0a41a46195e72382b7405b19f6296a36a04eed10804f10c29713b63975689052f2e2152cf54f2c3cec5a0d9c10f9dfcd1590a435c995aa64dbd401635fe7912
SSDEEP:	1572864:/47pmXsV8hGNGf+dB8CDtN8XJ16V1dp2w0ufNADMsO8Atf7:Ms8VKGo+b8CDtN8+L2w0uFPp7
TLSH:	08D7337477A08A37C0A7EB34617E4903528A29827EFA70C63B6CD6CDAD97C433B45974
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L......\.................h...8...@.

Entrypoint:	0x40338f
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x5C157F86 [Sat Dec 15 22:26:14 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	b34f154ec913d2d2c435cbd644e91687

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8610	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x10b000	0x2c60	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6627	0x6800	False	0.6646259014423077	data	6.450282348506287	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x14a2	0x1600	False	0.4405184659090909	data	5.025178929113415	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x70ff8	0x600	False	0.5182291666666666	data	4.037117731448378	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x7b000	0x90000	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x10b000	0x2c60	0x2e00	False	0.825577445652174	data	7.281830806447493	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country
RT_ICON	0x10b1d8	0x22b5	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States
RT_DIALOG	0x10d490	0x100	data	English	United States
RT_DIALOG	0x10d590	0xf8	data	English	United States
RT_DIALOG	0x10d688	0x60	data	English	United States
RT_GROUP_ICON	0x10d6e8	0x14	data	English	United States
RT_VERSION	0x10d700	0x21c	data	English	United States
RT_MANIFEST	0x10d920	0x33e	XML 1.0 document, ASCII text, with very long lines, with no line terminators	English	United States

DLL	Import
KERNEL32.dll	SetEnvironmentVariableW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, SetCurrentDirectoryW, GetFileAttributesW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, ExitProcess, GetShortPathNameW, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, lstrcmpiW, MoveFileW, GetFullPathNameW, SetFileTime, SearchPathW, CompareFileTime, lstrcmpW, CloseHandle, ExpandEnvironmentStringsW, GlobalFree, GlobalLock, GlobalUnlock, GlobalAlloc, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, lstrlenA, MulDiv, MultiByteToWideChar, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll	GetSystemMenu, SetClassLongW, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, GetDC, SetTimer, SetWindowTextW, LoadImageW, SetForegroundWindow, ShowWindow, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, CreateDialogParamW, SendMessageTimeoutW, wsprintfW, PostQuitMessage
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, ShellExecuteExW, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW
ADVAPI32.dll	AdjustTokenPrivileges, RegCreateKeyExW, RegOpenKeyExW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, RegEnumValueW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 1, 2022 06:00:35.642591953 CEST	49804	443	192.168.11.20	104.18.42.171
Sep 1, 2022 06:00:35.642666101 CEST	443	49804	104.18.42.171	192.168.11.20
Sep 1, 2022 06:00:35.643064976 CEST	49805	443	192.168.11.20	149.112.112.112
Sep 1, 2022 06:00:35.643147945 CEST	443	49805	149.112.112.112	192.168.11.20
Sep 1, 2022 06:00:35.643616915 CEST	49804	443	192.168.11.20	104.18.42.171
Sep 1, 2022 06:00:35.643620014 CEST	49805	443	192.168.11.20	149.112.112.112
Sep 1, 2022 06:00:35.644143105 CEST	49804	443	192.168.11.20	104.18.42.171
Sep 1, 2022 06:00:35.644202948 CEST	443	49804	104.18.42.171	192.168.11.20
Sep 1, 2022 06:00:35.644800901 CEST	49805	443	192.168.11.20	149.112.112.112
Sep 1, 2022 06:00:35.644866943 CEST	443	49805	149.112.112.112	192.168.11.20
Sep 1, 2022 06:00:35.676429987 CEST	443	49805	149.112.112.112	192.168.11.20
Sep 1, 2022 06:00:35.677054882 CEST	49805	443	192.168.11.20	149.112.112.112
Sep 1, 2022 06:00:35.680108070 CEST	443	49805	149.112.112.112	192.168.11.20
Sep 1, 2022 06:00:35.680310011 CEST	49805	443	192.168.11.20	149.112.112.112
Sep 1, 2022 06:00:35.684287071 CEST	443	49804	104.18.42.171	192.168.11.20
Sep 1, 2022 06:00:35.684760094 CEST	49804	443	192.168.11.20	104.18.42.171
Sep 1, 2022 06:00:35.684782982 CEST	443	49804	104.18.42.171	192.168.11.20
Sep 1, 2022 06:00:35.686645985 CEST	443	49804	104.18.42.171	192.168.11.20
Sep 1, 2022 06:00:35.686873913 CEST	49804	443	192.168.11.20	104.18.42.171
Sep 1, 2022 06:00:35.719832897 CEST	49805	443	192.168.11.20	149.112.112.112
Sep 1, 2022 06:00:35.760473967 CEST	49805	443	192.168.11.20	149.112.112.112
Sep 1, 2022 06:00:35.760538101 CEST	443	49805	149.112.112.112	192.168.11.20
Sep 1, 2022 06:00:35.760699034 CEST	49805	443	192.168.11.20	149.112.112.112
Sep 1, 2022 06:00:35.760709047 CEST	443	49805	149.112.112.112	192.168.11.20
Sep 1, 2022 06:00:35.760817051 CEST	49804	443	192.168.11.20	104.18.42.171
Sep 1, 2022 06:00:35.760909081 CEST	443	49804	104.18.42.171	192.168.11.20
Sep 1, 2022 06:00:35.761049986 CEST	49804	443	192.168.11.20	104.18.42.171
Sep 1, 2022 06:00:35.761055946 CEST	443	49804	104.18.42.171	192.168.11.20
Sep 1, 2022 06:00:35.807630062 CEST	443	49805	149.112.112.112	192.168.11.20
Sep 1, 2022 06:00:35.807782888 CEST	49805	443	192.168.11.20	149.112.112.112
Sep 1, 2022 06:00:35.808406115 CEST	49805	443	192.168.11.20	149.112.112.112
Sep 1, 2022 06:00:35.808420897 CEST	443	49805	149.112.112.112	192.168.11.20
Sep 1, 2022 06:00:35.813591957 CEST	49804	443	192.168.11.20	104.18.42.171
Sep 1, 2022 06:00:35.813606977 CEST	443	49804	104.18.42.171	192.168.11.20
Sep 1, 2022 06:00:35.814238071 CEST	49804	443	192.168.11.20	104.18.42.171
Sep 1, 2022 06:00:35.814377069 CEST	443	49804	104.18.42.171	192.168.11.20
Sep 1, 2022 06:00:35.814405918 CEST	443	49804	104.18.42.171	192.168.11.20
Sep 1, 2022 06:00:35.814533949 CEST	49804	443	192.168.11.20	104.18.42.171
Sep 1, 2022 06:00:35.814546108 CEST	49804	443	192.168.11.20	104.18.42.171

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 1, 2022 06:00:04.848031998 CEST	64221	53	192.168.11.20	1.1.1.1
Sep 1, 2022 06:00:05.004755020 CEST	53	64221	1.1.1.1	192.168.11.20
Sep 1, 2022 06:00:35.627748966 CEST	65066	53	192.168.11.20	1.1.1.1
Sep 1, 2022 06:00:35.628541946 CEST	57074	53	192.168.11.20	1.1.1.1
Sep 1, 2022 06:00:35.636617899 CEST	53	65066	1.1.1.1	192.168.11.20
Sep 1, 2022 06:00:35.637376070 CEST	53	57074	1.1.1.1	192.168.11.20

Timestamp	kBytes transferred	Direction	Data
2022-09-01 04:00:35 UTC	0	OUT	POST /dns-query HTTP/1.1 Host: dns.quad9.net Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2022-09-01 04:00:35 UTC	0	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2022-09-01 04:00:35 UTC	1	IN	HTTP/1.1 200 OK Date: Thu, 01 Sep 2022 04:00:35 GMT Connection: close Content-Length: 60 Server: h2o/dnsdist content-type: application/dns-message cache-control: max-age=167
2022-09-01 04:00:35 UTC	1	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 00 a7 00 04 ac d9 a8 43 00 00 29 04 d0 00 00 00 00 00 00 Data Ascii: wwwgstaticcomC)

Timestamp	Direction	Data
2022-09-01 04:00:35 UTC	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2022-09-01 04:00:35 UTC	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2022-09-01 04:00:35 UTC	IN	HTTP/1.1 200 OK Server: cloudflare Date: Thu, 01 Sep 2022 04:00:35 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 743b198f8f399a09-FRA
2022-09-01 04:00:35 UTC	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 00 87 00 04 8e fa b8 e3 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)

Target ID:	1
Start time:	05:59:00
Start date:	01/09/2022
Path:	C:\Users\user\Desktop\Setup.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Setup.exe"
Imagebase:	0x400000
File size:	62879521 bytes
MD5 hash:	A47B343C963DAD673377364848549897
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Target ID:	9
Start time:	05:59:35
Start date:	01/09/2022
Path:	C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe
Imagebase:	0x7ff7eeca0000
File size:	146324992 bytes
MD5 hash:	ACA468C6E2E01F3698C5E3C79394FB57
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, Virustotal, Browse Detection: 3%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	low

Target ID:	13
Start time:	06:00:05
Start date:	01/09/2022
Path:	C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\Game Installer" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1524 --field-trial-handle=1624,11055175116320894089,15330204900087283469,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
Imagebase:	0x7ff7eeca0000
File size:	146324992 bytes
MD5 hash:	ACA468C6E2E01F3698C5E3C79394FB57
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low

Target ID:	18
Start time:	06:00:18
Start date:	01/09/2022
Path:	C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\Game Installer" --mojo-platform-channel-handle=2080 --field-trial-handle=1624,11055175116320894089,15330204900087283469,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
Imagebase:	0x7ff7eeca0000
File size:	146324992 bytes
MD5 hash:	ACA468C6E2E01F3698C5E3C79394FB57
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Target ID:	20
Start time:	06:02:05
Start date:	01/09/2022
Path:	C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=32902 --gpu-device-id=16024 --gpu-sub-system-id=1050155081 --gpu-revision=2 --gpu-driver-version=27.20.100.9415 --user-data-dir="C:\Users\user\AppData\Roaming\Game Installer" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAIAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2632 --field-trial-handle=1624,11055175116320894089,15330204900087283469,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
Imagebase:	0x7ff7eeca0000
File size:	146324992 bytes
MD5 hash:	ACA468C6E2E01F3698C5E3C79394FB57
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Setup.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\D3DSCache\58b32cb0d51bbf24\6F75932F-7DFC-4FB0-B4B8-12DE1AC415DA_VEN_8086&DEV_3E98&SUBSYS_3E98&REV_2.idx

C:\Users\user\AppData\Local\D3DSCache\58b32cb0d51bbf24\6F75932F-7DFC-4FB0-B4B8-12DE1AC415DA_VEN_8086&DEV_3E98&SUBSYS_3E98&REV_2.lock

C:\Users\user\AppData\Local\D3DSCache\58b32cb0d51bbf24\6F75932F-7DFC-4FB0-B4B8-12DE1AC415DA_VEN_8086&DEV_3E98&SUBSYS_3E98&REV_2.val

C:\Users\user\AppData\Local\D3DSCache\58b32cb0d51bbf24\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

C:\Users\user\AppData\Local\D3DSCache\58b32cb0d51bbf24\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

C:\Users\user\AppData\Local\D3DSCache\58b32cb0d51bbf24\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies.bby

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data.bby

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data.bby

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Cookies.bby

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data.bby

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Web Data.bby

C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\LICENSE.electron.txt

C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\LICENSES.chromium.html

C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\System.exe

C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\chrome_100_percent.pak

C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\chrome_200_percent.pak

C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\d3dcompiler_47.dll

C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\ffmpeg.dll

C:\Users\user\AppData\Local\Temp\28YS8twMdrJ2BWUL41WSjEgnZVo\icudtl.dat

Windows Analysis Report
Setup.exe

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as Ping or `net view` using Net . Adversaries may also use local host files (ex: `C:\Windows\System32\Drivers\etc\hosts` or `/etc/hosts` ) in order to discover the hostname to IP address mappings of remote systems.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre